DoD Has Been Slow to Implement 2015 Cyber Information Sharing Law

Published: November 15, 2018

Topics: Critical Infrastructure Protection | Cybersecurity | Defense | Policy and Legislation

Nearly three years after Congress passed a key cyber information sharing law, a Department of Defense review shows that little progress has been made.

In December 2015, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA) as part of an FY 2016 omnibus appropriations bill. CISA requires DoD agencies to develop plans and procedures for sharing cyber threat indicators with civilian and non-governmental entities. Congress designed CISA to encourage public and private sector entities to share cyber threat indicators and defensive measures while protecting classified information, intelligence sources and methods, and privacy.

Recently the DoD Inspector General (IG) released a report assessing the implementation of CISA requirements by four DoD Components—the National Security Agency (NSA), Defense Information Systems Agency (DISA), DoD Cyber Crime Center (DC3), and U.S. Cyber Command (USCYBERCOM).

These assessments, which CISA itself requires, are meant to determine whether the DoD had sufficient policies and procedures in place for sharing cyber threat indicators or defensive measures; whether the DoD verified the security clearances of private sector individuals authorized to share information; whether sharing was done in a timely manner and with irrelevant personally identifiable information (PII) removed; and whether the DoD assessed and mitigated any barriers to sharing.

Limited Progress

The IG found that the DoD has taken only limited action to implement the CISA requirements for sharing cyber threat indicators and defensive measures within the DoD and with other Federal and non-Federal entities, leading to inconsistent implementation across the Components.

  • Policies and Procedures – The NSA and DC3 had sufficient agency-level policies and procedures for sharing both unclassified and classified cyber threat indicators or defensive measures under CISA; however, DISA and USCYBERCOM did not.
  • Verification of Security Clearances – DC3 did not verify that all of the private sector individuals the IG sampled held an active security clearance authorizing access to the Defense Industrial Base Network-Unclassified (DIBNet-U) system before cyber threat indicators and defensive measures were shared with them through that system.
  • Review of Cyber Threat Indicators and Defensive Measures for Timely Sharing and Irrelevant PII – The NSA, DISA, and DC3 shared unclassified cyber threat indicators in a timely manner and without irrelevant PII.
  • Barriers to Sharing Cyber Threat Indicators and Defensive Measures – All four DoD Components reviewed verbally stated that they had barriers to sharing cyber threat indicators when asked; however, none of them documented those barriers or identified plans to mitigate those barriers.
  • No DoD-Wide Policy for Implementing CISA – The DoD CIO did not establish an overall DoD-wide policy for the implementation of CISA or require that the DoD Components comply with the CISA requirements.
  • The DoD Limited Its Ability to Share and Receive Cybersecurity Information – The inconsistent implementation of CISA by DoD Components limits DoD’s ability to gain a more complete understanding of increasing and persistent cybersecurity threats by leveraging the collective knowledge and capabilities of sharing entities.

Based on its findings, the IG made several recommendations, many of which were heavily redacted for national security reasons. At a high level, the IG recommended that the DoD issue department-wide policy on CISA implementation, including a requirement that the Component agencies "document barriers to sharing cyber threat indicators and defensive measures and take appropriate actions to mitigate the identified barriers."

Contractor Implications

The information sharing knife cuts both ways. The DoD's delay in fully implementing effective cyber information sharing puts both federal and supporting industry infrastructure and information at risk. Not only do DoD agencies fail to benefit fully from threat information others could provide, but outside organizations that do not receive DoD's indicators may unknowingly leave DoD information held on their own systems exposed.

Information sharing also affects competitiveness. Ongoing scrutiny of the DoD's implementation of CISA and related provisions will continue to raise the compliance bar for contractors in the DIB space. For example, DC3 shares unclassified cyber threat indicators and defensive measures with authorized users through the DIBNet-U portal (classified cyber threat information is shared electronically with DIB participants through a separate secret-level web portal). DC3 requires that every DIBNet-U user hold an active security clearance.

In its review the IG found that the DoD lacked internal controls over the sharing of cyber threat indicators and did not protect DIBNet-U from unauthorized access. As a result, some users obtained DIBNet-U access without their clearances having been verified. When notified of the discrepancies, DC3 removed access for the unverified users.

This is a simple example, but as government-wide cybersecurity policy matures and continues to emphasize the priority of, and requirement for, cyber information sharing, companies that do not (or cannot) effectively comply with such policies will find themselves unable to compete for federal contracts.