Standards group releases guidelines on cyber information sharing


The non-governmental Information Sharing and Analysis Organization Standards Organization has released an initial set of guidelines to promote private-sector cybersecurity information sharing.

ISAOs are the non-critical infrastructure version of Information Sharing and Analysis Centers, and were established under Executive Order 13691.  That directive, issued in February 2015, states:

"Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis."

Though voluntary, EO 13691 does call for the Department of Homeland Security to "strongly encourage the development and formation of [ISAOs]."

According to the executive order, "ISAOs may be organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities." They can also be public sector, private sector or a mix, and can be either for-profit or nonprofit entities.

ISAOs are designed to complement DHS' existing information sharing programs. The National Cybersecurity and Communications Integration Center is tasked with coordinating with ISAOs that wish to voluntarily share information.

The ISAO SO brought together members of industry, government and academia who spent months preparing the initial guidelines. 

The four resulting documents, the organization said, are designed to be informational and not prescriptive. They generally pose questions for prospective ISAO members to consider before forming an ISAO.

For example:

  • How will the ISAO improve the cybersecurity position of the sharing partners and members of the ISAO? What information sharing problems will the ISAO solve?
  • What goals does the ISAO intend to achieve?
  • What is the ISAO's vision?
  • What is the ISAO planning to do differently from other ISAOs?

"The purpose of these efforts is ultimately to improve the ability of organizations to, as outlined in the EO, 'detect, investigate, prevent, and respond to cyber threats' while protecting the privacy and civil liberties of citizens," the guidelines state.

In addition to focusing on the structure, mission and membership of ISAOs, the guidelines also stress the importance of developing trust mechanisms to encourage effective information sharing.

"An ISAO can only function when a certain level of trust exists between its members, between the members and the ISAO, and between the ISAO and its partners," the guidelines state.

The larger question is trust between ISAOs and DHS. So far, efforts by the department to encourage the sharing of cyber threat and breach data with the government have met with a lukewarm response from private entities.

The guidelines issued by the ISAO SO represent another evolutionary step in what has been a long process of trying to develop information sharing systems and mechanisms. The ISAO SO also stressed that establishing an ISAO is an iterative process.

"The guidelines presented in this document are intended to assist in this process by raising the most critical strategic and operational factors for consideration," the guidelines state.  "ISAOs are encouraged to periodically reevaluate these guidelines as they evolve."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

