CD113: CISA is Law

CD113: CISA is Law

Dec 27, 2015

Cybersecurity or surveillance? What does the language attached at the last minute to the 2,009 page omnibus government funding bill actually authorize? In this episode, we take a close look at what just became law.

Please support Congressional Dish:

  • Click here to contribute with PayPal or Bitcoin; click the PayPal “Make it Monthly” checkbox to create a monthly subscription
  • Click here to support Congressional Dish for each episode via Patreon
  • Mail Contributions to:
    5753 Hwy 85 North #4576
    Crestview, FL 32536

Thank you for supporting truly independent media!

Cybersecurity Act of 2015

The Cybersecurity Act of 2015 was attached at the last minute to the “omnibus” government funding bill, which was 2,009 pages long and available to read for less than three days before it became law. This is an outline of what became law:

TITLE I: Cybersecurity Information Sharing Act of 2015

Section 102: Definitions

  • Agency“: “Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of Government”
    • Does NOT include the Government Accountability Office, Federal Election Commission, or Government-owned contractor-operated facilities
  • Cybersecurity threat“: An action that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”.
  • Cyber threat indicator“: “Information that is necessary to describe or identify”…
    • Spying, including strange patterns of communications that appear to be collecting technical information
    • Security breaches
    • Security vulnerabilities
    • A legitimate user being used to defeat a security system
    • Malicious cyber command and control
    • “The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat”
    • “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
  • Non-Federal entity“: “Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof)”

Section 103: Sharing of Information by the Federal Government

  • Procedures for sharing information both within and outside the Federal government will be created by:
    • Director of National Intelligence
    • Secretary of Homeland Security
    • Secretary of Defense
    • Attorney General
  • The procedures developed must
    • Allow real time sharing of information
    • Include requirements for the government to protect the information from unauthorized access
    • Require Federal entities to review cyber threat indicators for information not directly related to the threat that contains information that identifies a specific individual and remove the information
    • Include procedures for notifying “any United States person” whose information has been shared by the Federal government

Section 104: Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats

Use of Cyber Threat Indicators by Government

Section 105: Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government”

Section 106: Protection from Liability

  • The courts must dismiss any lawsuits against “any private entity” for monitoring information systems or sharing/receiving “cyber threat indicators”

Section 107: Oversight of Government Activities

  • Heads of “appropriate Federal entities” will submit a report
  • Inspectors General of the “appropriate Federal entities” will submit reports every two years
  • The Comptroller General of the United States will submit a report on actions taken by the Federal Government to remove personal information. Report will be due in three years.
  • Unclassified portions of the reports will be available to the public.

Section 108: Construction and Preemption

  • Lists what this bill is not intended to do

Section 109: Report on Cybersecurity Threats

  • Report will be submitted by the Director of National Intelligence

NEW Section 110: Exception to Limitation on Authority of Secretary of Defense to Disseminate Certain Information

  • Specifically allows the Secretary of Defense to share information

Section 111: Effective Period

  • These provisions expire on September 30, 2025.

TITLE II: National Cybersecurity Protection Advancement Act of 2015

Section 203: Information Sharing Structure and Processes

Sections 206-209: Reports that will expire after 7 years

Subtitle B: Federal Cybersecurity Enhancement Act of 2015

Section 223: Improved Federal Network Security

Section 225: Federal Cybersecurity Requirements

  • The Secretary of Homeland Security will issue binding operational directives for agencies to secure their networks within a year. Agencies will have to…
    • Identify sensitive and mission critical data stored by the agency
    • Assess the need to store that data and determine which individuals need access to it
    • Encrypt the data
    • Implement a single sign-on platform for people using the agency website that requires user authentication
    • Require multi-factor authentication for remote access
  • Agencies will not have to comply if they say it’s “overly burdensome to implement” or that it’s not necessary.
  • These binding operational directives will not apply to the Defense Department, a “national security system”, or the intelligence community.

Section 227: Termination

  • The directives and reports on them will expire in 7 years, December 2022.

Section 229: Direction to Agencies

  • The Secretary of Homeland Security can order the head of other agencies to take “lawful actions” in response to security threats.

TITLE III: Federal Cybersecurity Workforce Assessment Act

Section 303: National Cybersecurity Workforce Measurement Initiative

  • Requires an assessment of all Federal positions that have cyber-related functions

TITLE IV- Other Cyber Matters

Section 401: Study on Mobile Device Security

  • Orders a study on the security of mobile devices of the Federal Government

Section 402: Department of State International Cyberspace Policy Strategy

  • Orders a State Department report on threats from foreign sources and cooperation strategies within 90 days.

Section 403: Apprehension and Prosecution of International Cyber Criminals

  • The Secretary of State must consult with government officials in countries where we don’t have an extradition treaty to determine what actions they’ve taken to catch “cyber criminals” with arrest warrant issued by US judges or Interpol.

Section 404: Enhancement of Emergency Services

  • Orders the National Cybersecurity and Communications Integration Center to create a process for information sharing with Statewide Interoperability Coordinators

Section 405: Improving Cybersecurity in the Health Care Industry

  • Requires a report that will include a plan so that “the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures”

Additional Reading

Music Presented in This Episode

Cover Art

Design by Only Child Imaginations


Support the Show

  • Patreon: for an uncensored experience.
  • PayPal (click the "Make This a Monthly Donation" checkbox to start a subscription)
  • Zelle:
  • CashApp: $CongressionalDish or
  • Popmoney:
  • Venmo: @Jennifer-Briney
  • Bitcoin: 3NFBJGSAnr1XbuCk6THvbsGmn2uVeumR6s
  • Ethereum: 0xA311450A3b2198dd312b7109C295933452634278
  • Litecoin: MQ2uBHu8v12rwq9HHwD95HD6VsgpcHuqjs

Check icon

Donate by check payable to:

Congressional Dish
5753 Hwy 85 North #4576
Crestview, FL 32536
(339) 707-0307