Major agencies following cyber info-sharing policies, GAO finds
A Government Accountability Office audit of seven major federal agencies found that they have all put in place policies, procedures and guidelines around the removal of personal information from cyber threat indicator sharing programs that meet requirements established in the 2015 Cybersecurity Information Sharing Act.
That law set out eight principles around fair information practices designed to minimize exposure of and remove "personal information or information that identifies a specific person not directly related to a cybersecurity threat" in information sharing programs like Automated Indicator Sharing. Those principles include transparency around collection practices, seeking consent for such collection down to the individual level if practicable, articulating relevant authorities to collect personal data and putting in place appropriate safeguards to protect it.
The Departments of Homeland Security, Justice, Defense, Commerce, Energy, Treasury and the Office of the Director of National Intelligence were all found to have put in place "policies, procedures, and guidelines that met the eight CISA provisions relevant to the removal of personal information from cyber threat indicators and defensive measures," according to a letter sent to the Senate and House Intelligence Committees by Nick Marinos, director of cybersecurity and data protection issues at GAO.