FAQs

DHS states: “America’s cyber adversaries move with speed and stealth. To keep pace, all types of organizations, including those beyond traditional critical infrastructure sectors, need to be able to share and respond to cyber risk in as close to real-time as possible. Organizations engaged in information sharing related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. However, many companies have found it challenging to develop effective information sharing organizations—or Information Sharing and Analysis Organizations (ISAOs). In response, President Obama issued the 2015 Executive Order 13691 directing the Department of Homeland Security (DHS) to encourage the development of ISAOs.” Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, directs DHS to:

• Develop a more efficient means for granting clearances to private sector individuals who are members of an ISAO via a designated critical infrastructure protection program;
• Engage in continuous, collaborative, and inclusive coordination with ISAOs via the DHS National Cybersecurity and Communications Integration Center (NCCIC), which coordinates cybersecurity information sharing and analysis amongst the Federal Government and private sector partners; and
• Select, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization. This ISAO Standards Organization will identify a set of voluntary standards or guidelines for the creation and functioning of ISAOs.

Key Goals Through public open-ended engagements, the ISAO Standards Organization will develop transparent best practices that align with the needs of all industry groups, not just those traditionally represented by ISACs. Although formation and operations standards must still be developed via open-ended public engagement run by the Standards Organization, the ISAO standards are intended to be:

• Voluntary – participation in and the formation of ISAOs is not mandatory. Rather, it is meant to be completely optional and voluntary.
• Transparent – through a collaborative and transparent process, public and private sector entities will have the opportunity to provide input on the developing standards.
• Inclusive – participants from any sector, non-profit or for-profit, expert or novice, should be able to participate in or form their own ISAO.
• Actionable – participants will receive a useful and practical set of voluntary standards and best practices to utilize as a guide if they choose to participate in or form an ISAO.
• Flexible – any affinity of interest should be able to form ISAOs. Standards are not intended to be prescriptive as to prevent ISAO formation or harming the current processes of existing information sharing organizations.

EO 13691 compliments ongoing DHS information sharing efforts such as the Cyber Information Sharing and Collaboration Program (CISCP), DHS’s flagship program for public-private information sharing. In CISCP, DHS and participating companies share information about cyber threats, incidents, and vulnerabilities. Information shared via CISCP allows all participants to better secure their own networks and helps support the shared security of CISCP partners. Further, CISCP provides a collaborative environment where analysts learn from each other to better understand emerging cybersecurity risks and effective defenses.

The following is from the National Council of ISACs: “Information Sharing and Analysis Centers (ISACs) help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency.” The concept of ISACs was introduced and promulgated pursuant to Presidential Decision Directive-63 (PDD-63), signed May 22, 1998, after which the federal government asked each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilities. Some ISACs formed as early as 1999, and most have been in existence for at least ten years. ISACs are trusted entities established by critical infrastructure owners and operators to foster information sharing and best practices about physical and cyber threats and mitigation. Typically nonprofit organizations, ISACs reach deep into their sectors, communicating critical information far and wide and maintaining sector-wide situational awareness. Most ISACs have 24/7 threat warning and incident reporting capabilities, and may also set the threat level for their sectors. And many ISACs have a track record of responding to and sharing actionable and relevant information more quickly than government partners.

Information Sharing and Analysis Centers (ISACs) were created in 1998 under Presidential Decision Directive-63 (PDD-63) to advance the security of designated critical infrastructure sectors – those sectors deemed vital to the well-being of a nation. Information Sharing and Analysis Organizations (ISAOs), first defined in the Homeland Security Act of 2002 are entities or organizations, public or private, formal or informal, non-profit or for-profit that voluntarily form to share information with each other and are not necessarily tied to critical infrastructure sectors. While the community of faith is an important group for the nation and the government, working closely with government at all levels and with neighboring critical infrastructure in many communities, it is not one of the designated critical infrastructure sectors. As such, we have adopted the broader term, ISAO, to respect the unique mission and role of the critical infrastructure community and their respective ISACs.

FB-ISAO works with organizations across the community of faith to provide and share all-hazards information, analysis, operational coordination, preparedness, and other capabilities – combined with member collaboration and expertise – to help members reduce their risk while enhancing security and resilience. This includes member forums, reports, activities, and liaison to the broader information sharing community including critical infrastructure information sharing and analysis centers (ISACs), other trusted information sharing communities, and government partners at all levels.

FB-ISAO is open to US citizens that work at faith-focused facilities and organizations (such as churches, temples, mosques, and the organizations and associations that collaborate with those facilities), as well as partner charities and non-profits, and supply chain partners that may not be explicitly focused on the community of faith. FB-ISAO reserves the right to deny membership to organizations that are assessed as advocating violence or hatred.

Due to the trusted relationships we have with our government partners and information sharing restrictions, we will only allow US citizens to join member groups and access FB-ISAO and partner reports. Some information, when appropriately marked, may be further distributed.

Being a member of FB-ISAO can extend the scope and capabilities of your organization’s security and risk management activities and help bolster threat and risk awareness, preparedness capabilities and help connect you to organizations and insights that may not be readily available to individual organizations, particularly smaller faith-based organizations with limited staff. FB-ISAO is a “force multiplier.” Our adversaries – extremists of all stripes, cyber criminals, and others – share their tactics, techniques, and procedures to outsmart and out-maneuver us individually. Together, as we share information and cyber threat intelligence across the community, we decrease attackers’ chances of success.

FB-ISAO has three membership programs that were formulated after discussion with our Board Of Advisors. For more information on membership program benefits and price structure click here.

As with most ISACs and ISAOs, FB-ISAO is a non-profit organization sustained by membership dues. We do not receive any government funding. FB-ISAO offers a variety of value-added services, that are time and resource intensive. These value-added services focus on providing pertinent and timely information and analysis, much of which is not available to the general public, to our members.

To become an FB-ISAO member, an organization must:

• Complete a Membership Agreement. This includes FB-ISAO’s review of the organization to ensure it meets the profile of an FB-ISAO member;
• Provide FB-ISAO with designated individual(s) contact information for access credentials, and;
• Process a membership payment.

At that point, full membership is activated. This process can be completed in weeks depending on the organization’s internal processes. A typical on-boarding period is approximately 60 days from initiation of membership to receipt of user credentials.

Your organization will be granted security credentials for FB-ISAO. FB-ISAO staff will coordinate and conduct a new member on-boarding orientation meeting with your organization’s team to ensure a comprehensive understanding of FB-ISAO member services.

No. Information may be shared from FB-ISAO with government partners and organizations but only with the submitting organization’s explicit approval, under the agreed to Traffic Light Protocol (see below) designation and with or without member attribution, as desired by the member.

TLP is a commonly used best practice. The US Department of Homeland Security notes that TLP “was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience.” Most ISACs and many international organizations use a TLP to quickly articulate information sharing permissions. More general information can be found here.

Members can share on a real-time basis and then take that information, intelligence, and analysis and use it in their environments to prevent, protect against, mitigate, respond to, and recover from the cyber, physical, health, and natural threats and hazards that pose the greatest risk. Extremists and cyber threat actors share information. To counter their efforts and enhance our own security, preparedness, and resilience, we do too!

If you have additional questions, please contact our team.