[cabfpub] Cybersecurity Act of 2015

Tony Rutkowski tony at yaanatech.com
Thu Jan 7 18:06:42 UTC 2016


Hi Ben,

Good catch on the new Act.

You and others might find the attached blog and the
linked material useful.  Although this material is
directed significantly at the OASIS CTI and the CIS
Critical Security Controls, many provisions of the
Act - including others you didn't include - could
encompass EVcerts as well.  Among other things,
the Forum might want to have more visibility among
those charged with implementing the provisions
pursuant to the depicted timeline.

Because it's difficult to find a complete, readable
copy of the Act, I've included one for reference.
Note that many of the Title II provisions in amending
the Homeland Security Act of 2002, as amended,
effect a composite that is itself far reaching and
go beyond just the Federal government.

It is a real pity that Ballot 158 failed.  Incredibly
short-sighted in light of the needs in the defensive
measures ecosystem.

best,
tony

On 2016-01-07 11:24 AM, Ben Wilson wrote:
>
> Security Information Sharing Working Group:
>
> Good news.  On December 18, 2015, President Obama signed into law the 
> Cybersecurity Act of 2015.  Sections 104, 105 and 106 of the Act are 
> the ones most relevant to our work.  They are titled as follows:
>
> Sec. 104. Authorizations for preventing, detecting, analyzing, and 
> mitigating cybersecurity threats.
>
> Sec. 105. Sharing of cyber threat indicators and defensive measures 
> with the Federal Government.
>
> Sec. 106. Protection from liability.
>
> Subsection 104(c)(1) of the Cybersecurity Act of 2015 recognizes the 
> right of private entities to share cyber threat indicators and 
> defensive measures for a cybersecurity purpose. [Section 102(4) 
> defines “cybersecurity purpose” as “the purpose of protecting an 
> information system or information that is stored on, processed by, or 
> transiting an information system from a cybersecurity threat or 
> security vulnerability.”]
>
> Subsection 104(d)(1) requires that the information be adequately 
> protected, and more specifically, subsection 104(d)(2) requires that 
> prior to sharing, the entity must (A) “review such cyber threat 
> indicator to assess whether such cyber threat indicator contains any 
> information not directly related to a cybersecurity threat that the 
> non-Federal entity knows at the time of sharing to be personal 
> information of a specific individual or information that identifies a 
> specific individual and remove such information” and (B) “implement 
> and utilize a technical capability configured to remove any 
> information not directly related to a cybersecurity threat that the 
> non-Federal entity knows at the time of sharing to be personal 
> information of a specific individual or information that identifies a 
> specific individual.”
>
> If shared with a governmental entity, exemptions within section 104 of 
> the Cybersecurity Act are found in: subsection (d)(4)(B)(ii) – exempt 
> from local freedom of information law, open government law, open 
> meetings law, open records law, sunshine law, or similar law requiring 
> disclosure of information or records; subsection (d)(4)(C)(i) – 
> exempt from action when following “mandatory standards, including an 
> activity relating to monitoring, operating a defensive measure, or 
> sharing of a cyber threat indicator”; and subsection (e) – not a 
> violation of any provision of antitrust laws “for 2 or more private 
> entities to exchange or provide a cyber threat indicator or defensive 
> measure, or assistance relating to the prevention, investigation, or 
> mitigation of a cybersecurity threat, for cybersecurity purposes.”
>
> Section 106(a) protects entities from liability when “monitoring” a 
> system.  Section 106(b) protects entities from liability when sharing 
> or receiving information, and if it is shared with the federal 
> government, then if such sharing complies with section 105.
>
> I’m not addressing section 105 (sharing with the federal government) 
> here; that can be addressed separately if/when it arises.
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-- 

________________________________

Anthony Michael Rutkowski

EVP, Industry Standards & Regulatory Affairs

tony at yaanatech.com

+1 703 999 8270

________________________________

Yaana Technologies LLC

542 Gibraltar Drive

Milpitas CA 95035 USA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160107/ba4f4154/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Cybersecurity_Act_specifications_process_1.0.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 191544 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160107/ba4f4154/attachment-0001.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _Cybersecurity_Act_of_2015.pdf
Type: application/pdf
Size: 457883 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160107/ba4f4154/attachment-0003.pdf>

