On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”).  These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, were issued in February.

Earlier this month, the U.S. Department of Homeland Security (DHS) and Department of Justice (DOJ) issued joint interim guidance on private entities’ sharing of cyber threat indicators and defensive measures with the government and other private entities. As we have written, Congress required the agencies to develop and publish this guidance through the Cybersecurity Information Sharing Act (CISA). The guidance provides helpful examples of information that may or may not be shared, along with details about the information sharing mechanism. Concurrently, DHS and DOJ published interim procedures for the receipt of cyber threat indicators and defensive measures, and privacy and civil liberties guidelines.

Below are the key takeaways from the guidance.