Resources for Lawyers
Responding to emerging cyber and infrastructure security threats requires unprecedented cooperation between the private and public sectors. Corporate in-house and outside counsel wield significant influence as advisors on security strategies, such as whether companies should participate in CISA’s information sharing programs, leverage CISA’s assessment tools, or request CISA’s incident response services. It is essential to understand the mechanisms and protections designed to facilitate trust and collaboration between the private sector and CISA.
This page provides resources to help attorneys understand the legal issues relevant to CISA’s mission and enable them to quickly recognize when our resources can assist their clients.
What is The Law?
Recent surveys by the Association of Corporate Counsel consistently show that cybersecurity is one of the top concerns for general counsel at private companies, a well-placed concern given the steady stream of alarming incidents involving the security of critical infrastructure and sensitive data. As a result, corporate general counsels are increasingly aware of the need for cybersecurity attorneys. Former CISA Chief Counsel Dan Sutherland discusses, in What Is a Cybersecurity Legal Practice?, what this means and what should be in such a lawyer’s portfolio.
Constitutional, Statutory and Regulatory Authorities
The U.S. Constitution, particularly the Fourth Amendment, provides parameters for government action in this area. Other statutes and regulations of which practitioners should be aware include:
- Title XXII of the Homeland Security Act of 2002, as enacted by the Cybersecurity and Infrastructure Security Agency Act of 2018 (collected at 6 U.S.C. §§ 651-674), establishes CISA and details its authorities, including the roles and responsibilities for each of its operating divisions.
- In particular, 6 U.S.C. § 659 establishes CISA as a central player in the sharing of cyber threat information between the federal government and the private sector and authorizes it to provide cybersecurity technical assistance and incident-response capabilities to Federal and non-Federal entities, upon request.
- 6 U.S.C. §§ 571-580 authorizes the creation of CISA’s Emergency Communications Division, designed to promote interoperable communications among public safety officials.
- The Cybersecurity Information Sharing Act of 2015 (CISA 2015) (6 U.S.C. §§ 1501-1533) creates protections for non-federal entities that share cyber threat indicators and defensive measures with the government in accordance with certain requirements, and provides that they may do so notwithstanding any other law. Such protections include the non-waiver of privilege, protection of proprietary information, exemption from disclosure under the Freedom of Information Act (FOIA), prohibition on use in regulatory enforcement, and more. CISA 2015 also requires DHS to operate a capability and process for sharing cyber threat indicators with both the federal government and private sector entities and provides for liability protection for information shared through this process. The statute also creates protections for cyber threat indicators and defensive measures shared in accordance with the statutory requirements with state, local, tribal, and territorial (SLTT) entities, including that the information shall be exempt from disclosure under SLTT freedom of information laws. These aspects are further detailed in multiple guidance documents, especially the DHS-DOJ Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015.
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (6 U.S.C. §§ 681-681g) requires, among other things, that CISA develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking, which will be open for public comment, and a Final Rule. CIRCIA also expressly permits entities to submit voluntary information or voluntary reports of cyber incidents or ransom payments, which may be submitted to enhance the situational awareness of cyber threats. Information or reports submitted in accordance with the requirements in CIRCIA and the forthcoming regulations, as well as voluntarily submitted reports and information, will be entitled to certain protections comparable to those provided to information voluntarily shared under CISA 2015. More information on CIRCIA is available here: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | CISA.
- Sections 3551-3558 of Title 44, U.S. Code, as enacted by the Federal Information Systems Modernization Act of 2014 (FISMA) (44 U.S.C. §§ 3551-3558), establish CISA’s central role in the security of the information and information systems of federal civilian executive-branch agencies. CISA implements government-wide policies, deploys technologies to assist in the protection of federal agencies’ networks, and issues binding operational directives to agencies to safeguard information and information systems from known or reasonably suspected information security threats, vulnerabilities, and risks.
- The Federal Acquisition Supply Chain Security Act (41 U.S.C. §§ 1321-1328) creates the Federal Acquisition Security Council (FASC), an Executive Branch body designed to bring rigor to decisions about supply chain security risks to federal information and information systems. The FASC is also authorized to recommend exclusion and removal orders to the Secretaries of Homeland Security and Defense for covered articles that pose supply chain risks to federal Executive Branch networks.
- The Computer Fraud and Abuse Act (18 U.S.C. § 1030) provides that accessing a computer without, or in excess of, authorization may be a crime.
- The Wiretap Act (18 U.S.C. § 2511) and the Pen/Trap Act (18 U.S.C. § 3121) govern the monitoring of communications on a network.
- The Stored Communications Act (18 U.S.C. § 2702 and § 2703) governs the provision of certain information to the government by providers of electronic communications or remote computing services to the public.
- The Critical Infrastructure Information Act (6 U.S.C. §§ 671-674) is designed to encourage companies to share sensitive information with the government by addressing handling, sharing, use, and disclosure. This statute led to the creation of CISA's Protected Critical Infrastructure Information (PCII) Program and procedures codified at 6 C.F.R. § 29. Critical Infrastructure Information, as defined in the statute, is protected under the PCII Program if it meets several procedural requirements. The PCII Program provides protections for entities who share validated information, including limiting access to those with a lawful and authorized government purpose, prescribing storage and transmission processes, prohibiting use for regulatory purposes or in civil actions, and exempting the information from disclosure under FOIA. PCII is also exempt from SLTT freedom of information laws.
- The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (6 U.S.C. §§ 621-629) provides the foundational authority for the Chemical Facility Anti-Terrorism Standards (CFATS). The CFATS program identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists. The rule implementing this statute can be found at 6 C.F.R. § 27.
- Subtitle J (§§ 899A-899J) of Title VIII of the Homeland Security Act (6 U.S.C. §§ 488-488i) requires DHS to regulate the sale and transfer of ammonium nitrate, which is widely used in agricultural fertilizers and explosives manufacturing, to prevent its misappropriation and use for terrorist acts. Pursuant to this authority, DHS issued a notice of proposed rulemaking (NPRM) on August 3, 2011, to implement the Ammonium Nitrate Security Program. 76 FR 46908.
- Regulatory guidance materials for the PCII and CFATS programs are available at https://www.cisa.gov/guidance.
Presidential Directives
In addition to statutes passed by Congress and their implementing regulations, CISA’s work is governed by several Presidential Directives:
- Executive Order 14028, “Improving the Nation’s Cybersecurity,” provides robust direction on improving the cybersecurity posture of the Federal civilian Executive Branch agencies.
- Presidential Policy Directive 41, “United States Cyber Incident Coordination,” lays out the roles and responsibilities within the federal government regarding responding to cyber incidents.
- Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directs federal departments and agencies to work together and with the private sector to strengthen the security and resilience of the Nation’s critical infrastructure.
- Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience,” accompanying EO 13636, lays out the roles and responsibilities within the federal government regarding promoting the security of critical infrastructure. CISA’s Critical Infrastructure Partnership Advisory Council (CIPAC) operates consistent with the critical infrastructure sector construct outlined here and in the National Infrastructure Protection Plan.
- Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” requires DHS to strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs) in various ways.
- Executive Order 12977, “Interagency Security Committee,” establishes a committee of representatives from various federal agencies and directs it to develop policies and recommendations to enhance the quality and effectiveness of security in and protection of buildings and facilities occupied by Federal employees for nonmilitary activities. The Committee was moved from the General Services Administration to DHS in Executive Order 13286.
- Executive Order 13650, “Improving Chemical Facility Safety and Security,” establishes a Federal Interagency Working Group to address issues on improving the safety and security of chemical facilities and reducing the risks of hazardous chemicals to workers and communities.
- Executive Order 13618, “Assignment of National Security and Emergency Preparedness Communications Functions,” assigns responsibilities to DHS and other agencies to provide for resilient, continuous communications under all circumstances.
Obtaining CISA's Services
- When a federal or non-federal entity requests CISA’s services, typically CISA must document the request, ensure necessary authorization and consents are in place, and establish other parameters for the engagement. To facilitate this, CISA has developed standard templates. Because CISA provides these services to a wide range of entities, we are not able to alter or customize the terms of the standard agreements. For a sense of the typical form of these agreements, please see the “Terms of Use” for signing up for the Automated Indicator Sharing (AIS) service (PDF).
Protecting the Privacy of Data
- One of CISA’s core functions is to properly steward the data in our control. CISA therefore has developed a strong privacy infrastructure within the agency. The CISA Office of Privacy provides several resources to better understand CISA’s commitment to privacy.
Guidance on Consent Banners
- CISA has identified nine factors that entities should consider as they develop banners that provide notice to employees of network monitoring and seek their consent. There is separate guidance for SLTT governments and for private sector entities, both available here.
Best Practices in Incident Response
- Many attorneys are called upon to help their organizations manage a response to a cybersecurity incident. CISA, with the Australian Cyber Security Centre; New Zealand’s National Cyber Security Centre, and Computer Emergency Response Team; Canada’s Communications Security Establishment; and the United Kingdom’s National Cyber Security Centre, released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity. This ground-breaking joint advisory highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.
- Cyber Essentials: Managing cyber risk requires building a Culture of Cyber Readiness.
Vulnerability Disclosure Policies
- CISA has issued Binding Operational Directive 20-01, which requires individual federal civilian Executive Branch agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services and maintain processes to support it. These provisions may be helpful for non-federal entities considering similar policies.
Advisory Committees
CISA manages several advisory committees that inform and support the nation’s efforts to protect critical infrastructure:
- The Critical Infrastructure Partnership Advisory Council (CIPAC) was established, by exercise of the Secretary's authority to establish advisory bodies exempt from the requirements of the Federal Advisory Committee Act, to support the implementation of the National Infrastructure Protection Plan and Presidential Policy Directive 21. Unlike the other advisory committees mentioned below, the work of CIPAC is explicitly exempt from the requirements of FACA. Representatives of CIPAC member entities meet to provide consensus advice and recommendations to the Federal Government on critical infrastructure protection, security, and resilience matters. CIPAC is composed primarily of the critical infrastructure owner and operator and representative trade association members of the Sector Coordinating Councils, and their companion Government Coordinating Councils (whose members include Federal officials and SLTT partners). The Secretary of Homeland Security established CIPAC by Federal Register Notice in 2006. 71 FR 14930 (Mar. 24, 2006).
- The National Security Telecommunications Advisory Committee (NSTAC), established under Executive Order 12382 and continued under Executive Order 13889, provides information and advice to the President, through the DHS Secretary, on national security and emergency preparedness (NS/EP) telecommunications, information, and communications services. NSTAC is composed of up to 30 members appointed by the President.
- The National Infrastructure Advisory Council (NIAC), established under Executive Order 13231 §10 (as amended) and continued under the authority of Executive Order 13889, provides advice to the President on the security and resilience of the Nation’s critical infrastructure sectors and their functional systems, physical assets, and cyber networks.
- The Cybersecurity Advisory Committee (CSAC), established pursuant to the Fiscal Year 2021 National Defense Authorization Act, provides recommendations to the CISA Director on the development, refinement, and implementation of policies, programs, planning, and training pertaining to CISA’s cybersecurity mission. The CSAC is composed of up to thirty-five individuals.
- The Cyber Safety Review Board (CSRB), established by the Secretary pursuant to Executive Order 14028 §5, reviews, assesses, and provides consensus advice on threat activity, vulnerabilities, mitigation activities, and agency responses with respect to significant cyber incidents. The CSRB may be composed of up to twenty members (including federal officials and individuals employed by the private sector) and delivers its reports to the Secretary of Homeland Security, who delivers them to the White House. The Secretary of Homeland Security established the CSRB by Federal Register Notice in 2022. 87 FR 6195 (Feb. 3, 2022).
National Response Framework
The National Response Framework (NRF) is a guide to handling disasters and emergencies, including prevention, preparation, response, and recovery. The NRF includes Emergency Support Functions (such as public health and medical services, transportation, communication, search and rescue, and more) and Support Annexes (including public affairs, financial management, tribal relations, and more).
- Under the Emergency Support Function #14 Annex to the National Response Framework, CISA supports the coordination of cross-sector operations, including stabilization of key supply chains and community lifelines, among infrastructure owners and operators, businesses, and their government partners, during response to incidents covered by the National Response Framework.
- Under the Emergency Support Function #2 Annex to the National Response Framework, CISA’s National Coordinating Center for Communications coordinates disaster response and restoration activities for the communications and cybersecurity sectors.
School Safety
- Pursuant to the Luke and Alex School Safety Act of 2022 (§2220D of the Homeland Security Act), CISA manages the Federal Clearinghouse on School Safety Evidence-Based Practices (SchoolSafety.gov) and oversees the assessment and identification of best practices on a wide range of school security and school safety issues.