View all text of Subchapter I [§ 1500 - § 1510]

§ 1506. Oversight of government activities
(a) Report on implementation
(1) In general
(2) ContentsThe report required by paragraph (1) may include such recommendations as the heads of the appropriate Federal entities may have for improvements or modifications to the authorities, policies, procedures, and guidelines under this subchapter and shall include the following:
(A) An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 1504(c) of this title, including any impediments to such real-time sharing.
(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C) The number of cyber threat indicators or defensive measures received through the capability and process developed under section 1504(c) of this title.
(D) A list of Federal entities that have received cyber threat indicators or defensive measures under this subchapter.
(b) Biennial report on compliance
(1) In general
(2) ContentsEach report submitted under paragraph (1) shall include, for the period covered by the report, the following:
(A) An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.
(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C) A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this subchapter, including a review of the following:
(i) The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.
(ii) Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.
(D) An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this subchapter, including the following:
(i) The number of cyber threat indicators or defensive measures shared through the capability and process developed under section 1504(c) of this title.
(ii) An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information identifying a specific individual and was shared by a non-Federal government 1
1 So in original. Probably should be capitalized.
entity with the Federal government 1 in contravention of this subchapter, or was shared within the Federal Government in contravention of the guidelines required by this subchapter, including a description of any significant violation of this subchapter.
(iii) The number of times, according to the Attorney General, that information shared under this subchapter was used by a Federal entity to prosecute an offense listed in section 1504(d)(5)(A) of this title.
(iv) A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by section 1504(b)(3)(E) of this title.
(v) The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this subchapter on the privacy and civil liberties of United States persons.
(E) An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.
(3) Recommendations
(c) Independent report on removal of personal information
(d) Form of reports
(e) Public availability of reports
(Pub. L. 114–113, div. N, title I, § 107, Dec. 18, 2015, 129 Stat. 2951.)