The Department of Energy has taken the steps necessary to implement the 2015 Cybersecurity Information Sharing Act, the department’s inspector general (IG) said.
The IG report “found that policies and procedures related to sharing cyber threat indicators were sufficient and included requirements for the removal of personally identifiable information.”
The Cybersecurity Information Sharing Act of 2015 was signed into law to help improve cybersecurity by enhancing information-sharing practices related to cyber threats. The legislation permits Federal agencies to share classified and unclassified cyber threat indicators and defensive measures with other agencies and “properly cleared representatives in the private sector.”
According to the IG, DoE officials said the agency has not received any notifications of accidental submission of classified data, and the department had “shared over three million threat indicators and defensive measures with other Federal agencies in calendar year 2018.”
The IG didn’t make any formal recommendations to DoE. But while the agency has been able to comply with the legislation, the IG noted that department officials did indicate potential barriers that have affected or could affect the sharing of cyber threat indicators with other agencies.
“Specifically, officials commented that the cost of security clearances, the length of time to adjudicate a clearance, lack of communication from [the Department of Homeland Security], and liability protection provisions were considered to be barriers that had or could potentially adversely affect the sharing of cyber threat data,” the IG wrote.