Sharing of Data Obtained by Subpoenas


CISA has restrictions on sharing non-public information obtained through administrative subpoenas. CISA only shares non-public information obtained through administrative subpoenas in the following two circumstances:

  • CISA may share the information with DOJ for the purpose of enforcing such subpoena.
  • CISA may share the information with a federal agency if all of the following conditions apply:
    • CISA identifies or is notified of a cybersecurity incident involving the entity whose non-public information was obtained through the subpoena, and that incident relates to the vulnerability which led to the issuance of the subpoena;
    • CISA determines that sharing the nonpublic information with another federal department or agency is necessary to allow such department or agency to take a law enforcement or national security action, or actions related to mitigating or otherwise resolving the incident;
    • The entity to which the information pertains is notified of CISA’s determination, to the extent practicable consistent with national security or law enforcement interests; and
    • The notified entity consents to the sharing (Note: this consent is not required if another federal department or agency identifies the entity to CISA in connection with a suspected cybersecurity incident).

Was this webpage helpful?  Yes  |  Somewhat  |  No