The IT Law Wiki

Citation[]

Cybersecurity Act of 2015, Pub. L. No. 114-113 (Dec. 18, 2015) (full-text).

Overview[]

On December 18, 2015, President Obama signed into law the Cybersecurity Act of 2015. The Act, claimed by many commentators to be "the most significant piece of federal cyber-related legislation enacted to date"[1]:

establishes a mechanism for cybersecurity information sharing among private-sector and federal government entities. It also provides safe harbors from liability for private entities that share cybersecurity information in accordance with certain procedures, and it authorizes various entities, including outside the federal government, to monitor certain information systems and operate defensive measures for cybersecurity purposes. The Act also contains provisions designed to bolster cybersecurity protections at federal agencies, assess the federal government's cybersecurity workforce, and implement a range of measures intended to improve the cybersecurity preparedness of critical information systems and networks.[2]

The Act contains four titles:

  • Title I — Cybersecurity Information Sharing Act of 2015 (CISA) — establishes a centralized mechanism for cybersecurity information sharing.
  • Title II — National Cybersecurity Advancement (containing
    • Subtitle A, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA)
    • Subtitle B, the Federal Cybersecurity Enhancement Act of 2015 (FCEA)) — instructs DHS to take measures designed to strengthen cybersecurity in the federal government and at federal agencies, as well as to facilitate the implementation of Title I.
  • Title III — Federal Cybersecurity Workforce Assessment Act of 2015 (FCWAA) — calls for a cybersecurity-focused assessment of the federal workforce.
  • Title IV — Changes to Access Device Liability Outside of the United States and Other Cyber Matteres provides for other measures intended to identify and address threats to critical information systems and networks.

Absent changes, the Act will stay in effect for 10 years, sunseting on September 30, 2025.

References[]

  1. Sullivan & Cromwell, "The Cybersecurity Act of 2015" (Dec. 22, 2015) (full-text)
  2. Id.