For background on this requirement, please refer to the 2015 Presidential Executive Order -- Promoting Private Sector Cybersecurity Information Sharing: https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari

On February 13, 2015, President Obama signed Executive Order (EO) 13691, which is intended to enable and facilitate “private companies, nonprofit organizations, and executive departments and agencies … to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.” As specified in the Quadrennial Homeland Security Review, this program addresses one of the five basic missions of DHS, “Safeguard and Secure Cyberspace.” In furtherance of this mission, this program is intended to strengthen the security and resilience of critical infrastructure, advance incident response and reporting capabilities, and, overall, strengthen the cybersecurity ecosystem through enhanced cybersecurity information sharing and the maturation of information sharing and analysis organizations.

The EO addresses several concerns the private sector has raised:
• If a company wants to join an Information Sharing and Analysis Center (ISAC) or other information sharing organization, how does it readily assess the capabilities and effectiveness of that organization, both to provide valuable information and to be a trustworthy steward of the information the company provides to it? Lacking consistent baseline standards or evaluation criteria for ISAOs, companies may incur significant transaction costs that serve as a barrier to joining ISACs or other information sharing organizations.
• How can companies share information if they do not fit neatly into the sector-based structure of the existing ISACs?
• If a group of companies wants to start an information sharing organization, what model should they follow? What are the best practices for such an organization?

To this end, the EO directs the Secretary of Homeland Security to:
• Encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs), and
• Enter into an agreement with a nongovernmental organization (standards organization) to identify a common set of voluntary standards for the creation and functioning of ISAOs.

The standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate if they self-certify as an ISAO.

To fulfill this requirement DHS will select a standards organization (SO) through an open and competitive process and enter into a cooperative agreement.
The SO will create standards to assist in the widespread establishment of ISAOs and the mechanisms by which they function and interact with the government and across the private sector.
The establishment of ISAOs will allow private sector companies and other entities to share cyber threat information with each other on a voluntary basis and, if they so choose, to participate in DHS information sharing programs even if they do not fit into an existing critical infrastructure sector.
As an example, ISAOs will accommodate entities who want to collaborate with others in their region rather than with others in their sector.
ISAOs will, if they so choose, have the opportunity to participate in existing DHS cybersecurity information sharing programs, including the opportunity to contribute to near-real-time sharing of cyber threat indicators within those programs.

Under the cooperative agreement, that SO will be responsible for developing voluntary standards and guidelines for the creation and functioning of ISAOs, as contemplated under the EO.
ISAOs will then self-certify to the standards identified and developed by the SO.
The EO states:
The standards shall further the goal of creating robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information.
The standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate.
These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.

As the EO envisaged a standards-setting process led by the private sector, DHS will move into the role of assisting the SO to assure:
1. The SO is developing a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order.
2. All standards are consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Technology Transfer and Advancement Act of 1995.
3. The SO engages in an open, public review and comment process for the development of the referenced standards, soliciting the viewpoints of existing entities engaged in sharing information related to cybersecurity risks and incidents, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders.