San Antonio, TX (November 6, 2017)—The Information Sharing and Analysis Organization Standards Organization (ISAO SO) announced at the recent International Information Sharing Conference (IISC) held in Washington D.C. October 31 – November 1 the intent to move forward on a potential certification program. The purpose of the program, as outlined in a presentation by Dr. Gregory White, the Executive Director of the ISAO SO, is to address the future needs of the ISAO ecosystem in terms of several factors:
- How does a prospective member of an ISAO know which ISAO they may want to be a member of? How does the prospective member know what services and capabilities are important and whether a specific ISAO can provide those services and capabilities?
- How is trust established in a TIMELY MANNER between ISAOs or between an ISAO and the government? How is this accomplished when the ecosystem consists of hundreds or thousands of ISAOs? How is this accomplished across international borders?
- Currently there is no control regarding who can call their organization an ISAO or an ISAC. A prospective member considering joining an ISAO would not have any way to know what that means in a given situation. If the ISAO was self-certified the prospective member would know that the organization at least claims to provide certain services and capabilities and there would be some consistency between ISAOs. If the ISAO was third-party certified then the prospective member would know even more and would have some level of confidence because of the certification that the ISAO is providing the stated services and capabilities.
Dr. White stated that the ISAO SO proposes to develop initial thoughts on a voluntary certification program that could address the above issues and to publish it in November for comments from the public. At the same time, the ISAO SO plans to explore other alternatives to establish trust in a timely manner for a growing ecosystem.
The initial thoughts on the voluntary certification program included a self-certification, a baseline certification, and certification of additional services and capabilities important to ISAOs. The baseline and additional certifications would be based on documents such as the ISAO 200-1 Foundational Services and Capabilities which was released for public comment on October 30, 2017.
It should be stressed that the intended certifications are to be voluntary. An organization wishing to become an ISAO does not need to either self-certify or have a third-party certification accomplished. There are a number of existing organizations that have already established trust relationships between themselves and the federal government who will probably not be interested in certifying their ISAO. An example of this would be the current members of the National Council of ISACs who have been meeting and working together for many years and who have an already well-established trusted relationship. This certification or some other mechanism is intended for new and emerging ISAOs who are facing the three issues as outlined above.
“We welcome thoughts and ideas on how to establish the trust needed by ISAOs and other members of the information sharing ecosystem, whether through a certification or some other means” stated Mr. Rick Lipsey, the Deputy Director of the ISAO SO. “We are expecting a lively discussion on this issue and welcome all suggestions,” he went on to say.
Dr. White proposed that the ISAO SO will conduct any third-party certifications until such time as the standards for the criteria and certification process has been validated. At that point, the ISAO SO would accredit other organizations to perform third-party certifications. The accreditation would ensure consistency between certifications issued by third-party certification authorities.
