Several Cyber Matters Covered in The Cybersecurity Act of 2015
January 7, 2016
On December 16, 2015, President Obama signed into law the Cybersecurity Act of 2015. This Act covers several areas, including information sharing, advancement of national cybersecurity, national cybersecurity workforce assessment, and other cyber matters. The Act contains several substantive provisions.
Generally, the Act allows, but does not mandate, organizations to share cybersecurity information with other governmental and non-governmental organizations. The Act does not create private causes of action for violations and preempts conflicting state laws.
A private entity may, for cybersecurity purposes, monitor its own information system, the information systems of others upon the authorization and written consent of such other entity, and information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
A private entity may, for cybersecurity purposes, operate a defensive measure applied to its own information system to protect its rights or property, or to an information system of another entity, upon that entity's written consent, to protect the rights or property of that entity.
An entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other non-Federal entity or the Federal Government a cyber-threat indicator or defensive measure. A non-Federal entity receiving a cyber-threat indicator or defensive measure from another shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber-threat indicator or defensive measure by the sharing entity.
A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber-threat indicator or defensive measure shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber-threat indicator or defensive measure. An entity sharing a cyber-threat indicator shall remove all personal identifying information prior to such sharing. The Act contains many other details too voluminous to include here. Please let me know if you would like additional information.