Cybersecurity-Related Resources for Lawyers

Responding to emerging cyber and infrastructure security threats requires unprecedented cooperation between the private and public sectors. Surveys by the Association of Corporate Counsel consistently show that cybersecurity is one of the top concerns for general counsel at private companies. Corporate in-house and outside counsel wield significant influence as advisors on security strategies and related engagements with the Federal government, including whether and how companies should participate in CISA’s information sharing programs, leverage CISA’s assessment tools, or request CISA’s incident response services. 

CISA believes it is important for private sector attorneys to understand the mechanisms and protections designed to facilitate trust and collaboration between the private sector and CISA.

This page provides resources to help attorneys understand the legal issues relevant to CISA’s cybersecurity mission and enable them to quickly recognize when our resources can assist their clients. One such resource is an article by former CISA Chief Counsel Dan Sutherland, What Is a Cybersecurity Legal Practice?, which discusses the nature of a cybersecurity legal practice and what should be in such a lawyer’s portfolio.

Constitutional, Statutory and Regulatory Authorities 

The U.S. Constitution, particularly the First and Fourth Amendments, provides parameters for government action to promote cybersecurity and infrastructure security.  Other cyber related statutes and regulations of which private sector practitioners should be aware include:

  • Title XXII of the Homeland Security Act of 2002, as enacted by the Cybersecurity and Infrastructure Security Agency Act of 2018 and as amended (collected at 6 U.S.C. §§ 650-681g) establishes CISA and details its authorities, including the roles and responsibilities for each of its operating divisions.
    • In particular, 6 U.S.C. § 659 establishes CISA as a central player in the sharing of cyber threat information between the federal government and the private sector and authorizes it to provide cybersecurity technical assistance and incident-response capabilities to Federal and non-Federal entities, upon request.

  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (6 U.S.C. §§ 681-681g) requires, among other things, that CISA develop and implement regulations requiring covered entities to report covered cyber incidents and ransom payments in response to ransomware attacks to CISA. These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA required CISA to develop and publish a Notice of Proposed Rulemaking (which CISA published in April 2024 and which was open for public comment for 90 days), and a Final Rule. CIRCIA also expressly permits entities to submit voluntary information or voluntary reports of cyber incidents or ransom payments, which may be submitted to enhance the situational awareness of cyber threats. Information or reports submitted in accordance with the requirements in CIRCIA and the forthcoming regulations, as well as voluntarily submitted reports and information, will be entitled to certain protections, which are in many ways comparable to those provided to information voluntarily shared under CISA 2015 (discussed below). More information on CIRCIA is available on CISA’s page Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
  • 6 U.S.C. §§ 571 - 580 authorizes the creation of CISA’s Emergency Communications Division, designed to promote interoperable communications among public safety officials.
  • The Cybersecurity Information Sharing Act of 2015 (CISA 2015) (6 U.S.C. §§ 1501-1510) creates protections for non-federal entities to share cyber threat indicators and defensive measures, in accordance with certain requirements, with each other and with the government, and provides that they may do so notwithstanding any other law. Such protections include the non-waiver of privilege, protection of proprietary information, exemption from disclosure under the Freedom of Information Act (FOIA), prohibition on use in regulatory enforcement, and more. CISA 2015 also requires DHS to operate a capability and process for sharing cyber threat indicators with both the federal government and private sector entities and provides for liability protection for information shared through this process. The statute also creates protections for cyber threat indicators and defensive measures shared in accordance with the statutory requirements with state, local, tribal, and territorial (SLTT) entities, including that the information shall be exempt from disclosure under SLTT freedom of information laws. These aspects are further detailed in multiple guidance documents, especially the DHS-DOJ Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015. Other guidance related to CISA 2015 and CISA’s associated Automated Indicator Sharing platform is available at cisa.gov/ais.
  • Federal Information Systems Modernization Act of 2014 (FISMA) (44 U.S.C. §§ 3551-3558) establishes CISA’s central role in the security of the information and information systems of federal civilian executive branch agencies. CISA implements government-wide policies, deploys technologies to assist in the protection of federal agencies’ networks, and issues binding operational directives to agencies to safeguard information and information systems from known or reasonably suspected information security threats, vulnerabilities, and risks.
  • The Federal Acquisition Supply Chain Security Act (41 U.S.C. §§ 1321-1328) creates the Federal Acquisition Security Council (FASC), an Executive Branch body designed to bring rigor to decisions about supply chain security risks to federal information and information systems. The FASC is also authorized to recommend exclusion and removal orders to the Secretaries of Homeland Security and Defense for covered articles that pose supply chain risks to federal Executive Branch networks. Pursuant to the FASC implementing regulations (41 CFR Parts 201 and 201-1), CISA serves as the FASC’s Information Sharing Agency.
  • The Computer Fraud and Abuse Act (18 U.S.C. § 1030) provides that accessing a computer without, or in excess of, authorization may be a crime.
  • The Wiretap Act (18 U.S.C. § 2511) and the Pen/Trap Act (18 U.S.C. § 3121) govern the monitoring of communications on a network.
  • The Stored Communications Act (18 U.S.C. § 2702 and § 2703) governs the provision of certain information to the government by providers of electronic communications or remote computing services to the public.
  • The Critical Infrastructure Information Act (6 U.S.C. §§ 671-674) is designed to encourage companies to share sensitive information with the government by addressing handling, sharing, use, and disclosure. This statute led to the creation of CISA's Protected Critical Infrastructure Information (PCII) Program and procedures codified at 6 C.F.R. § 29. Critical Infrastructure Information, as defined in the statute, is protected under the PCII Program if it meets several procedural requirements. The PCII Program provides protections for entities who share validated information, including limiting access to those with a lawful and authorized government purpose, prescribing storage and transmission processes, prohibiting its use for regulatory purposes or in civil actions, and exempting it from disclosure under FOIA. PCII is also exempt from SLTT freedom of information laws.

Presidential Directives

In addition to statutes passed by Congress and their implementing regulations, CISA’s work is governed by various Presidential Directives. These Directives provide important guidance and context to CISA in carrying out its mission with the private sector by promoting information sharing and public-private cooperation. 

Working With CISA

Obtaining CISA's Services

  • When a federal or non-federal entity requests CISA’s services, typically CISA must document the request from an authorized representative of the entity, ensure necessary authorization and consents are in place, and establish other parameters for the engagement. To facilitate this, CISA has developed standard templates. Because CISA provides these services to a wide range of entities, we are not able to alter or customize the terms of the standard agreements. For a sense of the typical form of these agreements, please see the “Terms of Use” for signing up for the Automated Indicator Sharing (AIS) service.

Protecting the Privacy of Data

  • One of CISA’s core functions is to properly steward the data in our control. CISA therefore has developed a strong privacy infrastructure within the agency, as required by federal law. The CISA Office of Privacy webpage provides several resources to better understand CISA’s commitment to privacy.

Guidance on Consent Banners

Best Practices in Incident Response

  • Many attorneys are called upon to help their organizations manage a response to a cybersecurity incident. CISA, with the Australian Cyber Security Centre; New Zealand’s National Cyber Security Centre, and Computer Emergency Response Team; Canada’s Communications Security Establishment; and the United Kingdom’s National Cyber Security Centre, released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity. This ground-breaking joint advisory highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.
  • Cyber Essentials: Managing cyber risk requires building a Culture of Cyber Readiness.

Vulnerability Disclosure Policies

  • CISA has issued Binding Operational Directive 20-01, which requires individual federal civilian Executive Branch agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services and maintain processes to support it. These provisions may be helpful for non-federal entities considering similar policies.

External Engagement

  • CISA manages and participates in several engagement mechanisms that inform and support the nation’s efforts to protect critical infrastructure. These mechanisms highlight the beneficial relationship between government and private-sector partners in furthering cyber and infrastructure security. They include advisory committees established by the Secretary of Homeland Security, sector-specific councils that convene experts from a particular industry, and partnerships with organizations to share information.