Cybersecurity: Federal Agencies Met Legislative Requirements for Protecting Privacy When Sharing Threat Information

What GAO Found

Seven designated agencies--the Departments of Homeland Security, Justice, Defense, Commerce, Energy, and the Treasury, and the Office of the Director of National Intelligence--developed government-wide policies, procedures, and guidelines to assist federal and nonfederal entities in their efforts to receive and share cybersecurity information. In particular, these policies, procedures, and guidelines met the eight provisions of the Cybersecurity Information Sharing Act of 2015 (hereafter referred to as the act) on removal of personal information from cyber threat indicators and defensive measures.

As defined in the act, cyber threat indicators include threat-related information such as methods of defeating or causing users to unwittingly enable the defeat of security controls and methods of exploiting cybersecurity vulnerabilities. Defensive measures include any actions, devices, procedures, techniques, or other means that detect, prevent, or mitigate a known or suspected cybersecurity threat or vulnerability.

More specifically, the government-wide policies, procedures, and guidelines collectively met the act's provisions by:

• outlining ways in which federal entities are to share classified and unclassified cyber threat indicators and defensive measures in a way that mitigates adverse effects;

• defining roles and responsibilities of federal and nonfederal entities when sharing information, in areas such as notification of an error or protection against unauthorized access; and

• providing details on the process for submitting, receiving, handling, and disseminating cyber threat indicators and defensive measures. 

As required by the act, these artifacts also addressed eight fair information practice principles, as applicable, that are the widely accepted framework to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. Specifically, the government-wide guidelines do so by establishing or considering the fair information practice principles as the primary guiding principles for all federal entity activities related to the receipt, retention, use, and dissemination of cyber threat indicators, as authorized by the act. 

Why GAO Did This Study

Federal agencies and our nation's critical infrastructures, such as communications and financial services, are dependent on information technology systems and electronic data to carry out operations and to process, maintain, and report essential information. The security of these systems and data is vital to public confidence and national security, prosperity, and well-being. GAO first designated information security as a government-wide high-risk area in 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015.

In December 2015, the President signed the Cybersecurity Information Sharing Act of 2015 into law to encourage the sharing of cyber threat information between the public and private sectors. The act included a provision for GAO to review actions taken by the federal government to remove personal information from cyber threat indicators when shared among federal and nonfederal entities. GAO determined the extent to which seven federal agencies designated by the act developed government-wide policies, procedures, and guidelines for the removal of personal information from cyber threat indicators, pursuant to the act's provisions and fair information practice principles. To do so, GAO gathered and analyzed the policies, procedures, and guideline developed under the act and compared them to eight requirements in the act related to the removal of personal information.