Section 103 of the Cybersecurity Information Sharing Act of 2015, Pub. L. 114-113, 129 Stat.694 (2015), directs the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of the appropriate federal entities set forth in Subsection 1.1, to jointly develop and issue procedures to facilitate and promote:
1. Timely sharing of classified cyber threat indicators (CTIs) and defensive measures (DMs) in the possession of the Federal Government with representatives of relevant federal entities and non-federal entities that have appropriate security clearances;
2. Timely sharing with relevant federal entities and non-federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
3. Timely sharing with relevant federal entities and non-federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
4. Timely sharing with federal entities and non-federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
5. Periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in Section 3 of the Small Business Act (15 U.S.C. 632)).
The procedures outlined in this document describe the current mechanisms through which the appropriate federal entities, as named in Section 102(3), share information with non-federal entities. Examples of non-federal entities are private sector entities and state, local, tribal and territorial (SLTT) governments, including owners and operators of private and public critical infrastructure. These procedures are implemented today through a series of programs, which are described below and provide the foundation of appropriate federal entities’ cybersecurity information sharing capability. These programs are dynamic and are expected to grow or evolve over time.2 That said, some programs may be discontinued and new programs may begin. In addition, these programs work together to identify useful information available through their unique information sources and to share that information with their respective partners. Wherever possible, appropriate federal entities coordinate with each other through these programs to ensure that the information they share is timely, actionable, and unique.