Frequently Asked Questions – ISAO Standards Organization

Frequently Asked Questions

1. What is an ISAO?

An ISAO is any group of individuals or organizations established for purposes of collecting, analyzing and disseminating cyber or relevant information in order to prevent, detect, mitigate, and recover from risks, events or incidents against the confidentiality, integrity, availability and reliability of information and systems.

According to the Critical Infrastructure Information Act of 2002 and Executive Order 13691 – Promoting Private Sector Cyber Security Information Sharing, the term “Information Sharing and Analysis Organization,” or ISAO, means any entity or collaboration created or employed by public- or private-sector organizations, for purposes of—

  1. gathering and analyzing critical cyber and related information in order to better understand security problems and inter-dependencies related to cyber systems, so as to ensure their availability, integrity, and reliability;
  2. communicating or disclosing critical cyber and related information to help prevent, detect, mitigate, or recover from the effects of an interference, compromise or incapacitation problem related to cyber systems; and
  3. voluntarily disseminating critical cyber and related information to its members; federal, state and local governments; or any other entities that may be of assistance in carrying out the purposes specified above.

2. Why form an ISAO, and who should form one?

The cyber threat is one of the most serious economic and national security challenges we face as a Nation. Organizations engaged in sharing information related to cybersecurity risks and incidents play an invaluable role in our collective cybersecurity. Accordingly, private companies, nonprofit organizations, federal and local agencies, and other entities or interested individuals must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.

Several critical infrastructure sectors have dramatically improved their cybersecurity posture by creating and operating Information Sharing and Analysis Centers. However, numerous communities of interest within our broader national cyber ecosystem do not have the benefit of this type of collaborative support. These communities of interest can and should be defined by the community itself, and may include, for example, small and medium-sized businesses, industry groups, and communities or municipalities. ISAOs may be organized on the basis of sector, sub-sector, region, or any other relationship, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or may consist of a combination of public- and private-sector organizations. ISAOs may be formed as for-profit or nonprofit entities.

3. What is the role of the ISAO Standards Organization?

The mission of the ISAO Standards Organization is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices. Our vision is a more secure and resilient Nation that is connected, informed, and empowered.

The organization engages in an open, public dialogue to develop voluntary standards and guidelines for the formation and functioning of ISAOs. These standards address, but are not limited to, contractual agreements, business processes, operating procedures, technical specifications, and privacy protections. We will build on best practices and lessons learned from existing information sharing and analysis centers and other information sharing organizations. Given our global relationships and dependencies, we will also consider relevant voluntary international standards and practices. We are developing a consensus standards development process that leverages industry, government, and academic expertise through working groups. We also advise organizations on effectively creating and operating ISAOs. In addition, the Standards Organization will collect and publish metrics reflecting the effectiveness of cybersecurity information sharing.

4. What is the role of the federal government in developing these standards and documents?

The ISAO Standards Organization is a non-governmental organization working with the private sector in the public interest. We work with existing information-sharing organizations; owners and operators of critical infrastructure; relevant federal, state, local, and tribal agencies; and other public- and private-sector stakeholders, through a consensus standards development process to identify a common set of voluntary standards and guidelines for creating and operating ISAOs. The federal government is an important partner in developing effective ISAO standards and guidelines, but does not control or direct standards development.

5. When will the standards and other documents be produced?

The ISAO Standards Organization was established in October 2015. Using significant public input, more than 100 experts from various industry sectors, government agencies and academia established working groups to develop 13 documents that provide voluntary guidelines and processes that will help interested parties establish effective ISAOs. Currently, there are no new documents under development.

6. What is the standards development process, and how do I provide comments on draft documents?

The ISAO Standards Organization leads an open and consensus-based development process when guidelines are in development. As the organization or its working groups prepare documents, the public will be given an opportunity to comment through a portal on ISAO.org. Since there are no documents currently in development or open for comment, this feature is not available on the website.

7. Where will the standards or documents be posted, and how do I find out about them?

Once documents are approved for release, they will be posted in the Published Products section of the isao.org website. If you are interested in being notified as documents are published, please contact us using our Contact page.

8. Do I have to wait until the standards and other documents are created before forming an ISAO?

No. Communities of interest can begin sharing cyber information and join the broader information sharing effort as it develops. For more information or assistance, please contact the ISAO Standards Organization through our Contact page.

9. How can I participate?

Public input is very important to the development of ISAO standards. To get involved, you can

  • provide feedback on future ISAO standards and guidelines when documents are under development;
  • fill out the contact form on ISAO.org and let the ISAO Standards Organization know you’re interested in joining a working group when an opportunity comes up;
  • visit the Contact page to share comments or questions for the ISAO Standards Organization.

10. How can I join a working group?

Working group participation is open to anyone with an interest in and commitment to improving the nation’s cybersecurity posture through effective information sharing and analysis. Visit the Contact page and let the ISAO SO know you’d like to be considered for the next working group.

11. Where can I go for assistance and more information?

Whether you want to create an ISAO, to find out more about them, to read about previous or upcoming meetings, or to get involved, visit our website at www.isao.org. We also encourage you to send your comments or requests for assistance to us through the Contact page of this website.