CBO Scores CISPA

The Cyber Intelligence Sharing and Protection Act (H.R. 624) would amend the National Security Act of 1947 to require the Director of National Intelligence (DNI) to establish procedures to promote the sharing of information about cyber threats between intelligence agencies and the private sector. The DNI also would be directed to establish guidelines for granting security clearances to employees of the private-sector entities with which the government shares such information. CBO estimates that implementing the bill would have a discretionary cost of $20 million over the 2014-2018 period, assuming appropriation of the necessary amounts. Enacting H.R. 624 could affect direct spending or revenues; therefore, pay-as-you-go procedures apply. However, CBO estimates that those effects would be insignificant for each year.

The bill would impose intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), by extending civil and criminal liability protection to entities and cybersecurity providers that share or use cyber threat information. The bill also would impose additional intergovernmental mandates on state governments by preempting state disclosure and liability laws. Because of uncertainty about the number of cases that would be limited and any forgone compensation that would result from compensatory damages, CBO cannot determine whether the costs of the mandate would exceed the annual threshold established in UMRA for private-sector mandates ($150 million in 2013, adjusted annually for inflation). However, CBO estimates that the aggregate costs of the mandates on public entities would fall below the threshold for intergovernmental mandates ($75 million in 2013, adjusted annually for inflation).