Title 6, Domestic Security, Release 119-73

§1503 Authorizations for preventing, detecting, analyzing, and mitigating cybersecurity threats

Title 6 › Chapter 6 - CYBERSECURITY › Subchapter I - CYBERSECURITY INFORMATION SHARING › § 1503

Last updated Apr 6, 2026

Summary

Allows private companies and other non-federal groups to watch and protect computer systems for cybersecurity. A company can monitor its own systems. With written permission it can monitor another non-federal group’s system. With written approval from an authorized federal official it can monitor a federal system. It may also look at data stored on, processed by, or passing through systems it monitors. Monitoring and use are only allowed in the ways this law permits and do not stop other lawful actions. Private groups can run defensive tools on their own systems, on another non-federal system with that group’s written consent, or on a federal system with written consent from an authorized federal official. Non-federal groups may share or receive cyber threat indicators or defensive tools with other non-federal groups or the federal government for cybersecurity, while protecting classified information. Recipients must follow any sharing limits the sender sets. They must use security controls to keep shared information safe and must remove or scrub personal information that is not directly related to the threat before sharing. Shared data can be used to protect systems (including on others’ systems with consent) and can only be kept or passed on as the sender or other laws allow. When state, tribal, or local governments get such information, they may use it for certain cybersecurity purposes, it is treated as voluntarily shared, and it is exempt from local public-record laws. They generally cannot use the information to regulate or enforce against lawful private activity, except to help make rules specifically to prevent or reduce cyber threats. Two or more private companies may share threat information or help each other for cybersecurity without it being treated as an antitrust violation, unless limited elsewhere. Sharing does not give a recipient a right to get similar information from others.

Full Legal Text

Title 6, §1503

Domestic Security — Source: USLM XML via OLRC

(a)(1) Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
(A) an information system of such private entity;
(B) an information system of another non-Federal entity, upon the authorization and written consent of such other entity;
(C) an information system of a Federal entity, upon the authorization and written consent of an authorized representative of the Federal entity; and
(D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
(2) Nothing in this subsection shall be construed—
(A) to authorize the monitoring of an information system, or the use of any information obtained through such monitoring, other than as provided in this subchapter; or
(B) to limit otherwise lawful activity.
(b)(1) Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a defensive measure that is applied to—
(A) an information system of such private entity in order to protect the rights or property of the private entity;
(B) an information system of another non-Federal entity upon written consent of such entity for operation of such defensive measure to protect the rights or property of such entity; and
(C) an information system of a Federal entity upon written consent of an authorized representative of such Federal entity for operation of such defensive measure to protect the rights or property of the Federal Government.
(2) Nothing in this subsection shall be construed—
(A) to authorize the use of a defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(c)(1) Except as provided in paragraph (2) and notwithstanding any other provision of law, a non-Federal entity may, for a cybersecurity purpose and consistent with the protection of classified information, share with, or receive from, any other non-Federal entity or the Federal Government a cyber threat indicator or defensive measure.
(2) A non-Federal entity receiving a cyber threat indicator or defensive measure from another non-Federal entity or a Federal entity shall comply with otherwise lawful restrictions placed on the sharing or use of such cyber threat indicator or defensive measure by the sharing non-Federal entity or Federal entity.
(3) Nothing in this subsection shall be construed—
(A) to authorize the sharing or receiving of a cyber threat indicator or defensive measure other than as provided in this subsection; or
(B) to limit otherwise lawful activity.
(d)(1) A non-Federal entity monitoring an information system, operating a defensive measure, or providing or receiving a cyber threat indicator or defensive measure under this section shall implement and utilize a security control to protect against unauthorized access to or acquisition of such cyber threat indicator or defensive measure.
(2) A non-Federal entity sharing a cyber threat indicator pursuant to this subchapter shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
(3)(A) Consistent with this subchapter, a cyber threat indicator or defensive measure shared or received under this section may, for cybersecurity purposes—
(i) be used by a non-Federal entity to monitor or operate a defensive measure that is applied to—
(I) an information system of the non-Federal entity; or
(II) an information system of another non-Federal entity or a Federal entity upon the written consent of that other non-Federal entity or that Federal entity; and
(ii) be otherwise used, retained, and further shared by a non-Federal entity subject to—
(I) an otherwise lawful restriction placed by the sharing non-Federal entity or Federal entity on such cyber threat indicator or defensive measure; or
(II) an otherwise applicable provision of law.
(B) Nothing in this paragraph shall be construed to authorize the use of a cyber threat indicator or defensive measure other than as provided in this section.
(4)(A) A State, tribal, or local government that receives a cyber threat indicator or defensive measure under this subchapter may use such cyber threat indicator or defensive measure for the purposes described in section 1504(d)(5)(A) of this title.
(B) A cyber threat indicator or defensive measure shared by or with a State, tribal, or local government, including a component of a State, tribal, or local government that is a private entity, under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any provision of State, tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.
(C)(i) Except as provided in clause (ii), a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this subchapter shall not be used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator.
(ii) A cyber threat indicator or defensive measure shared as described in clause (i) may, consistent with a State, tribal, or local government regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of a regulation relating to such information systems.
(e)(1) Except as provided in section 1507(e) of this title, it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this subchapter.
(2) Paragraph (1) shall apply only to information that is exchanged or assistance provided in order to assist with—
(A) facilitating the prevention, investigation, or mitigation of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system; or
(B) communicating or disclosing a cyber threat indicator to help prevent, investigate, or mitigate the effect of a cybersecurity threat to an information system or information that is stored on, processed by, or transiting an information system.
(f) The sharing of a cyber threat indicator or defensive measure with a non-Federal entity under this subchapter shall not create a right or benefit to similar information by such non-Federal entity or any other non-Federal entity.

Reference

Citations & Metadata

Citation

6 U.S.C. § 1503
