US Code

Public Law 119-73 (01/23/2026)

6 U.S.C. § 1506

Oversight of government activities

(a)

Report on implementation

(1)

In general

Not later than 1 year after , the heads of the appropriate Federal entities shall jointly submit to Congress a detailed report concerning the implementation of this subchapter.

(2)

Contents

The report required by paragraph (1) may include such recommendations as the heads of the appropriate Federal entities may have for improvements or modifications to the authorities, policies, procedures, and guidelines under this subchapter and shall include the following:
(A)
section 1504(c) of this title An evaluation of the effectiveness of real-time information sharing through the capability and process developed under , including any impediments to such real-time sharing.
(B)
An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C)
section 1504(c) of this title The number of cyber threat indicators or defensive measures received through the capability and process developed under .
(D)
A list of Federal entities that have received cyber threat indicators or defensive measures under this subchapter.
(b)

Biennial report on compliance

(1)

In general

Not later than 2 years after and not less frequently than once every 2 years thereafter, the inspectors general of the appropriate Federal entities, in consultation with the Inspector General of the Intelligence Community and the Council of Inspectors General on Financial Oversight, shall jointly submit to Congress an interagency report on the actions of the executive branch of the Federal Government to carry out this subchapter during the most recent 2-year period.

(2)

Contents

Each report submitted under paragraph (1) shall include, for the period covered by the report, the following:
(A)
An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.
(B)
An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.
(C)
A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this subchapter, including a review of the following:
(i)
The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.
(ii)
Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.
(D)
An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this subchapter, including the following:
(i)
section 1504(c) of this title The number of cyber threat indicators or defensive measures shared through the capability and process developed under .
(ii)
1
1 So in original. Probably should be capitalized.
1 An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information identifying a specific individual and was shared by a non-Federal government  entity with the Federal government  in contravention of this subchapter, or was shared within the Federal Government in contravention of the guidelines required by this subchapter, including a description of any significant violation of this subchapter.
(iii)
section 1504(d)(5)(A) of this title The number of times, according to the Attorney General, that information shared under this subchapter was used by a Federal entity to prosecute an offense listed in .
(iv)
section 1504(b)(3)(E) of this title A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by .
(v)
The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this subchapter on the privacy and civil liberties of United States persons.
(E)
An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.
(3)

Recommendations

Each report submitted under this subsection may include such recommendations as the inspectors general may have for improvements or modifications to the authorities and processes under this subchapter.

(c)

Independent report on removal of personal information

Not later than 3 years after , the Comptroller General of the United States shall submit to Congress a report on the actions taken by the Federal Government to remove personal information from cyber threat indicators or defensive measures pursuant to this subchapter. Such report shall include an assessment of the sufficiency of the policies, procedures, and guidelines established under this subchapter in addressing concerns relating to privacy and civil liberties.

(d)

Form of reports

Each report required under this section shall be submitted in an unclassified form, but may include a classified annex.

(e)

Public availability of reports

The unclassified portions of the reports required under this section shall be made available to the public.

Pub. L. 114–113, div. N, title I, § 107129 Stat. 2951(, , .)