Request For Comment
The request for comment period for this draft concluded on Friday, June 17, 2016. All comments were reviewed and adjudicated by working groups. Comments received after the June 17 deadline may be included in future adjudication and revision periods.
The ISAO Standards Organization recognizes that not all new ISAOs may initially be able or desire to fully achieve these objectives. The information sharing guideline is structured to provide a new or existing ISAO with a context identifying outcomes to be considered when selecting and implementing its information sharing and collaboration efforts. In addition to a context framework and information uses, we also present a functional decomposition of possible ISAO information sharing activities. This guideline also offers a path to consider for maturing an ISAO’s information sharing capabilities. Note that the framework is conceptual as opposed to prescriptive, and its inclusion is meant to illustrate options rather than mandate them.
The ISAO SO invited the public to provide comments on this document from May 3 – June 17, 2016. The line reference and comment fields listed below are the exact contents as submitted by the commenter.
|General||There should be plans to assist ISAOs in leveraging the Trusted Automated eXchange of Indicator Information (TAXII (TM)) and the Structured Threat Information eXpression (STIX (TM)). https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources/standards||Accepted|
|General||These comments were submitted by The InfraGard National Capital Region Members Alliance (INCRMA), Regulatory & Policy Working Group, whose members hail from both government and industry. The InfraGard National Capital Region Members Alliance (INCRMA) is an alliance with the FBI's Washington Field Office and individuals committed to protecting the nation's critical infrastructure. Our chapter has the same footprint as the FBI field office with which we are aligned - Washington, DC and northern Virginia. Our mission is to improve and extend information sharing between critical infrastructure stakeholders, in both the private and public sectors, with the government, particularly the FBI, to protect those infrastructure assets from physical and/or cyber attack. As a result of this exchange, timely information and intelligence is delivered, investigations are initiated and/or enhanced, vital economic and national security assets are protected, and lasting relationships are formed between law enforcement and infrastructure owners/operators.||Rejected|
|General Comments||*Recommend clarifying terms such as environment, situation, or situational awareness. They appear to be used interchangeably to mean threat landscape. Providing clarification and consistent use of terms will increase ease of understanding of the standards. *Streamlined the authors use of Situational Awareness, Decision-Making, Action to something that reflects the commonly used intel processes such as Awareness, Analysis, Action. Analysis or synthesis of information into assessments or recommendations is vital toward taking action. Good decision-making requires awareness and analysis in order to command appropriate action. Awareness, Analysis, and Action represent three distinct phases.||Accepted|
|Figure 1||Context for information sharing: Suggest the first bullet in Organizational Objective: Managing Cyber Related Risk be to understand their organization's security posture and its ability to implement actions. If ISAOs won't provide a common framework for evaluating risk, then a statement defining an ISAO members' experience in identifying and evaluating risk would serve as a great trust building mechanism and enable other ISAO members to evaluate the information shared. This would not serve to establish ISAO member's security maturity but the bona fides of a contributor. Overall make-up of an ISAO could be impacted if member's experience greatly varies between elementary to advance.||Under Review|
|Figure 3||Recommend starting the process with normalized and structured data from an organization based on the ISAOs ability to provide an evaluation of the value. Raw data is most useful when looking for trace evidence after a breach has occurred. Defining the cyber threat environment by relating threats to other threats, incidents, and vulnerabilities may introduce subjectivity that may be difficult to prove useful. The information provided as part of the cyber threat environment should encompass threat activity, indicators, and vulnerabilities related to a threat such that network defender could respond along the threat life cycle.||Under Review|
|page 8||What this table actually describes are incident response actions and departs from the intent of the stated description. Is incident response in the scope of ISAO activities? How does it fit with ISAO definition?||Accepted|
|1||Greetings,You should consider review and collaboration with NISTRef. NIST Special Publication 800-150 (Draft)http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf Best regards||Accepted|
|6-10||Cyber-physical should be included if by the term "cyber-physical," the SWG3 means control systems and other automation technologies. IoT, IIoT convergence through smart cities, smart cars, supply chain integration with SAP, ERP, and Cloud integration needs to be addressed in threat sharing.||Under Review|
|24||Perhaps we need to define "secure" portal. Is a cloud-based system with a password secure (ie, Dropbox)?, is 2FA needed? or are there specific infosec requirements that need to be satisfied to meet this expectation?||Under Review|
|51||Recommend adding "understanding of organization's security posture" to list of issues that should be taken into consideration when devising a strategy to manage risks. The information model should reflect organizational awareness, the decisions made to achieve the awareness and the successful actions taken to act upon information received.||Accepted|
|55||This statement assumes that organizations will be able to act upon the information received. The standards should acknowledge that not all the organizations will have the expertise and resources necessary to act upon the information they receive through ISAO and will hire third party organizations to act on their behalf. As currently structured, the ability to respond appears to be a pre-requisite for an organization to participate in an ISAO.||Accepted|
|60-69||This sounds like an ISAC. How would the ISAOs be different? Should they be linked to an ISAC or should ISACs be modified to improve government and non government collaboration?||Under Review|
|154||Recommend that the guidelines suggest that an organization be transparent and open about their motivations for information sharing within an ISAO. Transparency will enhance trust between organizations which is a pre-requisite for information sharing.||Accepted|
|171||Recommend adding operational analysis. Operational Analysis as a category includes participant questions and fosters collaboration between those who are closest to analysis.||Under Review|
|194||Recommend providing clarification of the term coordination. Does coordination mean incident response? Or does coordination support findings when an analyst ask a question? For example, a "have you seen this before?" or "I believe this is Threat X, what other TTPs should I be looking for?" questions.||Accepted|
|198||What are the benchmarks for the determining the effectiveness of the recommendations? Is it private or public benchmarks or a blend of the two?||Under Review|
|199-207, 229-234||As part of the ongoing assessment of information sharing, there should be an assessment of the efficacy of information sharing as well as the potential for attacker behavior to change as a consequence of information sharing, either due to the attacker realizing that his TTPs are being detected and mitigated, or due to leakage of information from the ISAO to the attacker more directly. In addition, assessment should be made of the timeliness, relevance, and accuracy of information to its constituent members as part of a continuous improvement process and feedback loop.||Under Review|
|215||The current ISAO conceptual information uses (Figure 3) is currently a bit confusing. If it will be used interchangeable across all sectors, future consideration should be formulated for a more universally industry friendly key and flow chart. The goal is to have this information applied; complicated and confusing diagrams will not help in achieving this goal especially with the ISAO's blending private and public terminology.||Under Review|
|244||Low Mobile Applications for dynamic and robust communication ie, slack, broadcast text alerts.||Accepted|