Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.
Defines “cyber threat intelligence” as intelligence in the possession of an element of the intelligence community directly pertaining to:
(1) a vulnerability of a system or network of a government or private entity or utility;
(2) a threat to the integrity, confidentiality, or availability of such a system or network or any information stored on, processed on, or transiting such a system or network;
(3) efforts to deny access to or degrade, disrupt, or destroy such a system or network; or
(4) efforts to gain unauthorized access to such a system or network, including for the purpose of exfiltrating information.
Excludes intelligence pertaining to efforts to gain unauthorized access to such a system or network that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
Requires the Director of National Intelligence (DNI) to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and utilities, and (2) encourage the sharing of such intelligence.
Requires the procedures established to ensure that such intelligence is only:
(1) shared with certified entities or a person with an appropriate security clearance;
(2) shared consistent with the need to protect U.S. national security;
(3) used in a manner that protects such intelligence from unauthorized disclosure; and
(4) used, retained, or further disclosed by a certified entity for cybersecurity purposes.
Provides guidelines for the granting of security clearance approvals to certified entities or officers, employees, or independent contractors of such entities.
Prohibits a certified entity receiving such intelligence from further disclosing the information to any entity other than another certified entity or a federal agency authorized to receive such intelligence.
Authorizes a cybersecurity provider, with the express consent of a protected entity (an entity that contracts with a cybersecurity provider), to:
(1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and
(2) share cyber threat information with any other entity designated by the protected entity, including, if specifically designated, the DHS and DOJ entities designated by the President.
Provides cybersecurity system use and threat information sharing authority to self-protected entities.
Sets forth requirements with respect to the use and protection of shared information, including anonymization or minimization of such information and a prohibition on the use of such information to gain a competitive advantage. If such information is shared with the federal government, exempts it from public disclosure and prohibits its use for regulatory purposes. Specifies that a non-federal recipient may only use such information for a cybersecurity purpose.
Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity, or a cybersecurity provider acting in good faith under the above circumstances.
Prohibits such shared information requirements from being construed to provide new authority to:
(1) a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, or
(2) a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity.
Allows the federal government to use shared cyber threat information for:
(1) cybersecurity purposes to ensure the integrity, confidentiality, availability, or safeguarding of a system or network;
(2) the investigation of cybersecurity crimes; or
(3) the protection of individuals from the danger of death or serious bodily harm and the prosecution of crimes involving such dangers (including the protection of minors from child pornography, sexual exploitation, kidnapping, and trafficking).
Prohibits the federal government from affirmatively searching such information for any other purpose.
Prohibits the federal government from using certain personally identifiable information shared from sensitive personal documents such as library records, firearms sales records, educational records, tax returns, and medical records. Requires a federal agency receiving information that is not cyber threat information to so notify the entity or provider of such information. Prohibits federal agencies from retaining shared information for any unauthorized use.
Outlines federal government liability for violations of restrictions on the disclosure, use, and protection of voluntarily shared information.
Preempts any state statute that restricts or otherwise regulates specified activity authorized by this Act.
States that nothing in this section shall be construed to:
(1) provide additional authority to, or modify existing authority of, any element of the intelligence community to control or direct the cybersecurity efforts of a private-sector entity or a component of the federal government or a state, local, or tribal government;
(2) limit or affect existing information sharing relationships of the federal government;
(3) preclude the federal government from requiring an entity to report significant cyber incidents under another provision of law; or
(4) provide additional authority to, or modify existing authority of, any entity to use a cybersecurity system owned or controlled by the federal government on a private-sector system or network to protect the latter system or network.
Prohibits this section from being construed to authorize the DOD, National Security Agency (NSA), or any other intelligence community element to target a U.S. person for surveillance.