Tribal-ISAC, I previously shared a post (copied below) with information sharing references. One of the links (for CISA 2015) seems to be 'hit or miss'. DHS is looking at that. So, the PDF is also attached here.

Previous post follows...

Good morning, Tribal-ISAC. From time to time, I have the conversation of 'legal won't let us share anything' with folks. Here are two good references to help assuage those pesky lawyers...

- CISA 2015 (legislation, not DHS's CISA org, even though this also impacts that org...) https://us-cert.cisa.gov/sites/default/files/ais_files/Privacy_and_Civil_Liberties_Guidelines.pdf ‘Congress designed CISA to create a voluntary cybersecurity information sharing process that will encourage public and private entities to share cyber threat information while protecting classified information, intelligence sources and methods, and privacy and civil liberties.’

- When GDPR came out, the FS-ISAC led development of this report to basically say, 'hey, share threat info, that's not impacted by GDPR'. The main guy on this is a lawyer, and a long-time FS leader. https://www.fsisac.com/hubfs/5442200/Resources/FS-ISAC_Threat_Information_Sharing_and_GDPR.pdf