Responding to emerging cyber and infrastructure security threats will take an unprecedented level of cooperation between the private and public sectors. Reaching corporate in-house and outside counsel is particularly critical because they wield significant influence as company advisors on cybersecurity and infrastructure protection strategies, including whether those companies should participate in CISA’s information sharing programs, leverage CISA’s assessment tools, or benefit from CISA’s incident response capabilities. To promote cooperation, it is essential that in-house and outside counsel understand the mechanisms and protections in place designed to facilitate trust and collaboration between the private sector and CISA.
The purpose of this page is to provide attorneys with resources that will help them understand the legal issues relevant to CISA’s mission. We hope that counsel for companies and government agencies will be able to quickly recognize when CISA’s resources can assist their clients.
Constitutional, Statutory and Regulatory Authorities
Practitioners in this field should be aware of the Fourth Amendment to the United States Constitution, which provides parameters for government action in this area. Practitioners should also be aware of several statutes and regulations, including:
- The Cybersecurity and Infrastructure Security Agency Act of 2018 (6 U.S.C. 651-674) establishes the CISA and details its authorities, including the roles and responsibilities for each of its operating divisions.
- In particular, 6 U.S.C. 659 establishes CISA as a central player in the sharing of cyber threat information between the federal government and the private sector, and authorizes CISA to provide cybersecurity technical assistance and incident-response capabilities to Federal and non-Federal entities upon request.
- 6 U.S.C. 571 - 580 authorizes the creation of the Emergency Communications Division of CISA, designed to promote interoperable communications among public safety officials.
- The Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501-1533), which required the Department of Homeland Security to establish a capability and process for sharing cyber threat indicators with both the federal government and private sector entities. This statute creates incentives for private companies to share information with the government through DHS notwithstanding any other law – companies receive liability protections, privileges are maintained, proprietary information is protected, information is not released under the Freedom of Information Act, and others. These aspects are further detailed in multiple guidance documents, especially the DHS-DOJ guidance to non-Federal entities, available at https://us-cert.cisa.gov/ais.
- The Federal Information Systems Modernization Act (FISMA) (44 U.S.C. 3551-3558) establishes CISA’s central role in the security of the information and information systems of federal, executive-branch, civilian agencies. CISA administers the implementation of government-wide policies, deploy technologies to assist in the protection of federal agencies’ networks, and issue binding operational directives to agencies to safeguard information and information systems from known or reasonably suspected information security threats, vulnerabilities and risks.
- The Federal Acquisition Supply Chain Security Act (41 U.S.C. 1321-1328) creates the Federal Acquisition Security Council (FASC), a new Executive Branch body designed to bring rigor to decisions about supply chain security risks to federal information and information systems.
- The Computer Fraud and Abuse Act (18 U.S.C. 1030) provides that accessing a computer without, or in excess of, authorization may be a crime. The Wiretap Act (18 U.S.C. 2511) and the Pen/Trap Act (18 U.S.C. 3121) govern the monitoring of communications on a network. The Stored Communications Act (18 U.S.C. 2702 and 2703) governs the provision of certain information to the government by providers of electronic communications or remote computing services to the public.
- The Critical Infrastructure Information Act (6 U.S.C. 671-674) encourages companies to share sensitive information with the government by creating a method for that information, documents, and material to be secure. This statute led to the creation of the Protected Critical Infrastructure (PCII) program in CISA. The rule implementing this statute is found at 6 C.F.R. part 29.
- The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (6 U.S.C. 621-629) provides the foundational authority for the Chemical Facility Anti-Terrorism Standards (CFATS). The CFATS program identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists. The rule implementing this statute can be found at 6 C.F.R. part 27.
- Subtitle J (Sections 899A-899J) of Title VIII of the Homeland Security Act (6 U.S.C. 488-488i). DHS is required to regulate the sale and transfer of ammonium nitrate (AN)—which is widely used in agricultural fertilizers and explosives manufacturing—to prevent its misappropriation and use in terrorist acts. Pursuant to this authority, DHS issued a notice of proposed rulemaking (NPRM) on August 3, 2011 to implement the Ammonium Nitrate Security Program. 76 FR 46908.
- Regulatory guidance materials for the PCII and CFATS programs are available at https://www.cisa.gov/guidance.
In addition to statutes passed by Congress, and the regulations implementing those statutes, CISA’s work is governed by a number of Presidential Directives. Practitioners should be aware of the following:
- Presidential Policy Directive 41, “United States Cyber Incident Coordination ,” (July 2016), which lays out the roles and responsibilities within the federal government with regard to responding to cyber incidents.
- Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which directs federal departments and agencies to work together and with the private sector to strengthen the security and resilience of the Nation’s critical infrastructure.
- Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience ,” accompanying EO 13636, which lays out the roles and responsibilities within the federal government with regard to promoting the security of critical infrastructure CISA’s Critical Infrastructure Partnership Advisory Council (CIPAC) operates consistent with the critical infrastructure sector construct outlined in PPD-21 and in the National Infrastructure Protection Plan.
- Executive Order 12977 , “Interagency Security Committee,” which establishes a committee of representatives from agencies across the federal government and directs the committee to develop policies and recommendation in order to enhance the quality and effectiveness of security in and protection of buildings and facilities occupied by Federal employees for nonmilitary activities. Executive Order 13286 moved the ISC from the General Services Administration to DHS.
- Executive Order 13650, “Improving Chemical Facility Safety and Security,” which established a Federal Interagency Working Group to address issues on improving the safety and security of chemical facilities and reducing the risks of hazardous chemicals to workers and communities.
- Executive Order 13618, “Assignment of National Security and Emergency Preparedness Communications Functions ,” assigns responsibilities to DHS and other agencies to provide for resilient, continuous communications under all circumstances.
Obtaining CISA’s services
Protecting the Privacy of Data
- One of CISA’s core functions is to properly steward the data in our control. CISA therefore has developed a strong privacy infrastructure within the agency. The CISA Privacy Office has provided a number of resources to better understand the agency’s commitment to privacy.
- CISA has identified nine factors that entities should consider as they develop banners that provide notice to employees of network monitoring and seek their consent. There is one set of guidance for state, local, tribal and territorial governments, and another set of guidance for private sector entities.
Best Practices in Incident Response
- Many attorneys are called upon to help their organizations manage a response to a cybersecurity incident. CISA, the Australian Cyber Security Centre (ACSC), New Zealand’s National Cyber Security Centre (NCSC NZ) and Computer Emergency Response Team NZ (CERT NZ), Canada’s Communications Security Establishment, and the United Kingdom’s National Cyber Security Centre (NCSC UK), released a Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity. This ground-breaking joint advisory highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices.
- Your Actions Under Stress. As your strategy for responding to and recovering from compromise, this is an essential element of your organization’s Culture of Cyber Readiness.
Vulnerability Disclosure Policies
- CISA has issued Binding Operational Directive 20-01, which requires individual federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services, and maintain processes to support their VDP. The provisions of this Binding Operational Directive may be helpful for non-federal entities that are considering similar policies
- The Critical Infrastructure Partnership Advisory Council (CIPAC) is an advisory council chartered by the Department of Homeland Security to support the implementation of the National Infrastructure Protection Plan and Presidential Policy Directive 21. CIPAC members meet to provide consensus advice and recommendations to the Federal Government on critical infrastructure protection, security, and resilience matters. CIPAC is composed primarily of Sector Coordinating Councils (whose members represent critical infrastructure owners and operators) and Government Coordinating Councils (whose members include Federal officials and State, Local, and Tribal partners). The Secretary of Homeland Security established CIPAC by Federal Register Notice in 2006. 71 FR 14930 (Mar. 24, 2006).
- The National Security Telecommunications Advisory Committee (NSTAC), established under Executive Order 12382 and continued under Executive Order 13889, provides information and advice to the President, through the Secretary of Homeland Security, on national security and emergency preparedness (NS/EP) telecommunications, information and communications services. NSTAC is composed of up to 30 members who are appointed by the President.
- The National Infrastructure Advisory Council (NIAC), established under Section 10 of Executive Order 13231 (as amended) and continued under the authority of Executive Order 13889, provides advice to the President on the security and resilience of the Nation’s critical infrastructure sectors and their functional systems, physical assets, and cyber networks.
National Response Framework
- Under the Emergency Support Function #14 Annex to the National Response Framework, CISA supports the coordination of cross-sector operations, including stabilization of key supply chains and community lifelines, among infrastructure owners and operators, businesses, and their government partners, during response to incidents covered by the National Response Framework.
- Under the Emergency Support Function #2 Annex to the National Response Framework, CISA’s National Coordinating Center for Communications coordinate disaster response and restoration activities for the communications and cybersecurity sectors.
- Pursuant to a recommendation by the Federal Commission on School Safety, and in furtherance of CISA’s statutory authorities to direct critical infrastructure security efforts, and coordinate with Federal entities to carry out critical infrastructure security activities, CISA operates under a 2019 “Memorandum of Understanding among the U.S. Departments of Education, Justice, Health and Human Services, and Homeland Security” to lead the development of SchoolSafety.gov and oversee the assessment and identification of best practices on school security and school safety.