Answers to frequently asked questions about Information Sharing and Analysis Organizations.
What is an Information Sharing and Analysis Organization (ISAO)?
An ISAO is a group created to gather, analyze, and disseminate cyber threat information. Unlike ISACs, ISAOs are not directly tied to critical infrastructure sectors, as outlined in Presidential Policy Directive 21. Instead, ISAOs offer a more flexible approach to self-organized information sharing activities amongst communities of interest such as small businesses across sectors: legal, accounting, and consulting firms that support cross-sector clients, etc.
What is the ISAO Standards Organization?
Pursuant to Section 3 of Executive Order 13691, the ISAO Standards Organization is a non-governmental organization selected through an open and competitive process that will engage with existing information sharing organizations, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders to develop a set of voluntary standards and guidelines for the creation and functioning of ISAOs.
Who will serve as the Standards Organization?
The University of Texas at San Antonio (UTSA) with support from the Logistics Management Institute (LMI) and the Retail Cyber Intelligence Sharing Center (R-CISC) has been selected to serve as the ISAO Standards Organization.
How was the Standards Organization Selected?
The ISAO Standards Organization was selected through an open and competitive process. A public Notice of Funding Opportunity (NOFO) was posted to Grants.gov, where all interested entities were expected to submit an application by the deadline – July 17, 2015.
After an initial screening by DHS Grants and Financial Assistance Division to assure format and content compliance as per the NOFO, each proposal went through a review process. The criteria for the reviews were derived from Section E of the NOFO. The top scoring proposals went through a second review process by a different set of reviewers. The top scoring proposals from the second review were referred to DHS leadership for selection where one awardee was selected. Information on how to view the NOFO announcement can be found on the DHS ISAO Homepage.
How long is the award for?
This award is for up to 5 years.
Once standards are developed, what will be the role of the ISAO Standards Organization?
Once the Voluntary Standards are developed, the ISAO Standards Organization will lead several activities to continuously improve the rollout of the Executive Order. This includes assessing the progress and challenges of ISAOs in implementing voluntary standards, in order to assist ISAOs to overcome those challenges.
What role will DHS play in executing Executive Order 13691?
DHS has selected, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization. This ISAO Standards Organization will identify a set of voluntary guidelines for the creation and functioning of ISAOs through public, open-ended community engagement. The DHS National Cybersecurity and Communications Integration Center (NCCIC) will engage in continuous coordination with ISAOs who wish to collaborate in voluntary information sharing, while respecting privacy, civil rights, civil liberties, and other information security compliance principles. Also, in accordance with Section 6 of the executive order, DHS will develop a means for granting clearances to private sector individuals who are under a designated critical infrastructure protection program, as part of the National Industrial Security Program.
Why is government involved if this Executive Order is meant to stimulate industry information sharing?
In terms of standards development, DHS’s role was to identify a non-governmental organization that will independently gather the consensus best practices voiced by the private sector. DHS’s intent is to provide support and funding to enable consensus industry efforts, not to direct through regulation.
Why do we need a Standards Organization to outline ISAO best practices?
Currently, there is no transparent model that outlines best practices for the formation and operation of ISAOs. Many companies, even newly-formed ISACs, which are sector-based, have expressed a desire for best practices that would help them form a successful non-sector-based ISAO. The Standards Organization will help facilitate a transparent dialogue with industry members wishing to contribute to the development of information sharing models that are suitable for a variety of business needs and are not only sector-based.
How can my organization be involved in the standards development process?
UTSA routinely collaborates and solicits input via public, open-ended community engagement as described in Section 3 of the Executive Order. Organizations interested in participating should visit http://www.isao.org/ to stay apprised of those engagement sessions.
Does my organization need any special knowledge, staff, or security clearances to participate in standards development?
No, any organization or individual can participate in the standards development process, regardless of their cybersecurity knowledge, staffing levels, or security clearance status.
What will happen to the ISACs?
ISACs, which are actually a sector-based type of ISAO, are and will continue to be a vital piece of the U.S. information sharing effort. The expertise of existing ISACs will be vital during the ISAO standards development process. Once launched, the new ISAOs will be able to share information with ISACs, thus broadening each group’s information sharing network.
Membership in ISAOs is voluntary. Do any incentives exist in the private sector to promote interest in joining ISAOs?
The ability for a company to share and receive actionable cyber threat information with fellow industry groups, in order to protect their own networks, is an inherent benefit of participating in an ISAO. Increased and more timely awareness of cyber risks will allow companies to implement effective mitigations and reduce the frequency and impact of cyber incidents.