Agencies are meeting the privacy-related provisions of the Cybersecurity Information Sharing Act of 2015, GAO has found.
It said that seven agencies have been involved in government-wide policies to help federal and nonfederal entities receive and share cybersecurity information, such as for defending against known or suspected cybersecurity threats or vulnerabilities. GAO said they have collectively met the act’s provisions in that area, as well as in defining roles of entities when sharing information and detailing processes for submitting, receiving, handling and disseminating cyber threat indicators and defensive measures.
The act also required GAO to review actions to remove personal information from cyber threat indicators when shared among federal and nonfederal entities. GAO determined the extent to which seven federal agencies designated by the act developed government-wide policies, procedures, and guidelines for the removal of personal information from cyber threat indicators.
It found that the guidance incorporates “fair information practice principles,” the widely accepted framework used in evaluating processes that affect individual privacy.