Title 6 — Domestic SecurityRelease 119-73not60
§1504 Sharing of Cyber Threat Indicators and Defensive Measures with the Federal Government
Title 6 › Chapter 6— CYBERSECURITY › Subchapter I— CYBERSECURITY INFORMATION SHARING › § 1504
Summary
Requires the Attorney General and the Secretary of Homeland Security to write rules and privacy guidelines so the federal government can receive cyber threat indicators and defensive measures from outside groups. They must publish interim rules and privacy guidelines within 60 days after December 18, 2015, and final rules and privacy guidelines within 180 days after that date. The Secretary of Homeland Security must build a real-time system inside DHS within 90 days after December 18, 2015, that accepts cyber threat indicators and defensive measures by email, web form, or automated system and passes them automatically to the right federal agencies. The system must be open for any non-federal group to use, must let all appropriate federal entities get the information quickly, and must follow the published policies and privacy rules. The President may later name another federal agency (not the Defense Department or NSA) to build a similar capability if needed, after notifying Congress at least 30 days earlier. The rules must include audit checks and punishments for federal staff who knowingly misuse the process. Cyber threat indicators — basic one-line: information about cybersecurity threats. Defensive measures — basic one-line: actions or tools to stop or reduce those threats. The law says shared indicators are treated as voluntarily given and can be kept private from public records laws. A provider can mark information as proprietary or privileged, and giving it to the government does not waive trade-secret or other protections. Federal use of the shared data is limited to cybersecurity purposes, finding threats or vulnerabilities, responding to serious threats (like death, serious bodily harm, or major economic harm), protecting minors, or preventing or prosecuting certain crimes such as fraud, identity theft, espionage, or trade-secret theft. The guidelines must limit how long personal or identifying information is kept, require safe handling, set rules for destroying data that is not a threat, protect confidentiality as much as possible, and ensure sharing fits with classified and national security rules. The law also says the rules should not let federal, state, tribal, or local governments use the shared information to regulate lawful activity of private entities, except narrowly to make or enforce cybersecurity rules.
Full Legal Text
Title 6, §1504
Domestic Security — Source: USLM XML via OLRC
(a)(1)Not later than 60 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
(2)Not later than 180 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, jointly issue and make publicly available final policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government.
(3)Consistent with the guidelines required by subsection (b), the policies and procedures developed or issued under this subsection shall—
(A)ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503(c) of this title through the real-time process described in subsection (c) of this section—
(i)are shared in an automated manner with all of the appropriate Federal entities;
(ii)are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—
(I)agreed upon unanimously by all of the heads of the appropriate Federal entities;
(II)carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and
(III)uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and
(iii)may be provided to other Federal entities;
(B)ensure that cyber threat indicators shared with the Federal Government by any non-Federal entity pursuant to section 1503 of this title in a manner other than the real-time process described in subsection (c) of this section—
(i)are shared as quickly as operationally practicable with all of the appropriate Federal entities;
(ii)are not subject to any unnecessary delay, interference, or any other action that could impede receipt by all of the appropriate Federal entities; and
(iii)may be provided to other Federal entities; and
(C)ensure there are—
(i)audit capabilities; and
(ii)appropriate sanctions in place for officers, employees, or agents of a Federal entity who knowingly and willfully conduct activities under this subchapter in an unauthorized manner.
(4)(A)Not later than 60 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall jointly develop and make publicly available guidance to assist entities and promote sharing of cyber threat indicators with Federal entities under this subchapter.
(B)The guidelines developed and made publicly available under subparagraph (A) shall include guidance on the following:
(i)Identification of types of information that would qualify as a cyber threat indicator under this subchapter that would be unlikely to include information that—
(I)is not directly related to a cybersecurity threat; and
(II)is personal information of a specific individual or information that identifies a specific individual.
(ii)Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
(iii)Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this subchapter.
(b)(1)Not later than 60 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall, in consultation with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42, jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
(2)(A)Not later than 180 days after December 18, 2015, the Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers designated under section 2000ee–1 of title 42 and such private entities with industry expertise as the Attorney General and the Secretary consider relevant, jointly issue and make publicly available final guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this subchapter.
(B)The Attorney General and the Secretary of Homeland Security shall, in coordination with heads of the appropriate Federal entities and in consultation with officers and private entities described in subparagraph (A), periodically, but not less frequently than once every 2 years, jointly review the guidelines issued under subparagraph (A).
(3)The guidelines required by paragraphs (1) and (2) shall, consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A)limit the effect on privacy and civil liberties of activities by the Federal Government under this subchapter;
(B)limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
(i)a process for the timely destruction of such information that is known not to be directly related to uses authorized under this subchapter; and
(ii)specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C)include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D)consistent with this subchapter, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled “National Strategy for Trusted Identities in Cyberspace” and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this subchapter, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
(E)include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(F)protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this subchapter; and
(G)include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
(c)(1)Not later than 90 days after December 18, 2015, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
(A)shall accept from any non-Federal entity in real time cyber threat indicators and defensive measures, pursuant to this section;
(B)shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyber threat indicators and defensive measures under this subchapter that are shared by a non-Federal entity with the Federal Government through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems except—
(i)consistent with section 1503 of this title, communications between a Federal entity and a non-Federal entity regarding a previously shared cyber threat indicator to describe the relevant cybersecurity threat or develop a defensive measure based on such cyber threat indicator; and
(ii)communications by a regulated non-Federal entity with such entity’s Federal regulatory authority regarding a cybersecurity threat;
(C)ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators and defensive measures shared through the real-time process within the Department of Homeland Security;
(D)is in compliance with the policies, procedures, and guidelines required by this section; and
(E)does not limit or prohibit otherwise lawful disclosures of communications, records, or other information, including—
(i)reporting of known or suspected criminal activity, by a non-Federal entity to any other non-Federal entity or a Federal entity, including cyber threat indicators or defensive measures shared with a Federal entity in furtherance of opening a Federal law enforcement investigation;
(ii)voluntary or legally compelled participation in a Federal investigation; and
(iii)providing cyber threat indicators or defensive measures as part of a statutory or authorized contractual requirement.
(2)(A)Not later than 90 days after December 18, 2015, the Secretary of Homeland Security shall, in consultation with the heads of the appropriate Federal entities, submit to Congress a certification as to whether the capability and process required by paragraph (1) fully and effectively operates—
(i)as the process by which the Federal Government receives from any non-Federal entity a cyber threat indicator or defensive measure under this subchapter; and
(ii)in accordance with the interim policies, procedures, and guidelines developed under this subchapter.
(B)(i)At any time after certification is submitted under subparagraph (A), the President may designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process as described in paragraph (1) in addition to the capability and process developed under such paragraph by the Secretary of Homeland Security, if, not fewer than 30 days before making such designation, the President submits to Congress a certification and explanation that—
(I)such designation is necessary to ensure that full, effective, and secure operation of a capability and process for the Federal Government to receive from any non-Federal entity cyber threat indicators or defensive measures under this subchapter;
(II)the designated appropriate Federal entity will receive and share cyber threat indicators and defensive measures in accordance with the policies, procedures, and guidelines developed under this subchapter, including subsection (a)(3)(A); and
(III)such designation is consistent with the mission of such appropriate Federal entity and improves the ability of the Federal Government to receive, share, and use cyber threat indicators and defensive measures as authorized under this subchapter.
(ii)If the President designates an appropriate Federal entity to develop and implement a capability and process under clause (i), the provisions of this subchapter that apply to the capability and process required by paragraph (1) shall also be construed to apply to the capability and process developed and implemented under clause (i).
(3)The Secretary of Homeland Security shall ensure there is public notice of, and access to, the capability and process developed and implemented under paragraph (1) so that—
(A)any non-Federal entity may share cyber threat indicators and defensive measures through such process with the Federal Government; and
(B)all of the appropriate Federal entities receive such cyber threat indicators and defensive measures in real time with receipt through the process within the Department of Homeland Security consistent with the policies and procedures issued under subsection (a).
(4)The process developed and implemented under paragraph (1) shall ensure that other Federal entities receive in a timely manner any cyber threat indicators and defensive measures shared with the Federal Government through such process.
(d)(1)The provision of cyber threat indicators and defensive measures to the Federal Government under this subchapter shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
(2)Consistent with section 1503(c)(2) of this title and any other applicable provision of law, a cyber threat indicator or defensive measure provided by a non-Federal entity to the Federal Government under this subchapter shall be considered the commercial, financial, and proprietary information of such non-Federal entity when so designated by the originating non-Federal entity or a third party acting in accordance with the written authorization of the originating non-Federal entity.
(3)A cyber threat indicator or defensive measure shared with the Federal Government under this subchapter shall be—
(A)deemed voluntarily shared information and exempt from disclosure under section 552 of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records; and
(B)withheld, without discretion, from the public under section 552(b)(3)(B) of title 5 and any State, tribal, or local provision of law requiring disclosure of information or records.
(4)The provision of a cyber threat indicator or defensive measure to the Federal Government under this subchapter shall not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
(5)(A)Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(i)a cybersecurity purpose;
(ii)the purpose of identifying—
(I)a cybersecurity threat, including the source of such cybersecurity threat; or
(II)a security vulnerability;
(iii)the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
(iv)the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(v)the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—
(B)Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall not be disclosed to, retained by, or used by any Federal agency or department for any use not permitted under subparagraph (A).
(C)Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall be retained, used, and disseminated by the Federal Government—
(i)in accordance with the policies, procedures, and guidelines required by subsections (a) and (b);
(ii)in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
(I)personal information of a specific individual; or
(II)information that identifies a specific individual; and
(iii)in a manner that protects the confidentiality of cyber threat indicators containing—
(I)personal information of a specific individual; or
(II)information that identifies a specific individual.
(D)(i)Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this subchapter shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
(ii)(I)Cyber threat indicators and defensive measures provided to the Federal Government under this subchapter may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
(II)Clause (i) shall not apply to procedures developed and implemented under this subchapter.
Reference
Citations & Metadata
Citation
6 U.S.C. § 1504
Title 6 — Domestic Security
Last Updated
Apr 3, 2026
Release point: 119-73not60