Automated Indicator Sharing (AIS) Participant Protections
AIS offers anonymity, as well as liability and privacy protections, to encourage the submission of cyber threat indicators and defensive measures.
CISA 2015 grants liability protection to organizations sharing and receiving cyber threat indicators and defensive measures, provided sharing is done in accordance with all the Act’s requirements. Liability protection applies to the following sharing arrangements, if the sharing is otherwise conducted in accordance with the Act:
- Non-federal entities (private sector entities, SLTT governments, international partners, ISACs/ISAOs) sharing with other non-federal organizations
- Non-federal entities sharing with CISA and other federal agencies through AIS. *
CISA has taken careful measures to ensure appropriate privacy and civil liberties protections are fully implemented in AIS and are regularly tested. CISA has published a Privacy Impact Assessment of AIS, which can be found on the AIS Documentation page.
To ensure that personally identifiable information (PII) is protected, AIS has processes that:
- Perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
- Incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
- Minimize the amount of data included in a cyber threat indicator to information that is directly related to a cyber threat;
- Retain only information needed to address cyber threats; and
- Ensure any information collected is used only for network defense or limited law enforcement purposes.
All cyber threat indicators and defensive measures submitted through AIS by non-federal entities are afforded the following additional protections when the sharing is done in accordance with all requirements of CISA 2015:
- Exemption from anti-trust laws;
- Exemption from federal, state, tribal, and local disclosure laws;
- Exemption from certain state and federal regulatory uses;
- No waiver of privilege for shared material;
- Treated as commercial, financial, and proprietary information when so designated; and
- Not subject to any executive branch rules or judicial doctrine regarding ex parte communications with a decision-making official.**
* Federal organizations do not receive liability protection when sharing with one another, but some aspects of CISA 2015 apply (e.g., privacy requirements when sharing cyber threat indicators).
** For more information regarding the other protections under the Cybersecurity Information Sharing Act of 2015, see the Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015 (updated October 2020).