Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the Cybersecurity and Infrastructure Agency (CISA) has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.
Traffic Light Protocol (TLP)
CISA uses the Traffic Light Protocol (TLP) according to the FIRST Standard Definitions and Usage Guidance. TLP was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s). TLP only has four colors; any designations not listed in this standard are not considered valid by FIRST.
For more information, see cisa.gov/TLP.
Cyber Information Sharing and Collaboration Program (CISCP)
Cyber Information Sharing and Collaboration Program (CISCP) enables information exchange and the establishment of a community of trust between the Federal Government and critical infrastructure owners and operators. CISCP and its members can share cyber threat, incident, and vulnerability information in near real-time to collaborate and better understand cyber threats. By leveraging CISA Central, formerly known as the National Cybersecurity and Communications Integration Center (NCCIC), members can receive guidance on cyber-related threats to prevent, mitigate or recover from cyber incidents.
CISCP membership provides access to the full suite of CISA Central products and services to support information exchange. Upon receiving indicators of observed cyber threat activity from its members, CISCP analysts redact proprietary information and collaborate with both government and industry partners to produce accurate, timely, actionable data and analytical products.
Information Sharing and Analysis Centers (ISACs)
Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. While CISA Central works in close coordination with all of the ISACs, a few critical infrastructure sectors maintain a consistent presence within the NCCIC.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) receives programmatic support from and has been designated by DHS as the cybersecurity ISAC for state, local, tribal, and territorial (SLTT) governments. The MS-ISAC provides services and information sharing that significantly enhances SLTT governments’ ability to prevent, protect against, respond to and recover from cyberattacks and compromises. DHS maintains operational-level coordination with the MS-ISAC through the presence of MS-ISAC analysts in CISA Central to coordinate directly with its own 24x7 operations center that connects with SLTT government stakeholders on cybersecurity threats and incidents.
In addition to the MS-ISAC, representatives of the Communications ISAC maintain a presence at DHS through the NCCIC’s National Coordinating Center for Communications (NCC), with resident members from the nation’s major communications carriers on site. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Aviation Information Sharing and Analysis Center (A-ISAC) also maintain a presence within CISA Central
Information Sharing and Analysis Organizations (ISAOs)
Like Information Sharing and Analysis Centers (ISACs), the purpose of Information Sharing and Analysis Organizations (ISAOs) is to gather, analyze, and disseminate cyber threat information, but unlike ISACs, ISAOs are not sector-affiliated. Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing calls for the development of ISAOs in order to promote better cybersecurity information sharing between the private sector and government, and enhance collaboration and information sharing amongst the private sector.
DHS is responsible for the execution of Executive Order 13691. Its role is threefold: DHS will select, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization, which will identify a set of voluntary guidelines for the creation and functioning of ISAOs; DHS will engage in continuous, collaborative, and inclusive coordination with ISAOs via its NCCIC; and DHS will develop a more efficient means for granting clearances to private sector individuals who are members of an ISAO via a designated critical infrastructure protection program.
This new ISAO model complements DHS’s existing information sharing programs and creates an opportunity to expand the number of entities that can share threat information with the government and with each other, reaching those who haven’t necessarily had the opportunity to participate in such information sharing.
Automated Indicator Sharing
Automated Indicator Sharing (AIS) enables the exchange of cyber threat indicators between the Federal Government, SLTT governments, and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender’s address of a phishing email. AIS is part of a CISA effort to create a cyber ecosystem where as soon as a stakeholder observes an attempted compromise, the cyber threat indicator of compromise (IOC) will be shared in real time with all partners, protecting everyone from that particular threat.
Service benefits include:
- Privacy and civil liberty protection - CISA has taken careful measures to ensure that appropriate privacy and civil liberty protections are implemented in AIS and are regularly tested. To ensure that Personally Identifiable Information (PII) is protected, AIS has processes that provide the following functions:
- perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
- incorporate elements of human review on select fields of certain IOCs to ensure the automated processes are operating properly;
- minimize the amount of data included in an IOC to ensure that its information is directly related to a cyber threat;
- retain only the information needed to address cyber threats; and
- ensure that any information collected is used only for network defense or limited law enforcement purposes.
- Sharing at machine speed - AIS enables the bidirectional sharing of IOCs between the Federal Government and AIS partners in real-time by leveraging industry standards for machine-to-machine communication through the sharing of STIX files through the Trusted Automated eXchange of Indicator Information (TAXII™)
- Non-attributal sharing - Participants who share indicators through AIS will not be identified as the source of those indicators unless they affirmatively consent to the disclosure of their identity.
For more information, or to sign up to participate in AIS, visit www.us-cert.gov/ais.
Protected Critical Infrastructure Information Program (PCII)
The Protected Critical Infrastructure Information (PCII) Program is an information-protection program that enhances voluntary information sharing between infrastructure owners and operators and the government. PCII protections mean that homeland security partners can be confident that sharing their information with the government will not expose sensitive or proprietary data.
Homeland Security Information Network
The Homeland Security Information Network (HSIN) is a trusted network for homeland security mission operations to share sensitive but unclassified information. Federal, SLTT, and private sector partners can use HSIN to manage operations, analyze data, send alerts and notices, and share the information they need to perform their duties. CISA Central-developed products are available to registered stakeholders in authorized communities of interest. These products include Traffic Light Protocol (TLP) GREEN and AMBER indicator bulletins and analysis reports. TLP is a set of designations used to facilitate greater sharing of sensitive information with the appropriate audience. Four colors are used to indicate expected sharing boundaries from most restricted to least restricted public disclosure: RED, AMBER, GREEN, and WHITE, respectively. For information on applying for a HSIN account, contact HSIN at 866-430-0162 or HSIN.HelpDesk@hq.dhs.gov. NCCIC TLP:WHITE products are available through www.us-cert.gov and www.ics-cert.gov.
HSIN uses enhanced security measures, including verifying the identity of all users the first time they register and ensuring users use two-factor authentication each time they log on. HSIN leverages the trusted identity of its users to provide simplified access to a number of law enforcement, operations, and intelligence information sharing portals.
Service benefits include:
- alerts and notifications
- basic Learning Management System
- comprehensive HSIN training
- document repository
- geographic information system mapping
- instant messaging (HSIN chat)
- managed workflow capabilities
- secure messaging (HSIN Box)
- web conferencing (HSIN Connect)
For more information, or to become a member, visit www.dhs.gov/homeland-security-information-network-hsin or email HSIN.Outreach@hq.dhs.gov.
Information Products: National Cyber Awareness System
NCCIC offers no-cost, subscription-based information products to stakeholders through the www.us-cert.gov and www.ics-cert.gov websites. CISA Central designed these products—part of the National Cyber Awareness System (NCAS)—to improve situational awareness among technical and non-technical audiences by providing timely information about cybersecurity threats and issues and general security topics. Products include technical alerts, control systems advisories and reports, weekly vulnerability bulletins, and tips on cyber hygiene best practices. Subscribers can select to be notified when products of their choosing are published.
Service benefits include:
- Current Activity provides up-to-date information about high-impact security activity affecting the community at-large.
- Alerts provide timely information about current security issues, vulnerabilities, and exploits.
- Advisories provide timely information about current ICS security issues, vulnerabilities, and exploits.
- Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
- Tips provide guidance on common security issues.
For more information on available information products, visit www.us-cert.gov/ncas and www.ics-cert.us-cert.gov/. To subscribe to select products, visit public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new.
National Information Exchange Model (NIEM)
In January 2020, CISA officially became the Domain Steward of the National Information Exchange Model (NIEM) Cyber Domain. As the nation’s risk advisor, CISA is uniquely positioned to partner with community stakeholders to develop risk-informed decisions based on consistent cyber data and information sharing. Representing cyber data in a NIEM conformant way is critical to defend against cybersecurity threats and to inform a resilient posture to cyber risks.
What is NIEM?
NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations. NIEM enables a common understanding of commonly used terms and definitions, which provide consistent, reusable, and repeatable data terms, definitions and processes.
The Cyber Domain will ensure a coordinated community effort to increase broad visibility of cyber risks through consistent data and information sharing.
Where is NIEM Being Used?
For example, the Disaster Assistance Improvement Program (DAIP) uses NIEM to reduce the burden for disaster survivors through inter-agency information sharing. Using NIEM as the data layer foundation, DAIP connects partner agencies that provide disaster assistance to survivors, including the Small Business Administration and the Social Security Administration. By consolidating benefit information, application intake, and status information into a unified system, survivors can apply for assistance from 17 US government agencies with a single, online application.
CISA will manage the Cyber Domain through the Office of the Chief Technology Officer (OCTO). For more information about NIEM, visit www.niem.gov. To get involved in the NIEM Cyber Domain, visit https://www.niem.gov/communities/cyber or email us at firstname.lastname@example.org.