Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the Cybersecurity and Infrastructure Agency (CISA) has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.
Traffic Light Protocol (TLP)
CISA uses the Traffic Light Protocol (TLP) according to the FIRST Standard Definitions and Usage Guidance. TLP was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). TLP only has four colors; any designations not listed in this standard are not considered valid by FIRST.
For more information, see cisa.gov/TLP.
Cyber Information Sharing and Collaboration Program (CISCP)
Cyber Information Sharing and Collaboration Program (CISCP) enables information exchange and the establishment of a community of trust between the Federal Government and critical infrastructure owners and operators. CISCP and its members can share cyber threat, incident, and vulnerability information in near real-time to collaborate and better understand cyber threats. By leveraging CISA Central, formerly known as the National Cybersecurity and Communications Integration Center (NCCIC), members can receive guidance on cyber-related threats to prevent, mitigate or recover from cyber incidents.
CISCP membership provides access to the full suite of CISA Central products and services to support information exchange. Upon receiving indicators of observed cyber threat activity from its members, CISCP analysts redact proprietary information and collaborate with both government and industry partners to produce accurate, timely, actionable data and analytical products.
Information Sharing and Analysis Centers (ISACs)
Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. While CISA Central works in close coordination with all of the ISACs, a few critical infrastructure sectors maintain a consistent presence within CISA Central.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) receives programmatic support from and has been designated by DHS as the cybersecurity ISAC for state, local, tribal, and territorial (SLTT) governments. The MS-ISAC provides services and information sharing that significantly enhances SLTT governments’ ability to prevent, protect against, respond to and recover from cyberattacks and compromises. DHS maintains operational-level coordination with the MS-ISAC through the presence of MS-ISAC analysts in CISA Central to coordinate directly with its own 24x7 operations center that connects with SLTT government stakeholders on cybersecurity threats and incidents.
In addition to the MS-ISAC, representatives of the Communications ISAC maintain a presence at DHS through the CISA Central’s National Coordinating Center for Communications (NCC), with resident members from the nation’s major communications carriers on site. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Aviation Information Sharing and Analysis Center (A-ISAC) also maintain a presence within CISA Central.
Information Sharing and Analysis Organizations (ISAOs)
Like Information Sharing and Analysis Centers (ISACs), the purpose of Information Sharing and Analysis Organizations (ISAOs) is to gather, analyze, and disseminate cyber threat information, like ISACs, ISAOs are sector-affiliated. Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing calls for the development of ISAOs in order to promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector.
ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations. ISAOs may be formed as for-profit or nonprofit entities.
DHS is responsible for the execution of Executive Order 13691. Its role is threefold: DHS will select, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization, which will identify a set of voluntary guidelines for the creation and functioning of ISAOs; DHS will engage in continuous, collaborative, and inclusive coordination with ISAOs via CISA Central; and DHS will develop a more efficient means for granting clearances to private sector individuals who are members of an ISAO via a designated critical infrastructure protection program.
This new ISAO model complements DHS’s existing information sharing programs and creates an opportunity to expand the number of entities that can share threat information with the government and with each other, reaching those who haven’t necessarily had the opportunity to participate in such information sharing.
Automated Indicator Sharing
Automated Indicator Sharing (AIS), a Cybersecurity and Infrastructure Security Agency (CISA) capability, enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyber attacks. The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial governments; information sharing and analysis centers and information sharing and analysis organizations; and foreign partners and companies. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.
The AIS ecosystem empowers participants to share cyber threat indicators and defensive measures, such as information about attempted adversary compromises as they are being observed, to help protect other participants of the AIS community and ultimately limit the adversary’s use of an attack method. The more you share, the more everyone becomes informed, and the more we all prevent further damage from vicious cyber-attacks together!
Please visit CISA's AIS page for more information.
Protected Critical Infrastructure Information Program (PCII)
The Protected Critical Infrastructure Information (PCII) Program is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data.
Homeland Security Information Network
The Homeland Security Information Network (HSIN) is a trusted network for homeland security mission operations to share sensitive but unclassified information. Federal, SLTT, and private sector partners can use HSIN to manage operations, analyze data, send alerts and notices, and share the information they need to perform their duties. CISA Central-developed products are available to registered stakeholders in authorized communities of interest. These products include Traffic Light Protocol (TLP) GREEN and AMBER indicator bulletins and analysis reports. TLP is a set of designations used to facilitate greater sharing of sensitive information with the appropriate audience. Four colors are used to indicate expected sharing boundaries from most restricted to least restricted public disclosure: RED, AMBER, GREEN, and WHITE, respectively. For information on applying for a HSIN account, contact HSIN at 866-430-0162 or HSIN.HelpDesk@hq.dhs.gov. CISA Central TLP:WHITE products are available through www.us-cert.cisa.gov/ics.
HSIN uses enhanced security measures, including verifying the identity of all users the first time they register and ensuring users use two-factor authentication each time they log on. HSIN leverages the trusted identity of its users to provide simplified access to a number of law enforcement, operations, and intelligence information sharing portals.
Service benefits include:
- alerts and notifications
- basic Learning Management System
- comprehensive HSIN training
- document repository
- geographic information system mapping
- instant messaging (HSIN chat)
- managed workflow capabilities
- secure messaging (HSIN Box)
- web conferencing (HSIN Connect)
For more information, or to become a member, visit www.dhs.gov/homeland-security-information-network-hsin or email HSIN.Outreach@hq.dhs.gov.
Information Products: National Cyber Awareness System
CISA Central offers no-cost, subscription-based information products to stakeholders through the www.us-cert.gov and www.ics-cert.gov websites. CISA Central designed these products—part of the National Cyber Awareness System (NCAS)—to improve situational awareness among technical and non-technical audiences by providing timely information about cybersecurity threats and issues and general security topics. Products include technical alerts, control systems advisories and reports, weekly vulnerability bulletins, and tips on cyber hygiene best practices. Subscribers can select to be notified when products of their choosing are published.
Service benefits include:
- Current Activity provides up-to-date information about high-impact security activity affecting the community at-large.
- Alerts provide timely information about current security issues, vulnerabilities, and exploits.
- Advisories provide timely information about current ICS security issues, vulnerabilities, and exploits.
- Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips provide guidance on common security issues.
For more information on available information products, visit www.us-cert.gov/ncas and www.ics-cert.us-cert.gov/. To subscribe to select products, visit public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new.
National Information Exchange Model (NIEM)
In January 2020, CISA officially became the Domain Steward of the National Information Exchange Model (NIEM) Cyber Domain. CISA is uniquely positioned to partner with community stakeholders to develop risk-informed decisions based on consistent cyber data and information sharing. Representing cyber data in a NIEM conformant way is critical to defend against cybersecurity threats and to inform a resilient posture to cyber risks.
What is NIEM?
NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations. NIEM enables a common understanding of commonly used terms and definitions, which provide consistent, reusable, and repeatable data terms, definitions and processes.
The Cyber Domain will ensure a coordinated community effort to increase broad visibility of cyber risks through consistent data and information sharing.
Where is NIEM Being Used?
For example, the Disaster Assistance Improvement Program (DAIP) uses NIEM to reduce the burden for disaster survivors through inter-agency information sharing. Using NIEM as the data layer foundation, DAIP connects partner agencies that provide disaster assistance to survivors, including the Small Business Administration and the Social Security Administration. By consolidating benefit information, application intake, and status information into a unified system, survivors can apply for assistance from 17 US government agencies with a single, online application.
CISA will manage the Cyber Domain through the Office of the Chief Technology Officer (OCTO). For more information about NIEM, visit www.niem.gov. To get involved in the NIEM Cyber Domain, visit https://www.niem.gov/communities/cyber or email us at firstname.lastname@example.org.
Shared Cybersecurity Services
Shared Cybersecurity Services (SCS) is a portfolio of Cybersecurity and Infrastructure Security Agency (CISA)-funded contracts that provides federal civilian agencies, state fusion centers, and select information sharing and analysis centers with no-cost access to commercial Cyber Threat Intelligence (CTI) and services.