Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks. The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.
The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, to help protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. The more you share, the more everyone becomes informed, and the more we all prevent further damage from vicious cyber-attacks together!
Cybersecurity Information Sharing Act of 2015 Procedures and Guidance
Policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government's possession.
How AIS Works
AIS uses open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine communications. Using standards allows threat activity context such as tactics, techniques, and procedures, vulnerabilities, and courses of action to be shared through a communications protocol to and from participants.
AIS uses a server/client architecture for communications. AIS participants connect to AIS with a STIX/TAXII client (which can be built or bought from commercial vendors) to exchange cyber threat indicators and defensive measures with CISA and, in turn, other AIS participants via the AIS TAXII Server. CISA respects organizational privacy; AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the prior express consent of the submitter.
In the future, CISA intends to provide additional AIS features to allow participants to identify the most operationally relevant indicators. As CISA receives participant feedback, it will continue to perform updates to make AIS as useful and relevant to the community as possible. Please send any feedback to email@example.com.
The Cybersecurity Information Sharing Act of 2015
CISA is the designated hub for the sharing of cyber threat indicators and defensive measures between the federal government and private sector pursuant to the Cybersecurity Information Sharing Act of 2015 (CISA 2015). This law grants liability protection, privacy protections, and other protections to organizations that share cyber threat indicators and defensive measures through AIS in accordance with the Act’s requirements. As mandated by CISA 2015, DHS certified the operation of AIS in March 2016 and released guidance, in conjunction with the Department of Justice, to help private sector entities share cyber threat indicators with the Federal Government. This guidance, as well as other guidance published pursuant to the Act, can be found on the Cybersecurity Information Sharing Act of 2015 Procedures and Guidance Documentation Page and can also be found with the rest of the AIS documents on the AIS Documentation Page.
AIS offers anonymity, as well as liability and privacy protections, to encourage the submission of cyber threat indicators and defensive measures.
CISA 2015 grants liability protection to organizations sharing and receiving cyber threat indicators and defensive measures, provided sharing is done in accordance with all the Act’s requirements. Liability protection applies to the following sharing arrangements, if the sharing is otherwise conducted in accordance with the Act:
- Non-federal entities (private sector entities, SLTT governments, international partners, ISACs/ISAOs) sharing with other non-federal organizations
- Non-federal entities sharing with CISA and other federal agencies through AIS. *
CISA has taken careful measures to ensure appropriate privacy and civil liberties protections are fully implemented in AIS and are regularly tested. CISA has published a Privacy Impact Assessment of AIS, which can be found on AIS Documentation Page.
To ensure that personally identifiable information (PII) is protected, AIS has processes that:
- Perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
- Incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
- Minimize the amount of data included in a cyber threat indicator to information that is directly related to a cyber threat;
- Retain only information needed to address cyber threats; and
- Ensure any information collected is used only for network defense or limited law enforcement purposes.
All cyber threat indicators and defensive measures submitted through AIS by non-federal entities afforded the additional protections when the sharing is done in accordance with all requirements of CISA 2015, including:
- Exemption from anti-trust laws;
- Exemption from federal, state, tribal, and local disclosure laws;
- Exemption from certain state and federal regulatory uses;
- No waiver of privilege for shared material;
- Treated as commercial, financial, and proprietary information when so designated; and
- Not subject to any executive branch rules or judicial doctrine regarding ex parte communications with a decision-making official.**
* Federal organizations do not receive liability protection when sharing with one another, but some aspects of CISA 2015 apply (e.g., privacy requirements when sharing cyber threat indicators).
** For more information regarding the other protections under the Cybersecurity Information Sharing Act of 2015, see the Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015.
How to Participate in AIS
AIS is a free service. To participate, please complete the following steps:
- Contact firstname.lastname@example.org for engagement information and email@example.com for technical assistance during your onboarding.
- Acquire a STIX/TAXII capability: use an open source TAXII client, provided by DHS or others in the community (e.g., ISACs, ISAOs), or obtain access via a commercial solution.
- Get a PKI certificate from a Federal Bridge Certificate Authority (you may need to purchase if you do not have one already).
- Sign an Interconnection Agreement and provide your IP address to CISA.
Other Ways to Connect: ISACs, ISAOs, Threat Providers
CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.
Commercial providers offer AIS data to existing subscribers at no extra cost:
- Looking Glass
- Perch Security
- Sumo Logic
- Centripetal Networks
- Recorded Future
ISACS/ISAOs also offer AIS data to existing members via ISAC/ISAO provided automated data connections**:
- Health ISAC (H-ISAC)
- Multi-State ISAC (MS-ISAC)
- Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
- Water ISAC (W-ISAC)
- Financial Services ISAC (FS-ISAC)
- Aviation ISAC (A-ISAC)
- Information Technology ISAC (IT-ISAC)
- Research Education Networking ISAC (REN-ISAC)
- Retail and Hospitality ISAC
- Maritime Transportation System ISAC (MTS-ISAC)
- Downstream Natural Gas ISAC (DNG-ISAC)
**Other ISACS do receive AIS data but might not offer a member CTI feed connection and therefore do not distribute AIS data.
How to Share CTIs and DMs
CISA highly encourages AIS participants to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection. Information on how to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection is found in the AIS Submission Guidance document.
CISA will also conduct conference calls or webinars with companies that have questions about the on-boarding requirements or receiving, using, or sharing indicators and defensive measures. Engagement requests can be sent to firstname.lastname@example.org.
Other opportunities to share cyber threat information with CISA, including cyber threat indicators and defensive measures potentially subject to the protections of CISA 2015 described above, include using the Share indicators and defensive measures submission form or other available reporting methods listed on the Report Cyber Issue page.
AIS Documents for More Information
See the AIS Documentation Page for copies of the following Automated Indicator Sharing (AIS) related documents:
AIS Fact Sheet: AIS program overview document (2 pages).
The AIS Frequently Asked Questions (FAQ): The FAQ provides a list of frequently asked questions and answers from stakeholders to assist new participants in understanding how Automated Indicator Sharing (AIS) is implemented.
AIS Privacy Impact Assessment: Privacy Impact Assessment for the Automated Indicator Sharing (AIS) Program.
AIS Federal Multilateral Information Sharing Agreement (MISA): The purpose of this cross-government Multilateral Information Sharing Agreement (MISA), herein referred to as the “Agreement,” is to enhance cybersecurity information sharing among federal agencies in order to better protect the United States from malicious cyber actors in a manner that is fully consistent with the Constitution and laws of the United States, Executive Orders and other Executive Branch directives and policies, court orders, and all other legal, policy, and oversight requirements.
Cybersecurity Information Sharing Act of 2015: Cybersecurity Information Sharing Act of 2015 Original Act from the Government Printing Office.
AIS Interconnection Agreement - The Interconnect Agreement describes general responsibilities on both sides of the sharing relationship to ensure the Trusted Automated Exchange of Intelligence Information (TAXII) connectivity is properly secured and CISA knows who to contact regarding, e.g., maintenance windows or suspicious activity on the CISA-owned TAXII server. Please complete this with Point of Contact information so we can engage with the right security staff on your team.
Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist non-Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015
Federal Government Sharing Guidance under the Cybersecurity Information Sharing Act of 2015: Guidance to assist Federal entities to share Cyber Threat Indicators and Defensive Measures with Federal entities under the Cybersecurity Information Sharing Act of 2015
Privacy and Civil Liberties Guidelines under the Cybersecurity Information Sharing Act of 2015: Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015
Final Operational Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government: Consistent with section 105(a)(2) and (3) of the Cybersecurity Information Sharing Act of 2015 (CISA), this document establishes procedures relating to the receipt of cyber threat indicators and defensive measures by all federal entities under CISA. It describes the processes for receiving, handling, and disseminating information that is shared with DHS pursuant to section 104(c) of CISA, including through operation of the DHS Automated Indicator Sharing capability under section 105(c) of CISA. It also states and interprets the statutory requirements for all federal entities that receive cyber threat indicators and defensive measures under CISA to share them with other appropriate federal entities.
AIS Submission Guidance: The Submission Guidance provides details for crafting cyber threat indicators in Structured Threat Information Expression (STIX) format, along with explanation of how to use Traffic Light Protocol (TLP). In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. In addition, there are several examples of STIX indicators attached.
AIS Submission Guidance Appendix A (AIS STIX Profile): In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. The fields present in this document are the only fields accepted as part of the AIS STIX profile. Other STIX fields not present in this document are disallowed by AIS.
AIS Brokering Between the Non-Federal Entities Sharing Community and the Federal Entities Sharing Community – (For AIS federal customers) The AIS Brokering Document provides significant detail on the brokering functions provided by DHS, and provides additional guidance and examples specifically for federal entities to mark information with ACS markings they intend to share with the non-federal and federal entities via AIS.
AIS ACS Marking Guidance – (For AIS federal customers) This document is intended for federal sharing community readers who have some familiarity with AIS, STIX, and xml and wish to create and mark STIX documents in xml for sharing with AIS.
Visit the AIS Documentation Page to view these, and other, AIS documents.