Bill summaries are authored by CRS.

Shown Here:
Introduced in Senate (03/17/2015)

Cybersecurity Information Sharing Act of 2015

Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote: (1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.

Permits private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on: (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities.

Allows entities to share and receive indicators and defensive measures with other entities or the federal government.

Requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat.

Permits state, tribal, or local agencies to use shared indicators (with the consent of the entity sharing the indicators) to prevent, investigate, or prosecute offenses relating to: (1) an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; or (2) crimes involving serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets.

Directs DOJ to promulgate: (1) procedures relating to the receipt of indicators and defensive measures by the federal government, and (2) guidelines to limit the retention or dissemination of personal or identifying information. Requires such procedures to include appropriate sanctions for federal officers, employees, or agents who conduct unauthorized activities.

Directs DHS to develop a process within DHS for the federal government to: (1) accept cyber threat indicators and defensive measures from any entity in real time, and (2) ensure that appropriate federal entities receive the shared indicators in an automated manner through that real-time process.

Requires the DHS capability to be the process by which the federal government receives indicators and defensive measures under this Act that are shared by a private entity with the federal government through electronic mail or media, an interactive Internet website form, or a real-time, automated process between information systems except: (1) communications between a federal entity and a private entity regarding a previously shared cyber threat indicator, and (2) communications by a regulated entity with such entity's federal regulatory authority regarding a cybersecurity threat.

Prohibits DHS's process from limiting lawful disclosures of communications, records, or other information to: (1) report known or suspected criminal activity, (2) participate in a federal investigation voluntarily or upon being legally compelled, or (3) provide indicators or defensive measures as part of a statutory or authorized contractual requirement.

Authorizes indicators and defensive measures to be disclosed to, retained by, and used by, consistent with otherwise applicable federal law, any federal agency or federal government agent solely for:

  • protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability;
  • identifying a cybersecurity threat, including the source, or a security vulnerability;
  • identifying the use of an information system by a foreign adversary or terrorist;
  • responding to, or otherwise preventing or mitigating, a serious threat to a minor or an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; or
  • preventing, investigating, disrupting, or prosecuting an offense arising out of an imminent threat of death, serious bodily harm, or serious economic harm, as well as offenses relating to serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets.

Prohibits indicators and defensive measures provided to the government from being directly used by government agencies to regulate the lawful activities of an entity.

Provides liability protections to entities acting in accordance with this Act that: (1) monitor information systems, or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares any indicators or defensive measures with the federal government is consistent with specified procedures and exceptions set forth under the DHS sharing process.

Prohibits this Act from being construed to permit the federal government to require an entity to provide information to the federal government.

Amends the National Defense Authorization Act for Fiscal Year 2013 to authorize DOD to share with other federal entities information reported by a cleared defense contractor regarding a penetration of network or information systems.