Explainer: Congress Passed Three Different Information Sharing Bills. So What Now?

This year, Congress has passed three separate cybersecurity information sharing bills, all with different requirements, authorities, and protections. The House of Representatives passed two bills: the Homeland Security Committee bill, the National Cybersecurity Protection Advancement Act (NCPAA, H.R. 1560 Title II; originally H.R. 1731), with a vote of 355-63; and the Permanent Select Committee on Intelligence bill, the Protecting Cyber Networks Act (PCNA, H.R. 1560 Title I), with a vote of 30-116. While the two bills were considered and voted on separately, they were combined into one bill, with two distinct titles. The Senate also passed its own bill, the Select Committee on Intelligence’s Cybersecurity Information Sharing Act (CISA, S. 754).

In order for a new information sharing authorization to become law, an identical version of a single bill must be approved by each chamber of Congress. To that end, members of relevant Committees from each chamber will come together to negotiate a compromise bill that includes provisions from each of the three proposals.

No bill is perfect, but each has provisions that are better and worse than their counterparts. The below chart is a short one-page summary of the primary authorizations, requirements, and protections in each bill, and OTI’s assessment as to whether particular provisions in each bill are best, intermediate, or worst, as compared to their counterparts, and, where appropriate, a recommended standard in lieu of the provisions in each bill. A more detailed summary, which includes an assessment of additional provisions and bill citations, is available here.