Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the Cybersecurity and Infrastructure Agency (CISA) has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.
Traffic Light Protocol (TLP)
CISA uses the Traffic Light Protocol (TLP) according to the FIRST Standard Definitions and Usage Guidance. TLP was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). TLP only has four colors; any designations not listed in this standard are not considered valid by FIRST.
For more information, see cisa.gov/TLP.
Cyber Information Sharing and Collaboration Program (CISCP)
Cyber Information Sharing and Collaboration Program (CISCP) enables information exchange and the establishment of a community of trust between the Federal Government and critical infrastructure owners and operators. CISCP and its members can share cyber threat, incident, and vulnerability information in near real-time to collaborate and better understand cyber threats. By leveraging CISA Central, formerly known as the National Cybersecurity and Communications Integration Center (NCCIC), members can receive guidance on cyber-related threats to prevent, mitigate or recover from cyber incidents.
CISCP membership provides access to the full suite of CISA Central products and services to support information exchange. Upon receiving indicators of observed cyber threat activity from its members, CISCP analysts redact proprietary information and collaborate with both government and industry partners to produce accurate, timely, actionable data and analytical products.
Information Sharing and Analysis Centers (ISACs)
Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. While CISA Central works in close coordination with all of the ISACs, a few critical infrastructure sectors maintain a consistent presence within the NCCIC.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) receives programmatic support from and has been designated by DHS as the cybersecurity ISAC for state, local, tribal, and territorial (SLTT) governments. The MS-ISAC provides services and information sharing that significantly enhances SLTT governments’ ability to prevent, protect against, respond to and recover from cyberattacks and compromises. DHS maintains operational-level coordination with the MS-ISAC through the presence of MS-ISAC analysts in CISA Central to coordinate directly with its own 24x7 operations center that connects with SLTT government stakeholders on cybersecurity threats and incidents.
In addition to the MS-ISAC, representatives of the Communications ISAC maintain a presence at DHS through the NCCIC’s National Coordinating Center for Communications (NCC), with resident members from the nation’s major communications carriers on site. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Aviation Information Sharing and Analysis Center (A-ISAC) also maintain a presence within CISA Central
Information Sharing and Analysis Organizations (ISAOs)
Like Information Sharing and Analysis Centers (ISACs), the purpose of Information Sharing and Analysis Organizations (ISAOs) is to gather, analyze, and disseminate cyber threat information, like ISACs, ISAOs are sector-affiliated. Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing calls for the development of ISAOs in order to promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector.
ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations. ISAOs may be formed as for-profit or nonprofit entities.
DHS is responsible for the execution of Executive Order 13691. Its role is threefold: DHS will select, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization, which will identify a set of voluntary guidelines for the creation and functioning of ISAOs; DHS will engage in continuous, collaborative, and inclusive coordination with ISAOs via its NCCIC; and DHS will develop a more efficient means for granting clearances to private sector individuals who are members of an ISAO via a designated critical infrastructure protection program.
This new ISAO model complements DHS’s existing information sharing programs and creates an opportunity to expand the number of entities that can share threat information with the government and with each other, reaching those who haven’t necessarily had the opportunity to participate in such information sharing.
Automated Indicator Sharing
Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyber attacks. The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.
The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, to help protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. The more you share, the more everyone becomes informed, and the more we all prevent further damage from vicious cyber-attacks together!
How AIS Works
AIS uses open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Intelligence Information (TAXII™) for machine-to-machine communications. Using standards allows threat activity context such as tactics, techniques, and procedures, vulnerabilities, and courses of action to be shared through a communications protocol to and from participants.
AIS uses a server/client architecture for communications. AIS participants connect to AIS with a STIX/TAXII client (which can be built or bought from commercial vendors) to exchange cyber threat indicators and defensive measures with CISA and, in turn, other AIS participants via the AIS TAXII Server. CISA respects organizational privacy; AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the prior express consent of the submitter.
In the future, CISA intends to provide additional AIS features to allow participants to identify the most operationally relevant indicators. As CISA receives participant feedback, it will continue to perform updates to make AIS as useful and relevant to the community as possible. Please send any feedback to firstname.lastname@example.org.
The Cybersecurity Information Sharing Act of 2015
CISA is the designated hub for the sharing of cyber threat indicators and defensive measures between the federal government and private sector pursuant to the Cybersecurity Information Sharing Act of 2015 (CISA 2015). This law grants liability protection, privacy protections, and other protections to organizations that share cyber threat indicators and defensive measures through AIS in accordance with the Act’s requirements. As mandated by CISA 2015, DHS certified the operation of AIS in March 2016 and released guidance, in conjunction with the Department of Justice, to help private sector entities share cyber threat indicators with the Federal Government. This guidance, as well as other guidance published pursuant to the Act, can be found on https://www.cisa.gov/automated-indicator-sharing-ais
AIS offers anonymity, as well as liability and privacy protections, to encourage the submission of cyber threat indicators and defensive measures.
CISA 2015 grants liability protection to organizations sharing and receiving cyber threat indicators and defensive measures, provided sharing is done in accordance with all the Act’s requirements. Liability protection applies to the following sharing arrangements, if the sharing is otherwise conducted in accordance with the Act:
- Non-federal entities (private sector entities, SLTT governments, international partners, ISACs/ISAOs) sharing with other non-federal organizations
- Non-federal entities sharing with CISA and other federal agencies through AIS. *
* Federal organizations do not receive liability protection when sharing with one another, but some aspects of CISA 2015 apply (e.g., privacy requirements when sharing cyber threat indicators).
CISA has taken careful measures to ensure appropriate privacy and civil liberties protections are fully implemented in AIS and are regularly tested. CISA has published a Privacy Impact Assessment of AIS, which can be found on https://www.cisa.gov/automated-indicator-sharing-ais.
To ensure that personally identifiable information (PII) is protected, AIS has processes that:
- Perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
- Incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
- Minimize the amount of data included in a cyber threat indicator to information that is directly related to a cyber threat;
- Retain only information needed to address cyber threats; and
- Ensure any information collected is used only for network defense or limited law enforcement purposes.
All cyber threat indicators and defensive measures submitted through AIS by non-federal entities afforded the additional protections when the sharing is done in accordance with all requirements of CISA 2015, including:
- Exemption from anti-trust laws;
- Exemption from federal, state, tribal, and local disclosure laws;
- Exemption from certain state and federal regulatory uses;
- No waiver of privilege for shared material;
- Treated as commercial, financial, and proprietary information when so designated; and
- Not subject to any executive branch rules or judicial doctrine regarding ex parte communications with a decision-making official.**
** For more information regarding the other protections under the Cybersecurity Information Sharing Act of 2015, see the Non-Federal Entity Sharing Guidance under the Cybersecurity Information Sharing Act of 2015, available at https://www.cisa.gov/automated-indicator-sharing-ais.
How to Participate in AIS
AIS is a free service. To participate, please complete the following steps:
- Contact email@example.com for engagement information and firstname.lastname@example.org for technical assistance during your onboarding.
- Acquire a STIX/TAXII capability: use an open source TAXII client, provided by DHS or others in the community (e.g., ISACs, ISAOs), or obtain access via a commercial solution.
- Get a PKI certificate from a Federal Bridge Certificate Authority (you may need to purchase if you do not have one already).
- Sign an Interconnection Security Agreement and provide your IP address to CISA.
Other Ways to Connect: ISACs, ISAOs, Threat Providers
CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.
Commercial providers offer AIS data to existing subscribers at no extra cost.
1. Anomali https://www.anomali.com
2. Infoblox/IID https://www.infoblox.com
3. Looking Glass https://www.lookingglasscyber.com
4. Perch Security https://www.perchsecurity.com
5. ThreatConnect https://threatconnect.com/
6. ThreatQuotient https://www.threatq.com
7. Sumo Logic https://www.sumologic.com/ (Formerly Jask)
8. Centripetal Networks https://www.centripetalnetworks.com
9. Recorded Future https://www.recordedfuture.com/
10. Trustar https://www.trustar.co/
ISACS/ISAOs also offer AIS data to existing members via ISAC/ISAO provided automated data connections**:
Health ISAC (H-ISAC)
Multi-State ISAC (MS-ISAC)
Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
Water ISAC (W-ISAC)
Financial Services ISAC (FS-ISAC)
Aviation ISAC (A-ISAC)
Information Technology ISAC (IT-ISAC)
Research Education Networking ISAC (REN-ISAC)
Retail and Hospitality ISAC
**Other ISACS do receive AIS data but might not offer a member CTI feed connection and therefore do not distribute AIS data.
How to Share CTIs and DMs
CISA highly encourages AIS participants to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection. Information on how to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection is found in the AIS Submission Guidance Document.
CISA will also conduct conference calls or webinars with companies that have questions about the on-boarding requirements or receiving, using, or sharing indicators and defensive measures. Engagement requests can be sent to email@example.com
Other opportunities to share cyber threat information with CISA, including cyber threat indicators and defensive measures potentially subject to the protections of CISA 2015 described above, include using the Share indicators and defensive measures submission form or other available reporting methods listed on the Report Cyber Issue page.
AIS Documents for More Information
Several documents are associated with the Automated Indicator Sharing (AIS) capability, including:
AIS Submission Guidance: The Submission Guidance provides details for crafting cyber threat indicators in Structured Threat Information Expression (STIX) format, along with explanation of how to use Traffic Light Protocol (TLP). In Appendix A, all the STIX indicator fields from the AIS profile are included with information and examples for each. In addition, there are several examples of STIX indicators attached.
The On-boarding Frequently Asked Questions (FAQ): The FAQ provides the TAXII connectivity URL and explains the types of PKI certificates needed to connect and suggestions on where to purchase them if you do not have already.
AIS ACS Marking Guidance – (For AIS federal customers) This document is intended for federal sharing community readers who have some familiarity with AIS, STIX, and xml and wish to create and mark STIX documents in xml for sharing with AIS.
AIS Brokering System Description – (For AIS federal customers) The AIS Brokering Document provides significant detail on the brokering functions provided by DHS, and provides additional guidance and examples specifically for federal entities to mark information with ACS markings they intend to share with the non-federal and federal entities via AIS.
AIS Interconnection Agreement - The Interconnect Agreement describes general responsibilities on both sides of the sharing relationship to ensure the Trusted Automated Exchange of Indicator Information (TAXII) connectivity is properly secured and CISA knows who to contact regarding, e.g., maintenance windows or suspicious activity on the CISA-owned TAXII server. Please complete this with Point of Contact information so we can engage with the right security staff on your team.
Visit the Automated Indicator Sharing publication page to view all AIS documents.
Protected Critical Infrastructure Information Program (PCII)
The Protected Critical Infrastructure Information (PCII) Program is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data.
Homeland Security Information Network
The Homeland Security Information Network (HSIN) is a trusted network for homeland security mission operations to share sensitive but unclassified information. Federal, SLTT, and private sector partners can use HSIN to manage operations, analyze data, send alerts and notices, and share the information they need to perform their duties. CISA Central-developed products are available to registered stakeholders in authorized communities of interest. These products include Traffic Light Protocol (TLP) GREEN and AMBER indicator bulletins and analysis reports. TLP is a set of designations used to facilitate greater sharing of sensitive information with the appropriate audience. Four colors are used to indicate expected sharing boundaries from most restricted to least restricted public disclosure: RED, AMBER, GREEN, and WHITE, respectively. For information on applying for a HSIN account, contact HSIN at 866-430-0162 or HSIN.HelpDesk@hq.dhs.gov. NCCIC TLP:WHITE products are available through www.us-cert.cisa.gov/ics.
HSIN uses enhanced security measures, including verifying the identity of all users the first time they register and ensuring users use two-factor authentication each time they log on. HSIN leverages the trusted identity of its users to provide simplified access to a number of law enforcement, operations, and intelligence information sharing portals.
Service benefits include:
- alerts and notifications
- basic Learning Management System
- comprehensive HSIN training
- document repository
- geographic information system mapping
- instant messaging (HSIN chat)
- managed workflow capabilities
- secure messaging (HSIN Box)
- web conferencing (HSIN Connect)
For more information, or to become a member, visit www.dhs.gov/homeland-security-information-network-hsin or email HSIN.Outreach@hq.dhs.gov.
Information Products: National Cyber Awareness System
NCCIC offers no-cost, subscription-based information products to stakeholders through the www.us-cert.gov and www.ics-cert.gov websites. CISA Central designed these products—part of the National Cyber Awareness System (NCAS)—to improve situational awareness among technical and non-technical audiences by providing timely information about cybersecurity threats and issues and general security topics. Products include technical alerts, control systems advisories and reports, weekly vulnerability bulletins, and tips on cyber hygiene best practices. Subscribers can select to be notified when products of their choosing are published.
Service benefits include:
- Current Activity provides up-to-date information about high-impact security activity affecting the community at-large.
- Alerts provide timely information about current security issues, vulnerabilities, and exploits.
- Advisories provide timely information about current ICS security issues, vulnerabilities, and exploits.
- Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips provide guidance on common security issues.
For more information on available information products, visit www.us-cert.gov/ncas and www.ics-cert.us-cert.gov/. To subscribe to select products, visit public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new.
National Information Exchange Model (NIEM)
In January 2020, CISA officially became the Domain Steward of the National Information Exchange Model (NIEM) Cyber Domain. As the nation’s risk advisor, CISA is uniquely positioned to partner with community stakeholders to develop risk-informed decisions based on consistent cyber data and information sharing. Representing cyber data in a NIEM conformant way is critical to defend against cybersecurity threats and to inform a resilient posture to cyber risks.
What is NIEM?
NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations. NIEM enables a common understanding of commonly used terms and definitions, which provide consistent, reusable, and repeatable data terms, definitions and processes.
The Cyber Domain will ensure a coordinated community effort to increase broad visibility of cyber risks through consistent data and information sharing.
Where is NIEM Being Used?
For example, the Disaster Assistance Improvement Program (DAIP) uses NIEM to reduce the burden for disaster survivors through inter-agency information sharing. Using NIEM as the data layer foundation, DAIP connects partner agencies that provide disaster assistance to survivors, including the Small Business Administration and the Social Security Administration. By consolidating benefit information, application intake, and status information into a unified system, survivors can apply for assistance from 17 US government agencies with a single, online application.
CISA will manage the Cyber Domain through the Office of the Chief Technology Officer (OCTO). For more information about NIEM, visit www.niem.gov. To get involved in the NIEM Cyber Domain, visit https://www.niem.gov/communities/cyber or email us at firstname.lastname@example.org.