Several federal agencies face 180-day deadlines this week related to last years’ Cybersecurity Information Sharing Act (CISA), which became law in late December.
The Office of the Director of National Intelligence and the Office of Management and Budget are expected to deliver a report evaluating how cybercriminals could gain access to classified information by accessing or manipulating an unclassified system.
The Department of Justice and the Department of Homeland Security, meanwhile, are expected to release guidelines on how federal agencies will protect privacy when sharing cyber threat data.
The Office of Personnel Management and the National Institute of Standards and Technology also face CISA-related deadlines this week.
The Cybersecurity Act of 2015 set up incentives for businesses to share threat information with each other and with government agencies and would eventually result in tools to protect both business and government networks.
CISA was the subject of passionate lobbying by privacy groups in late 2015. Companies such as Apple and Dropbox said CISA fails to protect users' privacy.
DOJ and DHS are also expected to deliver finalized policies on how companies can best share cyber threat data with the government this week. In March, DHS released an assessment proclaiming there were some significant privacy concerns to be worked out with the Automated Indicator Sharing initiative, the automated system intended to allow private companies to share cyberthreat indicators with the federal government. The system was intended to facilitate sharing without impacting privacy by stripping personally identifiable information (PII) out of the shared data.
CISA requires any personally-identifiable information that is shared through the program to be directly related to a cybersecurity threat. But the report found "residual privacy risk that these processes may not always identify and remove unrelated PII, thereby disseminating more PII than is directly related to the cybersecurity threat.”