Full Report
The law is due to lapse in September, something cyber experts and industry officials say would be a huge loss. The post Exclusive: Peters, Rounds tee up bill to renew expiring cyber threat information sharing law appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: Renewal of Cybersecurity Information Sharing Act (CISA) of 2015
## Overview
This summary pertains to a proposed bill by Senators Peters and Rounds to renew the Cybersecurity Information Sharing Act (CISA) of 2015 for another ten years. CISA is crucial as it provides **legal liability protections** for entities sharing cyber threat information between companies, from companies to the government, and through collaborative programs like the Joint Cyber Defense Collaborative (JCDC). The expiration of this act would significantly weaken the cybersecurity ecosystem by removing these vital protections.
## Key Details
- Issuing Authority: U.S. Congress (Proposed by Senators Peters, D-MI, and Rounds, R-SD).
- Effective Date: The proposed renewal needs to pass before the current law expires.
- Jurisdiction: United States federal jurisdiction, affecting private sector companies and government agencies.
- Status: **Proposed** (Legislation introduced).
## Requirements
### Mandatory Requirements
*Note: Since the article discusses a renewal of an existing law, the current CISA requirements (which are being extended) focus on the ability to share information while being protected, rather than mandating the sharing itself or specific technical controls.*
1. **Information Sharing Facilitation:** Entities are permitted to share cyber threat information with government entities and other private sector organizations under the legal framework provided by CISA; the act enables sharing rather than mandating it.
2. **Liability Protection Adherence:** Organizations rely on CISA's provisions to ensure that sharing threat data (including PII/PHI found incidentally) does not result in civil or administrative liability, provided they comply with the act's stipulations regarding PII handling.
### Recommended Practices
1. **Utilize Sharing Avenues:** Actively participate in threat information sharing via established mechanisms (e.g., sector ISACs, Joint Cyber Defense Collaborative).
2. **Consider Policy Updates:** While the proposed bill is a simple extension, industry stakeholders have previously called for updates to better match current threat landscapes (though the current bill does not include them).
## Affected Organizations
- Industries: All sectors relying on cyber threat intelligence; the article specifically mentions the **defense industrial base** and **critical infrastructure sectors**.
- Organization Size: Not explicitly categorized by size in the renewal context, but any entity handling cyber threats benefits.
- Geographic Scope: United States.
## Compliance Timeline
- **September [Current Year]:** Current Cybersecurity Information Sharing Act (CISA) of 2015 is **set to expire**.
- **TBD:** Congressional Committee consideration (Expected: Senate Homeland Security and Governmental Affairs Committee, potentially Intelligence Committees).
- **TBD (Before September):** Final passage required for renewal.
- **If Extended:** Full compliance framework remains in effect for the next 10 years under the renewed law.
## Implementation Guidance
### Assessment Phase
- Review current internal processes for cyber threat information sharing to ensure they align with the existing CISA legal protections, especially concerning incidental collection and sharing of PII/PHI.
### Implementation Phase
- Monitor legislative progress of the Peters-Rounds bill closely.
- Be prepared to operate without CISA liability protections if the bill fails to pass before September.
### Validation Phase
- If the renewal passes, organizations should verify that their existing established threat-sharing protocols remain valid under the extended law.
## Technical Requirements
The article primarily discusses the legal/policy framework rather than specific technical mandates. The central operational requirement revolves around **secure and reliable mechanisms** for sharing threat data, often facilitated via programs like the JCDC.
## Penalties & Enforcement
*Note: The article focuses on the removal of protections rather than specific penalties for non-compliance with a renewal bill.*
- **If CISA Lapses (No Renewal):** Organizations lose the vital **liability protections** currently afforded when sharing threat information, significantly increasing their legal risk exposure from sharing data between entities or with the Government.
- Fines: N/A (Penalties relate to loss of existing legal shield).
- Enforcement: Enforcement pertains to potential litigation against entities sharing information without the CISA shield.
## Related Standards
- **Cybersecurity Information Sharing Act (CISA) of 2015:** The foundational law being renewed.
- **Joint Cyber Defense Collaborative (JCDC):** A key program relying on CISA's legal structure for collaboration.
## Resources
- Official Documentation: Specific bill text needs to be monitored as it is introduced.
- Guidance Documents: Previous guidance related to CISA 2015 implementation regarding PII protection would remain relevant pending renewal terms.
- Tools: Frameworks for threat intelligence sharing (e.g., STIX/TAXII) are operational tools that benefit from the CISA framework.
## Practical Recommendations
1. **Advocate for Extension:** Organizations heavily engaged in information sharing should support the prompt passage of the Peters-Rounds renewal bill.
2. **Prepare for Lapse:** Develop contingency plans detailing how information sharing operations would be managed internally if CISA expires in September, recognizing the increased tort liability risk.
3. **Monitor Committee Action:** Track the bill's assignment, particularly the stance of Sen. Rand Paul (Chairman of the Senate Homeland Security Committee), as potential referral to intelligence committees might impact the process.