Request For Comment
The request for comment period for this draft concluded on Monday, January 15. All comments are currently under review and adjudication by working groups. Comments received after the January 15th deadline are welcomed and may be included in future adjudication and revision periods.
The cybersecurity information sharing ecosystem is expanding and gaining momentum. Initially, just over a dozen ISACs focused on the nation's critical infrastructure; today dozens of ISAOs exist and are projected to grow into hundreds. Growth is good, but it can come with a cost: trust.
How should we build and promote trust in the Cybersecurity Information Sharing Ecosystem? Additionally, with no control over who can use the ISAC or ISAO title, how does anybody know what either of these names means for a given organization? As an ecosystem we need to examine trust from several aspects, including:
- How does an ISAO know that information it receives from another ISAO or information sharing organization can be trusted to be accurate?
- How does an ISAO know it can trust that another ISAO or organization it shares information with will not misuse that information?
- How can an individual or company wishing to join an information sharing organization trust the claims of the information sharing organization?
- How does an individual or company know what services or capabilities an ISAO is truly offering and how it compares to those offered by another?
- For a company just entering the ecosystem, or a new group of organizations that have come together to form an ISAO, how do they know, at a minimum, what they should be doing or expecting?
For already existing information sharing organizations with established relationships, there is less of a need to address these issues. With new and forming ISAOs, however, these issues are more critical, as they do not have any established relationships and may be very new to the concepts of information sharing and analysis. One idea under development that we believe will address these issues is the ISAO Certification Model. It proposes two types of voluntary certification: self certification and third party certification. The attached document, Solicitation for a Discussion on an ISAO Certification Model, is meant to start a conversation on how to promote trust between information sharing entities in the ecosystem in a timely manner, which is another aspect of this problem.
The ISAO Standards Organization is requesting public review and comment on ISAO certification and is open to hearing alternative ideas for building trust in a timely manner within the ecosystem. The focus is not primarily on certification but rather on the issues surrounding trust. The attached certification document is a proposed approach, but it may not be the only one, or the best. We need your comments and recommendations to arrive at the best approach and solution for handling the issues outlined. The Request For Comment period is December 1, 2017 to January 15, 2018.