1What is an ISAO?
The term “Information Sharing and Analysis Organization,” or ISAO, means any entity or collaboration created or employed by public- or private-sector organizations, for purposes of—
- gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems, so as to ensure their availability, integrity, and reliability;
- communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise, or incapacitation problem related to cyber systems; and
- voluntarily disseminating critical cyber and related information to its members; federal, state, and local governments; or any other entities that may be of assistance in carrying out the purposes specified above.
2Why form an ISAO, and who should form one?
The cyber threat is one of the most serious economic and national security challenges we face as a Nation. Organizations engaged in sharing information related to cybersecurity risks and incidents play an invaluable role in our collective cybersecurity. Accordingly, private companies, nonprofit organizations, federal and local agencies, and other entities or interested individuals must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.
Several critical infrastructure sectors have dramatically improved their cybersecurity posture by creating and operating Information Sharing and Analysis Centers. However, numerous communities of interest within our broader national cyber ecosystem do not have the benefit of this type of collaborative support. These communities of interest can and should be defined by the community itself, and may include, for example, small and medium sized businesses, industry groups, and communities or municipalities. ISAOs may be organized on the basis of sector, sub-sector, region, or any other relationship, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or may consist of a combination of public- and private-sector organizations. ISAOs may be formed as for-profit or nonprofit entities.
3What is the role of the ISAO Standards Organization?
The mission of the ISAO Standards Organization is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices. Our vision is a more secure and resilient Nation that is connected, informed, and empowered.
The organization engages in an open, public dialogue to develop voluntary standards and guidelines for the formation and functioning of ISAOs. These standards address, but are not limited to, contractual agreements, business processes, operating procedures, technical specifications, and privacy protections. We will build on best practices and lessons learned from existing information sharing and analysis centers and other information sharing organizations. Given our global relationships and dependencies, we will also consider relevant voluntary international standards and practices. We are developing a consensus standards development process that leverages industry, government, and academic expertise through working groups. We also advise organizations on effectively creating and operating ISAOs. In addition, the Standards Organization will collect and publish metrics reflecting the effectiveness of cybersecurity information sharing.
4What is the role of the federal government in developing these standards and documents?
The ISAO Standards Organization is a non-governmental organization working with the private sector in the public interest. We work with existing information-sharing organizations; owners and operators of critical infrastructure; relevant federal, state, local, and tribal agencies; and other public- and private-sector stakeholders, through a consensus standards development process to identify a common set of voluntary standards and guidelines for creating and operating ISAOs. The federal government is an important partner in developing effective ISAO standards and guidelines, but does not control or direct standards development.
5When will the standards and other documents be produced?
The ISAO Standards Organization was established in October 2015. Using significant public input, more than 100 experts from various industry sectors, government agencies, and academia have established working groups, which are now actively working to develop initial documents. We have established an aggressive schedule to publish an initial set of documents that meets the urgent need to confront growing cyber threats as soon as possible while protecting vital privacy and security concerns. We anticipate releasing drafts for public comment in Spring 2016, with a target of publishing our first documents in Fall 2016. Our initial focus is on producing voluntary guidelines and processes that will help interested parties establish effective ISAOs.
6What is the standards development process, and how do I provide comments on draft documents?
7Where will the standards or documents be posted, and how do I find out about them?
8Do I have to wait until the standards and other documents are created before forming an ISAO?
No. Communities of interest can begin sharing cyber information and join the broader information sharing effort as it develops. For more information or assistance, please contact the ISAO Standards Organization through our Contact page.
9How can I participate?
Public input is very important to the development of ISAO standards. To get involved, you can
- attend a public ISAO Standards Organization meeting, either in-person or online. Upcoming events are listed on the Events page.
- provide feedback on future ISAO standards and guidelines that are located on the Drafts page.
- join a working group. Descriptions of each group are found on the Working Groups Overview page, and you can apply to join a working group online.
- visit the Contact page to share comments or questions for the ISAO Standards Organization.
10How can I join a working group?
11Is there a fee to become a working group member?
There is no fee to be a working group member, but all members are expected to contribute time towards the standards development process.