ISAO 200-1: Foundational Services and Capabilities v0.1

Request For Comment

The request for comment period for this draft concluded on Thursday, November 30. All comments are currently under review and adjudication by working groups. Comments received after the November 30th deadline are welcomed and may be included in future adjudication and revision periods.

Appendix A of the ISAO 100-2 publication introduced a list of services and capabilities that ISAOs offer and perform. Those services and capabilities were categorized into Foundational, Advanced, and Unique. The purpose of this document is to assist ISAOs by providing a comprehensive review of the foundational services and capabilities of an ISAO: collection and dissemination, facilitate member sharing, analyze information, and surveying members. This in turn will give ISAOs a deeper understanding of how they can operationalize the technical, analytical, and personnel aspects that are built around those capabilities and services.

The structure of this document is framed to begin with the easier, and then implemented to the more challenging capabilities and services. This will facilitate a natural progression for those ISAOs that are further along in their evolution to navigate to the area within the document that is appropriate for their current situation. Additionally, collection and dissemination have been split as separate services and capabilities, and thus each will have its own chapter. After evaluating the processes and technologies for collection and dissemination, WG2 felt that each was distinct enough to be independent services and capabilities.

Future documents will focus on the Advanced and Unique capabilities and services identified in ISAO 100-2.

Download This Draft Document
Having trouble viewing this document?

Submitted Comments

The ISAO SO invited the public to provide comments on this document from October 30 – November 29, 2017. The line reference and comment fields listed below are the exact contents as submitted by the commenter.

Line ReferenceCommentDisposition
8-9Should be: “that ISAOs could choose to perform, as necessary, to meet specific needs of their members.” Not all ISAOs provide (or will choose to provide) all the services listed in the document.Partial Acceptance
11instead of "expand on those services" do we mean "to provide more detail about each of the services and provide ideas to organizations on how they might define what services are of value to their members and how they might implement them, if they chose to implement them”?Partial Acceptance
13insert: with the goal of helping organizations identify what services they might want to provide to their members and suggestions on how to provide them.Rejected
19-20It is important to note the original appendix was not a complete list of services that ISAOs can provide. It also is worth emphasizing that not all ISAOs need to provide all (or any) of the services listed. Instead, the idea was that the services were a menu that organizations can pull from to meet their needs.Partial Acceptance
19-20Important to note that ISAO 100-2 Appendix A states that "ISAO services and capabilities are chosen by the organization and support the needs of its members. Of note, an ISAO does not need to provide all of the foundational services or capabilities enumerated hereafter to be considered an ISAO."Partial Acceptance
22-23This definition extends far beyond the fundamental, "baseline capabilities" of an ISAO enumerated within Executive Order 13691 and within ISAO 100-2 Guidelines for Establishing an ISAO. Within 200-1, the SO should clarify and reaffirm that an ISAO can offer a variety of services to its members based upon their unique needs, and these are just a few of the capabilities; not all are required.Partial Acceptance
25-26As stated above, this specific doc, 200-1, is focused on foundational capabilities. Rejected
26change “easier…” to the following, or similar language: Simpler capabilities and services, and progress to those that are more challenging. Accepted
27change “for those ISAOs” to: “for ISAOs”Accepted one method, or can be an effective tool to understand members' needs... An ISAO which consists of 3-4 people may not need to survey members' needs. Partial Acceptance
38delete "is a key" and insert "can be an effective"Accepted
48-49Typo, change to “it can be”Accepted
48-49When choosing to conduct a survey, it is can be easy to design a survey that will provide poor-quality results. Change to: When choosing to conduct a survey, it can be easy to design a survey that will provide poor-quality results.Accepted
50….involved in designing a survey that will produces high-quality results. Change to: ….involved in designing a survey that will produce high-quality results.Accepted
52-53This reads very awkwardly. Perhaps "There should be a clear, easily understood, purpose for the survey."Accepted
54Change from question mark to period.Accepted
63delete “you should have a good understanding of the overarching questions” to say just "understand the questions"Accepted
74This level of detail is not necessary in a foundational capabilities doc.Accepted
78…meaning of individuals or groups and is done usually done by gathering non-numerical data. Change to: …meaning of individuals or groups and is usually done by gathering non-numerical dataAccepted
225The SO should clarify that an ISAO may not need to survey its members. Partial Acceptance
225methods and ISAO can use to survey their members. Change to: methods an ISAO can use to survey their members.Accepted
226-227It's also worth noting that members can choose to not formally survey their members. For example, if the organization's leadership believe they understand the needs of their members or have a specific direction they want to pursue, there may not be a need to survey members. An organization might be small enough where there is no need to formally survey the members and instead they have a complete understanding of their considerations.Partial Acceptance
234As noted in Section 6.4.2 on page 14, ISAOs may enable the sharing of a variety of types of info, not just cyber threats. Accepted
234Are we limited to CTI? What if an ISAO wants to share other types of information?Accepted
241-242In terms of trust, information that comes directly from members is often easier to trust and verify. Member sharing also encourages sharing and fosters an environment other members feel safe to share.Accepted
242-243ISAOs may not necessarily collect and store cyber threat info in a repository; rather an ISAO may just enable the sharing of best practices and other cyber-related info. This section implies that an ISAO has to have a level of sophistication and governance that may not be required or desired by an its members. Partial Acceptance
252Don’t understand this--What is the centralized resource provided?Accepted
252Don't understand this. Can reduce the cost to who?Accepted
272Well, it depends. ONE approach is to start small and choose a few sources, but for a new ISAO that has companies with the ability to ingest a lot of information, starting small may not work for them.Accepted
279-280Well, it's a bit more complicated than this. You also need to see what information members are willing and are legally able to share.Partial Acceptance
302Thought we were not using the term "maturity level" since there is not a maturity scale. Instead we agreed to refer to an organization's capabilities.Accepted
311-313What are these?Rejected
318Why do we list this one vendor?Accepted
321This is not a foundational capability. Rejected
324-326Instead of turning this into a requirement, let's say that this provides an area of opportunity where an ISAO can add value to its members.Partial Acceptance
332Here are some tips on how to evaluate the value of feeds/information.Accepted
346This is not a foundational capability. Partial Acceptance
354-355The information sharing group has some guidelines on this as well we should reference. Where possible, we prefer referencing work done by the ISAO SO Working Groups.Accepted
361-362The information sharing group has some guidelines on this as well we should reference. Where possible, we prefer referencing work done by the ISAO SO Working Groups.Accepted
367-368Well, this is only one model. Why does an ISAO need to "collect" anything? Why can't members share directly with each other without it going to the ISAO? For example, is the ISAO “collecting” information that passes through its TAXI server? Is an ISAO “collecting” information members share with each other on a call or at a meeting?Rejected
373We also think this section generally focuses too much on automated sharing and does not provide enough guidance on human to human or email sharing. If this is covered in other WG products, perhaps we can reference products where this is covered in more detail.Partial Acceptance
375Consistent with 100-2 Appendix A, the foundational component of analysis is "Providing a forum for members to discuss and identify common issues and trends." Anything beyond that is a sophisticated capability (additional or unique), not foundational. By incorporating this section into the document, the SO is increasing the barriers to entry and participation in the ISAO ecosystem, thereby discouraging smaller, more resource-constrained organizations from participating. Partial Acceptance
379Not sure we agree with this statement. Why does an organization have to provide analysis? Why can't they share information and let the members do analysis of it? There’s a whole other working group doing analysis.Partial Acceptance
387Requirements for what?No Action Required
388What types of products?No Action Required
393-394ISAO analysis "should" produce each of these? We can't agree with that. The members should determine what type/level of analysis, if any, it wants from the ISAO.Accepted
393-395The language here is too strong. Not all ISAOs need to produce trend and analysis info, threat warnings, etc. Rather, an ISAO's members should determine how or even if an ISAO provides analysis of shared information. Further, this is a sophisticated capability that requires significant resources. Accepted
398-399The greatest value an ISAO can provide to its members is the trusted environment to share info. Partial Acceptance
399General comment is that this summary is not reflective of basic analysis and likely will scare people off from forming an ISAO. "Analysis" can be as simple as identifying what information to include in an open source news report to getting members to talk with each other. The “analysis” described here exceeds any initial capability most new ISAOs will have, and likely exceeds what many ISAOs will want to achieve.Partial Acceptance
403Can remove "analysis organization" as ISAO is stated right before.Accepted
403Can remove their (said twice)Accepted
506-510There are a lot of other ways to do this and we actually would not recommend this way, which is more resource intensive than other methods. An alternative suggestion is to create a system to label the emails so that the members know the urgency of the information being shared.Partial Acceptance
518Clarify that this is not a requirement as it is a sophisticated capabilityPartial Acceptance
518If we are suggesting that ISAOs provide mitigation recommendations, we should also suggest they have liability protections in place. For the record, we do not agree that providing mitigation recommendations is a foundational capability. It can be pretty complicated and tricky to provide sound mitigation recommendations to a community.Accepted
526TLP is only one example of a way to detail how information can be shared. TLP has its gaps and there are many other methods. This topic was addressed in great detail in the Information Sharing chapter.Partial Acceptance
533Instead of making this statement, (“It is necessary. . . “) why don't we encourage ISAOs to make decisions based on the needs of their members?Partial Acceptance
535This takes too narrow a view of information dissemination. There's tactical information and strategic information. With Strategic Information, timeliness is not as important and may not even be immediately actionable. Again the Information Sharing Chapter does a lot better job of detailing these.Partial Acceptance
553I would bring down some of the language from the Introduction so there is not such a discrepancy between advantage vs. disadvantageAccepted
571Can delete “implementing”Accepted
581Not sure TLP is a "standard."Accepted
583Not "require." How about "Having an organizational NDA"Partial Acceptance
585Not "requiring." How about "having a MOU or Member Agreement of some other common agreement among members."Partial Acceptance
Appendix BThis is one potential model and needs to be explained as such. We really oppose presenting one model as THE way something should be done. I believe the Information Sharing Chapter has other models.Accepted
Appendix DIncluding this list is a REALLY bad idea, for reasons we have previously detailed.Accepted
GeneralUnfortunately, the draft of 200-1 is more prescriptive and restrictive. From a macro perspective, the draft of 200-1 extends far beyond its mission, “a comprehensive overview of the foundational services and capabilities of an ISAO.” Rather, 200-1 highlights various capabilities that infer a level of sophistication that may not be present, required, or even desired by an ISAO in a foundational stage of development, and further implies that ISAOs need to be formal groups with established governance structures. As such, the
draft of 200-1 may (albeit inadvertently) exclude small businesses from participating in the ISAO development process – an important and perhaps vital population that the Executive Order sought to engage in the nation’s information sharing ecosystem through the ISAO model. For instance, surveying members and analyzing information are discussed in-depth within the draft of 200-1
as “foundational capabilities,” but this is in direct juxtaposition to previous SO documents which (1) provide flexibility for ISAOs to select the capabilities which suit their members’ needs, and (2) defines these specific capabilities much more broadly.6 For instance, regarding analysis, ISAO 100-2 broadly defines a foundational analytical capability as follows: “Providing a forum for members to discuss and identify common issues and trends.” This statement conflicts with the comprehensive analytical capabilities put forth as foundational requirements in the draft of 200-1, Section 5.
Partial Acceptance
GeneralFurther, although not specifically contemplated within the draft 200-1 v0.1, the SO recently introduced the idea of a self- and/or third-party certification regime. The current foundational capabilities draft is increasingly problematic when it may serve as a guideline for certification. By enacting a certification regime that is thereby tied to lofty minimum requirements, the SO would dramatically increase the barriers to entry and participation, thereby reducing the operational viability of the ISAO model for smaller, resource constrained organizations. Certification, even self-certification, will implicate significant resources. Further, this approach contradicts Executive Order 13691, which provided the legal basis and direction for the ISAO initiative and did not contemplate the use of a certification as a requirement for voluntary ISAO participation. NTCA urges the SO to revisit the concept of a certification regime. At a minimum, if there is going to be an ISAO certification developed, it should be voluntary, high-level, and private-sector driven. Certification should only serve a fundamental, basic purpose of ensuring organizations self-identify as an ISAO and express a commitment to cyber threat information sharing and analysis.No Action Required