An Information Sharing and Analysis Organization (ISAO) is a voluntary, collaborative entity that collects, analyzes, and disseminates cybersecurity threat information among its members and with government partners. ISAOs were formally encouraged by U.S. Executive Order 13691, signed by President Barack Obama in February 2015, which directed the Department of Homeland Security (DHS) to promote the development of ISAOs and to designate a non-governmental Standards Organization to guide their formation.
ISAOs were created to broaden the existing sector-specific ISAC (Information Sharing and Analysis Center) model, which had been established under Presidential Decision Directive 63 in 1998 and focused on critical infrastructure sectors such as finance, energy, and water. Unlike ISACs, ISAOs are not tied to a specific critical infrastructure sector—they can be organized around any community of interest, including geographic regions, affinity groups, supply chains, or emerging technology areas. This flexibility was intended to bring smaller firms, non-profits, and local governments into the threat-sharing ecosystem.
The ISAO Standards Organization (ISAO SO), hosted by the University of Texas at San Antonio, was selected by DHS in 2015 to publish voluntary guidelines covering governance, privacy protections, analytic methodologies, and information-sharing mechanics. ISAOs typically exchange indicators of compromise, tactics, techniques, and procedures (TTPs), and vulnerability data, often using standards such as STIX and TAXII.
ISAOs interact with the federal government primarily through the Cybersecurity and Infrastructure Security Agency (CISA), including via its Automated Indicator Sharing (AIS) program. Liability protections and privacy safeguards for participants were strengthened by the Cybersecurity Information Sharing Act of 2015 (CISA 2015), which encourages private-to-private and private-to-government sharing of cyber threat indicators.
For policy researchers and MUN delegates, ISAOs illustrate the U.S. preference for voluntary, public-private cybersecurity collaboration over prescriptive regulation, and they offer a contrast to more centralized European models such as those coordinated by ENISA.
Example
In 2016, the Global Resilience Federation helped stand up several ISAOs to extend threat sharing beyond traditional critical-infrastructure ISACs to legal services and manufacturing communities.
Frequently asked questions
ISACs are organized around designated critical infrastructure sectors (e.g., finance, energy), while ISAOs can form around any community of interest, including geography, supply chains, or smaller industries not covered by an ISAC.
Keep learning