Wednesday, May 11, 2016

DHS Publishes Draft ISAO Documents

Today the Department of Homeland Security published a request for comments in the Federal Register (81 FR 29289-29290) for a series of draft documents published by the Information Sharing and Analysis Organization (ISAO) Standards Organization (SO). The ISAO SO was established by EO 13691 to aid in the establishment of industry ISAOs.

The Documents

The ISAO SO has published a draft of nine documents that are intended to help standardize the establishment and operation of cybersecurity ISAOs. These documents include:


The links provided above go to a landing page for the particular documents. That page includes a link to the actual .PDF draft documents. For people that are not registered with the ISAO (very simple, minimal information registration), the page also provides a link to submit comments about that particular document on-line. For ISAO SO registered personnel, the page includes a direct method of submitting comments on-line.

Cybersecurity-Related Information Sharing Guidelines

I am not going to do a detailed review of any of these documents in this post, but I will use what I consider (from my point of view) to be the core document to look at what these documents generally look like and what the ISAO SO is trying to accomplish with this request for information.

The document starts out with a typical executive summary. Included in this draft is an interesting section entitled ‘Note to Reviewers’. This is a comment from the crafters of the document explaining how the document is organized and listing a general overview of comments that the crafters are looking for on the presentation of the information and the level of detail included in the presentation. Needless to say, this section will not be included in the final document.

The next section of the document is ‘Objectives’. This helps to explain both the objective of the document and the ISAO with regard to the topic. It is made clear that the document is not prescriptive but conceptual and is meant to illustrate options.

We then get into the meat of the document. In this case it includes sections on:

• Supporting cybersecurity risk and incident management;
• ISAO information sharing value proposition and policies;
• Categories of information an ISAO may want to share;
• Collection, dissemination and analysis—functional decomposition;
• Applying shared information; and
• Architectural considerations.

Crafters of the document include additional ‘Note to Reviewers’ sections within the document. Again this is done to clarify editorial decisions and to request specific feedback from commenters.

Public Comments

DHS and the ISAO SO are requesting public feedback on this series of draft documents. As I noted earlier, each document landing page includes provisions for submission of comments on-line from that landing page. For more general comments about the program or the need for additional documents, commenters may use the Federal eRulemaking Portal (Docket # DHS-2015-0017). Comments should be submitted by June 17th, 2016.

