Federal Policy Agenda
of the Cybersecurity Information Sharing Act
of 2015 should facilitate a risk-based strategy by promoting the sharing of
actionable cyberthreat information from government to industry, from industry to
government, and among private companies.
In developing the policies and procedures to implement the Act’s information
sharing requirements, the Administration should protect the privacy of data. TechNet members are encouraged to participate
in the program as it is implemented.
- The U.S. government should share cyberthreat information with the private sector in a
timely and actionable manner. The current process does not provide companies with
actionable, accurate, and timely information.
- A comprehensive risk-based cybersecurity strategy should increase the security and
resiliency of all networks, and should prepare for and mitigate against cyberattacks
through the voluntary coordination of industry and government.
incentives should be used to encourage companies to actively manage risks in accordance
with industry standards and practices.
- Industry should be provided appropriate liability protections when participating in government cybersecurity
should be continued support for flexible, stakeholder-driven, risk management-based
approaches to cybersecurity as exemplified by the National Institute of Standards
and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This includes: promotion of voluntary industry adoption
of the Framework; promotion and/or requirement of adoption of the Framework by federal
agencies; and promotion of Framework-like approaches (flexible, stakeholder-driven,
risk management-based) with international partners.