Summary administration priorities for CISA



include language, such as “detects,” that overlaps with the definition of monitoring in the definition of a defensive measure.

4) Privacy Scrub



Private Sector Requirement: The Administration supports requiring private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. The Administration supports language in Section 203(i)(3)(C) of H.R. 1560 or, alternatively, in Section 103(d)(2) of H.R. 1560 that requires companies to take “reasonable efforts” to remove personal information unrelated to a cyber threat.



Government Requirement: The Administration supports real-time sharing amongst Federal agencies with appropriate privacy protections. Such sharing must preserve the government’s ability to remove or redact personal information that is unrelated to a cybersecurity threat. As such, the Administration strongly prefers S. 754’s formulation, which allows cyber threat indicators to be modified pursuant to protocols developed by relevant agencies.



Proprietary Restriction: Language that allows a sharing entity to designate cyber threat indicators as proprietary will complicate information sharing within the government and from the government to the private sector. It could put the government in the position of knowing about a threat and not being able to share information about it. For instance, were a sharer to deem a technical indicator as proprietary, the government could be prohibited from further anonymizing such indicator and sharing it with other private entities to help them protect their systems from a threat. It could also confuse private sector entities if they label a particular indicator as proprietary, but the government already had received that particular indicator from another independent source. The Administration proposes that any final language include a provision that appropriately protects proprietary information in a manner that does not inhibit the government’s legitimate use of cyber threat indicators.



Recommended text: “Consistent with section 104(c)(2) or [103(C)(2)], a cyber threat indicator or defensive measure provided by an entity to the Federal Government under this Act shall be considered by a private entity the commercial, financial, and proprietary information of such originating entity when so designated, consistent with applicable law and as otherwise appropriate, by the originating entity or a third party acting in accordance with the written authorization of the originating entity.”

6) Cyber Threat Intelligence Integration Center:

The complexity and pace of cyber threats require that we have a dedicated cadre of experts who can focus on integrating multiple intelligence analyses so that policymakers and operators can receive community-wide views on cyber threats in short order. The CTIIC will not replace the functions performed by existing departments, agencies, or government cyber centers. Instead, it is intended to support those entities’ missions – for example, the CTIIC will help ensure that indicators of malicious activity are downgraded to the lowest possible classification level to facilitate