As it nears its sunset date this fall, the Cybersecurity Information Sharing Act (CISA) of 2015 has succeeded in improving Federal agencies’ ability to share cyber threat data – a feat that would have been less likely without the law, according to a new Government Accountability Office (GAO) report that highlights the law’s implementation successes. 

The “snapshot” report from GAO details efforts to implement CISA 15, which encourages industry to share cyber threat indicators with the Federal government and private sector partners. The law is due to expire in September without further congressional action.  

The act also requires agencies to protect privacy and civil liberties by removing personally identifiable information from shared cyber threat indicators.

“Prior to the act, nonfederal entities did not have a readily available method of sharing cyber threat information,” said GAO. “However, the act led to the development of automated information sharing tools for entities to share classified and unclassified threat information.” 

Since the act’s implementation, all seven Federal agencies reviewed by GAO in its report developed government-wide policies and procedures to encourage Federal and private sector participants to share and receive cybersecurity information, GAO said, citing a report from its office in 2023.

All other stipulations of the act – such as classifying all shared information, sharing and receiving information in a timely manner, removing PII before sharing data, and identifying barriers to sharing information – have been followed, GAO said.   

“Policies and actions implemented under the Cybersecurity Information Sharing Act of 2015 have positively contributed to the sharing of cyber threat information between federal and nonfederal entities,” said GAO. “Sharing such information can enhance awareness of the extent of current cyber threats and how to mitigate those threats.” 

While CISA 15 has generally been well received, it was controversial when Congress approved it, owing to potential data privacy concerns and the increased access that the Federal government would have to Americans’ data.

Most Republicans and Democrats now want to extend the act, with privacy concerns having been successfully navigated, but the reauthorization should include tweaks, according to industry experts and lawmakers, who said that it should align incentives across government and the private sector and establish a better information sharing mechanism.

Other reported barriers to sharing cyber threat information include reluctance to share information, data classification concerns, the lack of a policy requirement to share information, inconsistent formats, and resource constraints.

However, agencies have taken the appropriate steps to resolve those barriers, according to GAO, which said that the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies are planning to make declassifying and disseminating unclassified indicators easier while also addressing challenges with timeliness, among other steps.  

In April, Sens. Gary Peters, D-Mich., and Mike Rounds, R-S.D., introduced the Cybersecurity Information Sharing Extension Act, which would extend the law to 2035.

About
Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.