The U.S. Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP) enables actionable, relevant, and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure (CI) sectors. CISCP fosters this collaboration by leveraging the depth and breadth of DHS cybersecurity capabilities within a focused operational context. Through analyst-to-analyst sharing of threat and vulnerability information, CISCP helps partners manage cybersecurity risks and enhances our collective ability to proactively detect, prevent, mitigate, respond to, and recover from cybersecurity incidents. CISCP's overall objective is to build cybersecurity resiliency and to harden the defenses of the United States and its strategic partners.
Products and Briefings
CISCP membership provides access to DHS analysts, and to a broad suite of CISA Central services and CISCP products. These DHS resources help reduce the cyberspace attack surface of the United States and its strategic partners and support cybersecurity information exchange.
CISA Central Services
- Monthly Analyst to Analyst Webinars: Learn the specific actions to take to protect against emerging threats and vulnerabilities.
- Analyst to Analyst Technical Exchanges: Receive and share threat actor tactics, techniques, and procedures (TTPs) as well as emerging trends and themes.
- Digital Malware Analysis: Use CISA Central malware analysis reports to understand and mitigate threats and attack vectors.
- Cross Industry Orchestration: Learn lessons and share expertise with peers across all 16 CI sectors.
- CISCP Analytical Products: Receive analysis delivered through an exclusive and trusted partner portal.
- Automated Indicator Sharing: Distribute cybersecurity information bi-directionally using STIX and TAXII
- Operational Context: Collaborate and correlate threat intelligence and cybersecurity data to bring clarity
- Forum Post: Share emerging threats, warnings, and indicators of compromise (IOCs) via a trusted venue.
- Indicator Bulletins (IB): Provide frequent, timely, and actionable cyber threat information regarding IOCs and vulnerabilities derived from government sources and industry partners.
- Analysis Reports (AR): Tie together related threat and intruder activity; describing the activity in depth, how to detect it, defensive measures, and remediation advice.
- Joint Analysis Report: Collaborative reports that leverage the combined expertise and consensus of DHS and another federal entity (or entities) to define or identify cyber threats and vulnerabilities.
- Malware Initial Findings Report: Provide initial IOCs for computer network defense.
- Malware Analysis Report: Provide detailed descriptions of malware actions on an infected host and the associated code analysis with insight on the malware's specific TTPS.
- Joint Indicator Bulletins: Co-published between NCCIC and other federal entities and contain domain names and IP addresses associated with ongoing malicious activity.
Information shared among CISCP partners is governed using the Traffic Light Protocol (TLP), which empowers the submitter to determine the handling and dissemination of their information. For more on TLP, visit https://us-cert.gov/tlp.
- Freedom of Information Act (FOIA): NCCIC will not disclose any information that is exempt from disclosure under FOIA consistent with 5 USC 552(b), including but not limited to Exemption (b)(3) as specifically exempt from disclosure by statute, Exemption (b)(4) as trade secrets and commercial or financial information that is privileged or confidential, and Exemption (b)(7)(A)-(f) as records or information compiled for law enforcement purposes
- Cybersecurity Information Sharing Act (CISA): Stakeholders that share information with NCCIC are eligible for certain protections under CISA of 2015, if the stakeholder meets certain requirements. See detailed guidance at US-CERT.
- Protected Critical Infrastructure Information (PCII): Stakeholders that share information with NCCIC may invoke PCII protections, See detailed guidance at https://www.dhs.gov/pcii-program.
- Traffic-Light Protocol (TLP) and Homeland Security Information Network (HSIN): NCCIC adheres to TLP and any dissemination control markings clearly displayed by the parties on written documents containing cybersecurity information. Shared information is made available to the limited sharing community through HSIN. More information on TLP is available at https://www.us-cert.gov/TLP.
CISCP Membership Process
It is free to join and use the CISCP program. To become members, prospective partners sign a Cyber Information Sharing and Collaboration Agreement (CISCA), which enables DHS and its partners to exchange anonymized information. Once partners sign the agreement, DHS coordinates an on-boarding session to customize how DHS and the organization can exchange information
For more information on the CISCP program, visit http://www.dhs.gov/ciscp or email CISCP_Coordination@hq.dhs.gov. For more questions on this topic or CISA in general, please contact Central@cisa.gov. To report anomalous cyber activity and/or cyber incidents 24/7 email firstname.lastname@example.org or (888) 282-0870.