CISA has restrictions on sharing non-public information obtained through administrative subpoenas. CISA only shares non-public information obtained through administrative subpoenas in the following two circumstances:
- CISA may share the information with DOJ for the purpose of enforcing such subpoena.
- CISA may share the information with a federal agency if all of the following conditions apply:
- CISA identifies or is notified of a cybersecurity incident involving the entity whose non-public information was obtained through the subpoena, and that incident relates to the vulnerability which led to the issuance of the subpoena;
- CISA determines that sharing the nonpublic information with another federal department or agency is necessary to allow such department or agency to take a law enforcement or national security action, or actions related to mitigating or otherwise resolving the incident;
- The entity to which the information pertains is notified of CISA’s determination, to the extent practicable consistent with national security or law enforcement interests; and
- The notified entity consents to the sharing (Note: this consent is not required if another federal department or agency identifies the entity to CISA in connection with a suspected cybersecurity incident).