I think there may be some misunderstanding about the scope of SCISA. SCISA is a disclosure authority only. It does not deal with the use of the information that's collected by a recipient agency or with any downward disclosure of it to another agency. As long as the threshold in SCISA is met—as long as it's relevant to the national security jurisdiction or responsibilities of the recipient institution—it can be disclosed, but it always operates subject to any other law that limits disclosure.
For example, if there was something in the disclosing institution's operating legislation that prevented that, SCISA does not override it. It only deals with disclosure, and the threshold has to be met for disclosure to occur. It's up to the recipient. Whether it's proactively disclosed or by request, they have to make sure that they are authorized to collect it. Nothing changes their existing collection authorities. They may have a very stringent regime. They may need a warrant to collect it. That continues to apply. Also, how they use it has to be within their existing authorities. SCISA doesn't touch that.