Request For Comment
The objective of this guide is to identify preliminary matters of policy and principles, state and local government perspectives, and relevant federal regulations regarding information sharing within the United States. Developing trust between the U.S. government and ISAOs is a major consideration for all parties, particularly in the area of information sharing and privacy. This document also addresses considerations for ISAO interaction with the intelligence community, law enforcement agencies, U.S. regulatory agencies, the Department of Homeland Security, and other government departments and agencies.
The primary sections of this voluntary ISAO Standards Organization (SO) guide are organized as follows:
- Section 2 outlines the scope, strategy, and outputs concerning the role of government with respect to ISAOs.
- Section 3 provides an overview of relevant federal regulations.
- Section 4 addresses issues and considerations from the perspective of state and local governments.
- Section 5 identifies government resources available to assist ISAOs.
This is the first complete draft of this voluntary guide on scope, strategy, and outputs concerning the role of government. Additionally, this document provides a wide range of available services to new and emerging ISAOs. This draft is intended to be a starting point and will be updated continuously through public input and working group research.
The ISAO SO invited the public to provide comments on this document from July 27, 2016 – August 5, 2016. Both fields listed below (line number and comment) are the exact contents as submitted by the commenter.
| Line Number | Comment | Disposition |
|---|---|---|
| 38, 61 | Line 38: "What is the best way to develop role of government issues for consideration?" This sentence is unclear and doesn't quite match the language of section 2.4. How about "Which government functions should be considered in identifying roles and responsibilities?" Alternatively, to match 2.4, perhaps "In which functions [in cybersecurity] does government have a legitimate role to play?" Line 61: The heading is "WHAT PRINCIPLES?" but the section contains no discussion of principles. | Accepted |
| 413 | Under Resources to Identify Threats, please add the following DHS resources: Multi-State Information Sharing and Analysis Organization (MS-ISAC); Cyber Information Sharing and Collaboration Program (CISCP); Automated Indicator Sharing (AIS). | Accepted |
| 510 | Under Resources to Protect Against Threats, please add the following DHS Resources: Cyber Resilience Review (CRR) and Cyber Infrastructure Survey Tool (C-IST); National Cybersecurity Assessment and Technical Services (NCATS) (including Cyber Hygiene (CH) and Risk Vulnerability Assessments (RVA)); Federal Virtual Training Environment (FedVTE); Multi-State Information Sharing and Analysis Organization (MS-ISAC); National Cyber Exercise and Planning Program (NCEPP); Continuous Diagnostics and Mitigation (CDM); National Cyber Security Awareness Month (NCSAM); Scholarship for Service (SFS) hiring by State, Local, Tribal, and Territorial (SLTT) entities. | Accepted |
| 660 | Under Resources to Detect Threats, please add the following DHS resources: Continuous Diagnostics and Mitigation (CDM); Automated Indicator Sharing (AIS); Multi-State Information Sharing and Analysis Organization (MS-ISAC); US-CERT and ICS-CERT Alerts, Bulletins, Tips, and Technical Documents. Please delete FEMA Emergency Planning Exercises; it is not a detection resource. | Accepted |
| 693 | Under Resources to Respond to Threats, please add the following topics: National Cyber Exercise and Planning Program (NCEPP) Exercise Team; Multi-State Information Sharing and Analysis Organization (MS-ISAC). | Accepted |
| 851-901 | There are many more NIST 800-series special publications which are highly relevant to cybersecurity; the series as a whole should be called out. In particular, since the topic here is information sharing, NIST 800-150, Guide to Cyber Threat Information Sharing, is worthy of note even though it is currently in Second Draft. | Accepted |
| 851-901 | In the section on Other Sources, the Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework is worthy of reference. The FIRST IEP is designed to be useful for determining policies about information sharing which can also be applied to automated sharing. | Accepted |