<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Ben,<br>
<br>
Good catch on the new Act.<br>
<br>
You and others might find the attached blog and the<br>
linked material useful. Although this material is<br>
directed significantly at the OASIS CTI and the CIS<br>
Critical Security Controls, many provisions of the<br>
Act - including others you didn't include - could<br>
encompass EVcerts as well. Among other things,<br>
the Forum might want to have more visibility among<br>
those charged with implementing the provisions<br>
pursuant to the depicted timeline.<br>
<br>
Because it's difficult to find a complete, readable<br>
copy of the Act, I've included one for reference.<br>
Note that many of the Title II provisions in amending<br>
the Homeland Security Act of 2002, as amended,<br>
effect a composite that is itself far reaching and<br>
go beyond just the Federal government.<br>
<br>
It is a real pity that Ballot 158 failed. Incredibly<br>
short-sighted in light of the needs in the defensive<br>
measures ecosystem.<br>
<br>
best,<br>
tony<br>
<br>
<div class="moz-cite-prefix">On 2016-01-07 11:24 AM, Ben Wilson
wrote:<br>
</div>
<blockquote
cite="mid:cac8ffb5f9af493bae431b81ce5b9776@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Security Information Sharing Working Group:<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Good news. On December 18, 2015, President Obama
signed into law the Cybersecurity Act of 2015. Sections
104, 105 and 106 of the Act are the ones most relevant to
our work. They are titled as follows:<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Sec. 104. Authorizations for preventing,
detecting, analyzing, and mitigating cybersecurity threats.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Sec. 105. Sharing of cyber threat indicators and
defensive measures with the Federal Government.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Sec. 106. Protection from liability.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Subsection 104(c)(1) of the Cybersecurity Act of
2015 recognizes the right of private entities to share cyber
threat indicators and defensive measures for a cybersecurity
purpose. [Section 102(4) defines “cybersecurity purpose” as
“the purpose of protecting an information system or
information that is stored on, processed by, or transiting
an information system from a cybersecurity threat or
security vulnerability.”]<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""> Subsection 104(d)(1) requires that the
information be adequately protected, and more specifically,
subsection 104(d)(2) requires that prior to sharing, the
entity must (A) “review such cyber threat indicator to
assess whether such cyber threat indicator contains any
information not directly related to a cybersecurity threat
that the non-Federal entity knows at the time of sharing to
be personal information of a specific individual or
information that identifies a specific individual and remove
such information” and (B) “implement and utilize a technical
capability configured to remove any information not directly
related to a cybersecurity threat that the non-Federal
entity knows at the time of sharing to be personal
information of a specific individual or information that
identifies a specific individual.”<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">If shared with a governmental entity, exemptions
within section 104 of the Cybersecurity Act are found in:
subsection (d)(4)(B)(ii) – exempt from local freedom of
information law, open government law, open meetings law,
open records law, sunshine law, or similar law requiring
disclosure of information or records; subsection
(d)(4)(C)(i) – exempt from action when following “mandatory
standards, including an activity relating to monitoring,
operating a defensive measure, or sharing of a cyber threat
indicator”; and subsection (e) – not a violation of any
provision of antitrust laws “for 2 or more private entities
to exchange or provide a cyber threat indicator or defensive
measure, or assistance relating to the prevention,
investigation, or mitigation of a cybersecurity threat, for
cybersecurity purposes.”<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">Section 106(a) protects entities from liability
when “monitoring” a system. Section 106(b) protects
entities from liability when sharing or receiving
information, and if it is shared with the federal
government, then if such sharing complies with section 105.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New""><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:10.0pt;font-family:"Courier
New"">I’m not addressing section 105 (sharing with the
federal government) here; that can be addressed separately
if/when it arises.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="line-height:1%;font-family:"Arial
Narrow","sans-serif";color:#B82630">________________________________
<strong></strong></p>
<p style="line-height:1%;font-size:12.0pt;font-family:"Arial
Narrow","sans-serif";color:#B82630"><strong>Anthony
Michael Rutkowski</strong>
</p>
<p style="line-height:1%;font-size:10.0pt;font-family:"Arial
Narrow","sans-serif";color:#CFA043">EVP, Industry
Standards & Regulatory Affairs
</p>
<p style="line-height:1%;'color:#0563C1'"><a
href="mailto:tony@yaanatech.com">tony@yaanatech.com</a>
</p>
<p style="line-height:1%;'color:#0563C1'"><a
href="tel:+1%20703%20999%208270">+1 703 999 8270 </a>
</p>
<p style="line-height:1%;font-family:"Arial
Narrow","sans-serif";color:#B82630">________________________________
<strong></strong></p>
<p
style="line-height:1%;font-size:12.0pt;font-family:"Arial","sans-serif";color:#B82630"><strong>Yaana
Technologies LLC </strong>
</p>
<p style="line-height:1%;font-size:8.0pt;font-family:"Arial
Narrow","sans-serif"">
</p>
<p style="line-height:1%;font-family:"Arial
Narrow","sans-serif";color:black">542 Gibraltar
Drive
</p>
<p style="line-height:1%;font-family:"Arial
Narrow","sans-serif";color:black">Milpitas CA
95035 USA
</p>
</div>
</body>
</html>