ISAO 600-1 U.S. Government Relations, Programs, and Services v0.4 (SWG6)

Request For Comment

The objective of this guide is to identify preliminary matters of policy and principles, state and local government perspectives, and relevant federal regulations regarding information sharing within the United States. Developing trust between the U.S. government and ISAOs is a major consideration for all parties, particularly in the area of information sharing and privacy. This document also addresses considerations for ISAO interaction with the intelligence community, law enforcement agencies, U.S. regulatory agencies, the Department of Homeland Security, and other government departments and agencies.

The primary sections of this voluntary ISAO Standards Organization (SO) guide are organized as follows:

  • Section 2 outlines the scope, strategy, and outputs concerning the role of government with respect to ISAOs.
  • Section 3 provides an overview of relevant federal regulations.
  • Section 4 addresses issues and considerations from the perspective of state and local governments.
  • Section 5 identifies government resources available to assist ISAOs.

This is the first complete draft of this voluntary guide on scope, strategy, and outputs concerning the role of government. It also identifies a wide range of government services available to new and emerging ISAOs. This draft is intended as a starting point and will be updated continuously through public input and working group research.


Submitted Comments

The ISAO SO invited the public to provide comments on this document from July 27, 2016 – August 5, 2016. Both fields listed below (line number and comment) are the exact contents as submitted by the commenter.

Each submitted comment is listed below with the line reference (line numbers of the draft document as cited by the commenter), the comment, and its disposition.

Line Reference: 38, 61
Comment: Line 38: "What is the best way to develop role of government issues for consideration?" This sentence is unclear and doesn't quite match the language of section 2.4. How about "Which government functions should be considered in identifying roles and responsibilities?" Alternatively, to match 2.4, perhaps "In which functions [in cybersecurity] does government have a legitimate role to play?" Line 61: The heading is "WHAT PRINCIPLES?" but the section contains no discussion of principles.
Disposition: Accepted

Line Reference: 413
Comment: Under Resources to Identify Threats, please add the following DHS resources: *Multi-State Information Sharing and Analysis Organization (MS-IAC) *Cyber Information Sharing and Collaboration Program (CISCP) *Automated Indicator Sharing (AIS)
Disposition: Accepted

Line Reference: 510
Comment: Under Resources to Protect Against Threats, please add the following DHS Resources: *Cyber Resilience Review (CRR) and Cyber Infrastructure Survey Tool (C-IST) *National Cybersecurity Assessment and Technical Services (NCATS) (including Cyber Hygiene (CH) and Risk Vulnerability Assessments (RVA)) *Federal Virtual Training Environment (FedVTE) *Multi-State Information Sharing and Analysis Organization (MS-ISAC) *National Cyber Exercise and Planning Program (NCEPP) *Continuous Diagnostics and Mitigation (CDM) *National Cyber Security Awareness Month (NCSAM) *Scholarship for Service (SFS) hiring by State, Local, Tribal, and Territorial (SLTT) entities
Disposition: Accepted

Line Reference: 660
Comment: Under Resources to Detect Threats, please add the following DHS resources: *Continuous Diagnostics and Mitigation (CDM) *Automated Indicator Sharing (AIS) *Multi-State Information Sharing and Analysis Organization (MS-ISAC) *US-CERT and ICS-CERT Alerts, Bulletins, Tips, and Technical Documents. Please delete FEMA Emergency Planning Exercises - it is not a detection resource
Disposition: Accepted

Line Reference: 693
Comment: Under Resources to Respond to Threats, please add the following topics: *National Cyber Exercise and Planning Program (NCEPP) Exercise Team *Multi-State Information Sharing and Analysis Organization (MS-ISAC)
Disposition: Accepted

Line Reference: 851-901
Comment: There are many more NIST 800-series special publications which are highly relevant to cybersecurity; the series as a whole should be called out. In particular, since the topic here is information sharing, NIST 800-150, Guide to Cyber Threat Information Sharing, is worthy of note even though it is currently in Second Draft.
Disposition: Accepted

Line Reference: 851-901
Comment: In the section on Other Sources, the Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework is worthy of reference. The FIRST IEP is designed to be useful for determining policies about information sharing which can also be applied to automated sharing.
Disposition: Accepted