ISAO SP 8000: Frequently Asked Questions for ISAO General Counsels v0.02

Request For Comment

The request for comment period for this draft concluded on Tuesday, July 18, 2017. All comments were reviewed and adjudicated by working groups. Comments received after the July 18th deadline may be included in future adjudication and revision periods.

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing has been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in certain circumstances. As this proliferation continues, it likely will be organizational general counsel who are called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and on developing the policies and procedures needed to succeed in it. We do not pretend that either listing is exhaustive, and nothing contained herein should be considered legal advice; that remains the prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.


Submitted Comments

The ISAO SO invited the public to provide comments on this document from June 19, 2017 – July 18, 2017. The line reference and comment fields listed below are the exact contents as submitted by the commenter.

Line Reference | Comment | Disposition

9 | Add "Information Sharing" after Cybersecurity | Approved
9, 10 | Add div. N., 129 Stat. 2242, 2936 – 2956 (2015) before CISA | Approved
10 | Add "public and private sector" after "encourage" | Approved
10 (11) | Delete "participation by even more" after "encourage" | Approved
10 (11) | Add "to share cyber threat information" after "entities" | Approved
10 (11, 12) | Add "removing legal barriers and" after "entities by" | Approved
11, 12 (13-19) | Add "Broadly, as explained in the legislative history, CISA provides “positive legal authorities for private companies to: (1) monitor their networks, or those of their customers upon authorization and written consent, for cybersecurity purposes; (2) take defensive measures to stop cyber attacks and (3) share cyber threat information with each other and with the government to further collective cybersecurity.” S.Rep. No. 114-32, at 2 (2015). CISA therefore provides an environment and potentially serves as a catalyst for increasing private sector information sharing." after "circumstances." | Approved
13 (21) | Delete "to their superiors" | Approved
15-19 (23-25) | Delete "With the growth of the ISAO movement, it is possible that joint private/public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality." | Approved
27 (33) | Remove "-" in "cyber-threat" | Approved
36-38 (44-46) | Delete "and help identify victims for notification purposes where information reveals compromised customer IP addresses" | Approved
41 (49-50) | Insert "vital assets, including its" before "critical infrastructure" | Approved
44 (52) | Delete "• It also should be noted that most of the value of s" and capitalize "s" | Approved
44 (52-53) | Replace "be accomplished" with "occur" | Approved
45 (53) | Replace "the inclusion of" with "including" | Approved
45 (53-54) | Replace "personal information (PII)" with "personally identifiable information (PII)," | Approved
56 (65-67) | Insert "Furthermore, federal laws such as CISA provide protections that lower the risk by providing clear authority for sharing and other protections for sharing information" after "compromise" | Approved
56-60 (67-71) | See comments | Approved
63 (74) | Insert "such as the Traffic Light Protocol" | Approved
69 (81) | Replace "risk" with "threat" | Approved
81 (93) | Change font for "etc.," | Approved
81 (93-96) | Insert "Sharing cyber threat indicators and defensive measures helps ensure that one entity’s detection of a threat allows other entities to quickly defend against that threat, which helps quickly mitigate attacks and protects the entire ecosystem." after "provide" | Approved
81 (97-105) | Make own paragraph and delete "also" | Approved
94 (107-126) | Insert new paragraph: "• Private entities receive liability protection and other protections and exemptions for sharing cyber threat indicators and defensive measures with other private entities, including ISAOs, in accordance with CISA. 6 U.S.C. § 1503, § 1505(b)(1). Such sharing is authorized “notwithstanding any other provision of law,” meaning any conflicting law is overridden when conducted in accordance with CISA. Furthermore, CISA provides statutory liability protection for sharing certain information. To receive liability protection or to benefit from CISA’s other protections, an entity must share cyber threat indicators or defensive measures for a cybersecurity purpose. Prior to sharing, the entity must remove information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual, and implement and use a security control to protect against unauthorized access to or acquisition of the information. Finally, when receiving such information, the entity must observe lawful restrictions placed by the sharing entity. For further information, see U.S. Department of Homeland Security and U.S. Department of Justice, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (June 2015), available at https://us-cert.gov/ais." | Approved
94 (128-148) | Insert new paragraph: "• Similarly, private entities, including ISAOs, that share cyber threat indicators or defensive measures with the federal government in accordance with CISA receive liability protection and other protections and exemptions. 6 U.S.C. § 1503(c); 6 U.S.C. § 1504(c)(1)(B). Again, such sharing is authorized “notwithstanding any other provision of law,” meaning any conflicting law is overridden when conducted in accordance with CISA. Further, it provides liability protection. To obtain liability protection when sharing with the Federal Government, private entities must share through the DHS-operated capability and process for receiving cyber threat indicators (or under one of the exceptions to the use of that capability) concerning previously shared cyber threat indicators and sharing with federal regulatory authorities. See 6 U.S.C. § 1504(c)(1)(B)(i) and (ii). Non-federal entities sharing with the federal government also receive additional protections, including exemption from state and federal disclosure laws, exemption from certain state and federal regulatory use, no waiver of privilege for shared material, waiver from ex parte communications, and a limitation on permitted uses the government can make of the information that is shared. For further information, see U.S. Department of Homeland Security and U.S. Department of Justice, Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (June 2015), available at https://us-cert.gov/ais" | Approved
91-94 (149-152) | Delete: "• If CISA’s pre-requisites are met, CISA’s liability protections apply both to cyber threat information exchanges between private sector entities including ISAOs and the government and to cyber threat information exchanges between private sector entities alone." | Approved
107 (165) | Delete "also" | Approved
107 (165) | Replace "redaction" with "removal before sharing" | Approved
107 (165) | Delete "certain" | Approved
107-110 (166-171) | Replace "(e.g. personally identifiable information or PII) that is not directly related to a cybersecurity threat that the entity knows at the time of sharing that identifies specific individuals or information personal to them." with "not directly related to a cybersecurity threat that the sharing entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual" | Approved
115 (177) | Insert new paragraph: "• Prior to sharing cyber threat indicators and defensive measures under CISA, private entities should have processes in place to ensure the removal of information not directly related to a cybersecurity threat that the entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual. The entity should also implement and use a security control to protect against unauthorized access to or acquisition of the cyber threat information or defensive measures. When receiving such information, the entity should also have policies in place that require the observation of lawful restrictions placed by the sharing federal government or private entity." | Approved
117 (189) | Add "sharing and handling" after "information" | Approved
120 (192) | Replace "their" with "its" | Approved
141 (214) | Replace "also contemplates" with "permits" | Approved
147 (220) | Delete "o Moreover, as a matter of policy, the Federal government has stated that it will not turn over reported CISA information to enforcement agencies, and reported information is not made public" | Approved
150-152 (224-226) | Delete "o CISA also addresses the inadvertent disclosure of personally identifiable information. In any event, counsel must be attentive to have in place measures to protect confidential information that is to be shared." | Approved
155 (229-231) | Insert "CISA’s liability protection applies to monitoring information systems and the sharing or receiving of cyber threat indicators under CISA" | Approved
156 (232) | Change "enforcement" to "regulatory" | Approved
162 (238) | Insert "the" before SAFETY Act | Approved
163 (239) | Change "legal" to "certain" | Approved
163-164 (239-241) | Change "Qualified Anti-Terrorism products or Technologies approved by the Department of Homeland Security | Approved
174 (251) | See comments | Approved
176-178 (253-255) | Delete: "This is especially true for PHI (Protected Health Information) covered by HIPAA, which has requirements beyond CISA’s. HIPAA also offers certain additional protections if data are encrypted." | Approved
179 (256) | See comments | Approved
208 (286-291) | Insert paragraph: "• Liability protections attach to sharing of cyber threat indicators and defensive measures regardless of whether removal of information not directly related to a cybersecurity threat occurs using a manual or technical means. Similarly, sharing cyber threat indicators and defensive measures with DHS regardless of whether through the automated process and capability or through a manual means receives certain liability protections." | Approved
62-66 | Related to bullet two in Section 2.2, the FS-ISAC recommends that a Traffic Light Protocol (TLP) approach be introduced here in this document. This is necessary to signal the sensitivity of information shared and the necessary control mechanisms. This also is important to establish and maintain trust among participants involved in information sharing processes. Finally, it would be consistent with the Legal Counsel document. | Approved
17 | Replaced citation with footnote | Approved
27 | Change "therein" to "herein" | Approved
28 | Consider changing the "." to a dash or colon after the word "advice" | Approved
67-71 | Reduce complexity by putting the required action up front and/or breaking the sentence into sections. | Approved
110 | Insert "for their members" between "resource" and "to gather information…" | Approved
111 | Replaced citation with footnote | Approved
126-127 | Changed citations to footnotes | Approved
131-132 | Changed citations to footnotes | Approved
145-149 | Change to footnote | Approved
165 | Add reference for ISAO SP 4000 | Approved
218-219 | Recommend deleting references to specific agencies. If the reference is essential, recommend adding a footnote that lists all known federal regulatory authorities. | Approved
223-224 | First sentence is a fragment. Recommend deleting this. | Approved
224-227 | Second sentence - One or more information sharing organizations have already established liability protection under the SAFETY Act. We should be able to articulate more clearly what the “certain liability protections” are and the requirements to obtain them. | Approved
243-245 | Rephrase this to recommend this as a best practice. As currently written, it implies that this is a pre-requisite to joining an ISAO, which will deter organizations from joining. | Approved
251-252 | Change "...published about standards" to "standardized processes" | Approved
254-258 | This isn't a binary question. Modify the question to reflect: What are the legal impacts of automated information sharing? It should be a repeatable process, reduce human error, and incorporate organizational policy regarding PII. | Approved
275-284 | We need to add a reference to the work the ISAO SO is doing to develop standards and guidelines with respect to information sharing generally and to automated information sharing specifically. It should be inserted prior to any other agency reference. | Approved
289-290 | Add "or region," between "sector" and "how it has exercised control…" | Approved