A research team led by the University of Texas at San Antonio has five years to develop standards for the Information Sharing and Analysis Organizations (ISAOs) under a $10 million contract awarded by the Department of Homeland Security. The team expects to have a set of usable standards well before the five years are up, but it will be at least two years before the ISAOs are ready for primetime.

The proposal from UTSA — which includes researchers from the Retail Cyber Intelligence Sharing Center (R-CISC) and Logistics Management Institute — set up the process in three phases.

The process will be long but getting wide stakeholder input is critical to success, according to Richard Lipsey, senior strategic cyber lead at LMI.

"With a diverse group of players — government, individuals and private businesses — there are conflicting concerns to be balanced," he said. "This is done through a voluntary consensus standards development process, where we promote discussion and move toward a goal of common security and privacy of business and individuals."

The team hopes to have usable draft standards published well before the end of the five-year contract, according to Gregory White, director of UTSA's Center for Infrastructure Assurance and Security, which will be leading the effort.

Lipsey said interested parties should start sharing information well before then, at least on a limited basis.

"The practical experience will not only help improve their security posture, it will make them better participants as we work collaboratively to establish ISAO standards," he said. "By going through exercises now, organizations can provide practical insights during the formal standards development process."

Similarly, DHS is encouraging organizations to begin the process of forming ISAOs while the standards are being finalized.

Going broader

As the final standards near completion, the third phase will include helping other organizations begin setting up their own ISAOs to encourage the sharing of threat data as widely as possible.

Depending on the ultimate standards, those third-party ISAOs could operate independently or as satellites of the DHS-managed effort.

"We need to be as inclusive as possible, which would mean that we should make sure that organizations can be independent, if that is their desire, or part of a larger partnership if they are willing," White said.

"Obviously for folks to be able to receive certain information the federal government would share with them, there may be some minimum requirements levied upon them before information is released," White explained. "At the same time, there may be entities that do not want to agree to the requirements from the federal government but who may still want to share what information they can. The ISAO standards should allow for both types of entities."

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
