Attending DHS Information Sharing and Analysis Organization (ISAO) Workshop
Tomorrow (June 9), I’m attending the Department of Homeland Security (DHS) Information Sharing and Analysis Organization (ISAO) Workshop. Federally-encouraged “ISAOs” are intended to augment or replace the existing “ISACs”. ISACs are “centers” organized by industry sectors (e.g. finance, research and education, health) to coordinate sharing of threat indicators and other security-related data among member organizations.
Background: On February 13, 2015, President Obama signed Executive Order (EO) 13691, which is intended to enable and facilitate “private companies, nonprofit organizations, and executive departments and agencies … to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.” The EO went on to note that feedback from industry suggests the sector-based ISAC model is too limited, and it should be possible to form other kinds of federally-mandated or supported sharing groups based on regional or other affiliations.
In the EO, DHS was directed to issue a Request for Proposal (RFP) for a private sector entity to establish a standards organization (SO) to define information sharing models to be used by ISAOs. On May 7, the DHS announced it would hold the June 9 ISAO Workshop to solicit input from industry. In the meantime, DHS has already issued the RFP for Standards Organizations and plans to make an award in August.
Given my long interest in security data sharing and participation in the Industrial Control System ISAC (ICS-ISAC), I decided to go to Boston myself. After this event, I hope to follow up with more detailed links and analysis.
Meanwhile, to whet your interest, here are a few nuggets:
The ISAO Workshop will be structured into three parallel tracks. The topics include: Forming ISAOs, Analysis, and Automated Threat Indicator Sharing.
The Agenda for the workshop stimulates discussion by asking a number of questions. Most of them are fairly obvious to those familiar with the subject, but these are the most intriguing:
- How should the baseline capabilities specified by the SO relate to an organization’s recognition as an ISAO? Who should recognize it?
- What process should be used to determine if current Information Sharing and Analysis Centers (ISACs) meet the ISAO Standards once they are developed?
- Could there be specialized roles for ISAOs, or even SOs as Information Consumer, Information Producer, Information Capability Provider, Information Broker?
- Can ISAOs submit cyber threat indicators containing PII and PCII to DHS?