The Federal Register has the original solicitation where DHS is requesting public comments regarding Information Sharing and Analysis Organizations:

On February 13, 2015, President Obama signed Executive Order 13691 intended to enable and facilitate “private companies, nonprofit organizations, and executive departments and agencies . . . to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible.” The order addresses two concerns the private sector has raised:

  • How can companies share information if they do not fit neatly into the sector-based structure of the existing Information Sharing and Analysis Centers (ISACs)?
  • If a group of companies wants to start an information sharing organization, what model should they follow? What are the best practices for such an organization?

ISAOs may allow organizations to robustly participate in DHS information sharing programs even if they do not fit into an existing critical infrastructure sector, seek to collaborate with other companies in different ways (regionally, for example), or lack sufficient resources to share directly with the government. ISAOs may participate in existing DHS cybersecurity information sharing programs and contribute to near-real-time sharing of cyber threat indicators.

This effort is in support of President Obama’s recent Executive Order 13691, with the goal of creating a public/private industry/government information sharing partnership. The only way to fight malicious attackers is to share threat data.

Hopefully the government comes to its senses and refrains from classifying every last little iota of cyber threat information it touches. Like a young child who can reach the cookie jar when Mom isn’t looking, sadly, I doubt the US government will keep the data unclassified.

PR Newswire on the Defense Security Information Exchange finally being formalized and named the Defense Industrial Base Information Sharing And Analysis Organization:

Following President Obama’s signature of Executive Order 13961 on cyber intelligence sharing, the Defense Security Information Exchange (DSIE) has officially incorporated as the Defense Industrial Base Information Sharing and Analysis Organization, the nation’s first organization named as an Information Sharing and Analysis Organization (ISAO) since the release of the Executive Order.

The DSIE, which has been operating since 2008 as an industrial working group of the National Defense Industrial Association (NDIA), is now a formal 501(c)(6) legal entity, and has appointed Carlos Kizzee as the organization’s new executive director.

Executive Order 13961 was enacted to encourage the voluntary formation of organizations to partner together and with the federal government to share information related to cybersecurity risks, enabling them to collaborate and respond to vulnerabilities in a timely manner. The executive order mandates that information sharing must be conducted in such a way that individual privacy and business confidentiality interests will be protected.

It will be interesting to see how the ISAO is both used by industry and leveraged by the government. I do not expect anything substantial to happen short-term, but long-term may prove quite different.