PRIA Logo
Take the PRIA Score
Title 6Domestic SecurityRelease 119-73

§681e Information shared with or provided to the Federal Government

Title 6 › Chapter CHAPTER 1— - HOMELAND SECURITY ORGANIZATION › Subchapter SUBCHAPTER XVIII— - CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part Part D— - Cyber Incident Reporting › § 681e

Last updated Apr 6, 2026|Official source

Summary

The Agency may share, keep, and use information it gets about cyber incidents or ransom payments with federal government people and offices only for specific reasons: to protect computer systems, to find cyber threats or weaknesses, to stop or respond to threats that could cause death, serious injury, or big economic harm (including terrorism), to protect minors from serious threats like sexual exploitation, or to investigate and prosecute crimes tied to the cyber incident. The Agency must check each report right away, use it to spot and quickly share useful, anonymous threat details and defenses, and make rules for when and how to share vulnerability information. The Agency must protect personal data, keep reports on systems that meet at least the “moderate impact” security level in Federal Information Processing Standards Publication 199 (or its replacement), and generally cannot let other governments use a report given only to the Agency to regulate or punish the reporter unless those governments say reports can meet regulatory requirements. Reports can, however, help shape cybersecurity rules. Reports are treated as the reporting company’s confidential business information if the company says so. They are exempt from the Freedom of Information Act and similar state or local disclosure laws. Sending a report does not waive legal protections like trade secrets and does not count as forbidden ex parte contact. If a report was submitted properly, a person or company cannot be sued just because they reported it, and reports or documents made only to prepare the report cannot be used as evidence or discovery in court or agency proceedings (with narrow exceptions). The Agency must remove the reporter’s identity before sharing information with critical infrastructure owners or the public. These rules do not let service providers disclose information that the Stored Communications Act does not allow.

Full Legal Text

Title 6, §681e

Domestic Security — Source: USLM XML via OLRC

(a)(1)Information provided to the Agency pursuant to section 681b or 681c of this title may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(A)a cybersecurity purpose;
(B)the purpose of identifying—
(i)a cyber threat, including the source of the cyber threat; or
(ii)a security vulnerability;
(C)the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction;
(D)the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(E)the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a cyber incident reported pursuant to section 681b or 681c of this title or any of the offenses listed in section 1504(d)(5)(A)(v) of this title.
(2)(A)Upon receiving a covered cyber incident or ransom payment report submitted pursuant to this section, the Agency shall immediately review the report to determine whether the cyber incident that is the subject of the report is connected to an ongoing cyber threat or security vulnerability and where applicable, use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.
(B)With respect to information in a covered cyber incident or ransom payment report regarding a security vulnerability referred to in paragraph (1)(B)(ii), the Director shall develop principles that govern the timing and manner in which information relating to security vulnerabilities may be shared, consistent with common industry best practices and United States and international standards.
(3)Information contained in covered cyber incident and ransom payment reports submitted to the Agency pursuant to section 681b of this title shall be retained, used, and disseminated, where permissible and appropriate, by the Federal Government in accordance with processes to be developed for the protection of personal information consistent with processes adopted pursuant to section 1504 of this title and in a manner that protects personal information from unauthorized use or unauthorized disclosure.
(4)The Agency shall ensure that reports submitted to the Agency pursuant to section 681b of this title, and any information contained in those reports, are collected, stored, and protected at a minimum in accordance with the requirements for moderate impact Federal information systems, as described in Federal Information Processing Standards Publication 199, or any successor document.
(5)(A)A Federal, State, local, or Tribal government shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Agency in accordance with this part to regulate, including through an enforcement action, the activities of the covered entity or entity that made a ransom payment, unless the government entity expressly allows entities to submit reports to the Agency to meet regulatory reporting obligations of the entity.
(B)A report submitted to the Agency pursuant to section 681b or 681c of this title may, consistent with Federal or State regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such systems.
(b)Reports describing covered cyber incidents or ransom payments submitted to the Agency by entities in accordance with section 681b of this title, as well as voluntarily-submitted cyber incident reports submitted to the Agency pursuant to section 681c of this title, shall—
(1)be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity;
(2)be exempt from disclosure under section 552(b)(3) of title 5 (commonly known as the “Freedom of Information Act”), as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records;
(3)be considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and
(4)not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
(c)(1)No cause of action shall lie or be maintained in any court by any person or entity and any such action shall be promptly dismissed for the submission of a report pursuant to section 681b(a) of this title that is submitted in conformance with this part and the rule promulgated under section 681b(b) of this title, except that this subsection shall not apply with regard to an action by the Federal Government pursuant to section 681d(c)(2) of this title.
(2)The liability protections provided in this subsection shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Agency.
(3)Notwithstanding paragraph (2), no report submitted to the Agency pursuant to this part or any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report, may be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof, provided that nothing in this part shall create a defense to discovery or otherwise affect the discovery of any communication, document, material, or other record not created for the sole purpose of preparing, drafting, or submitting such report.
(d)The Agency shall anonymize the victim who reported the information when making information provided in reports received under section 681b of this title available to critical infrastructure owners and operators and the general public.
(e)Nothing in this part shall be construed to permit or require disclosure by a provider of a remote computing service or a provider of an electronic communication service to the public of information not otherwise permitted or required to be disclosed under chapter 121 of title 18 (commonly known as the “Stored Communications Act”).

Reference

Citations & Metadata

Citation

6 U.S.C. § 681e

Title 6Domestic Security

Last Updated

Apr 6, 2026

Release point: 119-73