Cybersecurity Information Sharing Act (CISA) Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism.
Transparency. Federal agencies are required to publish privacy compliance documents that describe the agencies’ receipt, retention, use, and dissemination of cyber threat indicators. Pursuant to CISA, federal entities must notify individuals whose personal information has been shared in violation of CISA. Specifically, the guidelines state that this notification to individuals should be made in accordance with an agency’s own breach/incident response plan.
Individual Participation. The guidelines explicitly acknowledge that, in some instances, a shared cyber threat indicator may by necessity include personal information directly related to the threat being described. Note that Federal agencies may rely on their definitions of the term “personal information,” so long as such definition includes, at a minimum, personal information of a specific individual, or information that identifies specific individuals.
However, the government will limit the impact on the privacy and civil liberties of individuals by requiring, prior to sharing, agency review for – and removal of – personal information identifying a specific individual that is not directly related to a cybersecurity threat. As an example, the guidance notes that for a cyber threat indicator describing a phishing email, personal information about the sender of email (“From”/“Sender” address), a malicious URL in the e-mail, malware files attached to the e-mail, and the Subject Line and content of the e-mail could be considered directly related to a cybersecurity threat. Conversely, the name and e-mail address of the targets of the email (i.e., the “To” address) would be personal information not directly related to that threat and therefore should be removed. The document states that Federal entities that receive cyber threat indicators via the DHS’ AIS capability “may assume that any personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat has been removed.”
Data Minimization. The government will limit the receipt, retention, use, and dissemination of cyber threat indicators that contain personal information in accordance with existing guidelines applicable to Federal agencies, including, but not limited to, timely destruction of cyber threat indicators containing personal information. In addition, the guidelines state that defensive measures will typically not contain personal information, but if they do, Federal agencies are encouraged, but not required, to remove such information prior to sharing.
Purpose Specification. CISA generally authorizes Federal agencies to use cyber threat indicators and defensive measures for only limited purposes related to identifying, preventing or mitigating cybersecurity threats or preventing a specific threat of serious bodily or economic harm.
Use Limitation. Cyber threat indicators may only be used for the purposes authorized by CISA. In addition, all cyber threat indicators will be disseminated only in a manner consistent with the markings that denote their sensitivity or other concerns.
Data Quality and Integrity. The usefulness of a cyber threat indicator may be limited to a short time period, so agencies should only retain indicators for a specified period of time or until they are no longer directly related to an authorized use under CISA.
Security. Federal entities should adopt certain safeguards to protect information from unauthorized use or acquisition. Such safeguards include: (1) internal user access controls; (2) physical or logical segregation of data; and (3) other controls commensurate with the risk of harm from unauthorized access, disclosure, modification, or destruction of the data. In addition, sanctions will be implemented for violations of the guidelines, including, for example, remedial training or a loss of security clearance.
Accountability and Auditing. Federal entities are required to ensure that they have audit capabilities sufficient to oversee the receipt, retention, and use of cyber threat indicators. Also, the heads of relevant federal agencies will coordinate a joint review and update of these guidelines every 2 years. The Inspector General will also conduct biennial compliance reports.
Lastly, the guidance notes that further dissemination of, and access to, cyber threat indicators and defensive measures shared by private companies through the AIS capability may only occur in accordance with markings concerning the sensitivity of the information that are based upon Traffic Light Protocol (TLP), as well as markings that convey the sharing entity’s willingness to be identified to appropriate Federal entities or the entire AIS community.