On February 13, 2015, President Obama signed Executive Order 13691 (EO). This Executive Order was intended to promote the formation of Information Sharing and Analysis Organizations (ISAOs). In accordance with the ISAO EO, DHS entered into a cooperative agreement with a non-governmental Standards Organization (SO). Under this Cooperative Agreement, the ISAO SO works with existing information sharing organizations, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders to identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs.
It has been one year since Mike Echols, then a Department of Homeland Security Director, stood up the ISAO SO, and there has been great progress to date. Since its official standup, the ISAO SO has conducted, in partnership with DHS, public meetings and webinars to assure an open and transparent voluntary standards development process. However, the rumor mills have been buzzing with concerns surrounding who can and cannot join and form an ISAO and the constraints that may be placed on existing and forming ISAOs.
The International Association of Certified ISAOs (IACI) passionately stands behind the concept and the spirit of Executive Order 13691. It was written to encourage and enable all communities of interest to form or join an information sharing and analysis organization to better protect themselves from cyber exploits. ISAOs may be formed on the basis of sector, sub-sector, region, or any other affinity of interest or community of trust. ISAOs may also be formed as for-profit or not-for-profit entities. Although each model presents its own pros and cons, there is no preference or favor by DHS or IACI.
Aside from enabling various communities of interest, it is extremely important to mention that the goal is for the voluntary standards to serve as an enabler to ISAOs as organizations. IACI sees the ISAO voluntary standards as a method of building trust between an ISAO and its stakeholders, and between one ISAO and another. An organization that adopts the ISAO voluntary standards makes it clear to stakeholders and other ISAOs that it has the mechanisms in place to assure a baseline level of privacy and security, for example.