The Department of Homeland Security (DHS) has announced a public meeting on May 18-19, 2016 to “discuss and debate Voluntary Standards for Information Sharing and Analysis Organizations (ISAOs) as they relate to” Executive Order 13691 (EO 13691).  See 81 Fed. Reg. 23506.  This meeting follows the recent passage of the Cybersecurity Act of 2015, which offers liability protections in Title 1 of the Act for the voluntary sharing of cyber threat information and “defensive measures” among federal and non-federal entities.  These liability protections may help with the expansion of ISAOs.

EO 13691 requires the Secretary of DHS to “strongly encourage” the development of ISAOs. The purpose of these ISAOs is to facilitate the voluntary sharing of information to allow for collaboration and response to cyber incidents “in as close to real time as possible.”  EO 13691 at § 1.  These ISAOs are intended to be broader than the Information Sharing and Analysis Centers (ISACs) that have developed on a sector-specific basis.  Indeed, the White House Fact Sheet on EO 13691 recognizes that an ISAO also could be an individual company sharing information with customers or partners.

DHS recently awarded a grant to the ISAO Standards Organization to help develop the standards that will apply to ISAOs. These standards are intended to facilitate automated sharing and will represent “baseline capabilities” for ISAOs in the areas of contractual agreements, operating procedures, technical means of sharing, and privacy protections.  EO 13691 at Sec. 3(a).  In developing these standards, the ISAO Standards Organization is required to solicit public input from organizations already engaged in information sharing, critical infrastructure owners and operators, agencies, and other stakeholders. See EO 13691 at Sec. 3(c).  The standards that are developed also should be consistent with voluntary international standards that would advance the objectives of the EO. See EO 13691 at Sec. 3(d).

The ISAO Standards Organization has formed six key working groups to spearhead the process of drafting ISAO standards. The first draft of these standards are expected in June 2016.  The Federal Register Notice indicates that that the following questions will be addressed in these draft standards:

  • What needs to be considered by a newly-forming ISAO and what are the first steps?
  • What capabilities might an ISAO provide?
  • What types of information will be shared and what are some mechanisms for doing so?
  • What security and privacy is needed for a newly-forming ISAO?
  • What mentoring support is available for newly-forming ISAOs?
  • What government programs and services are available to assist ISAOs?
  • What concerns do regulators and law enforcement have about the new ISAO construct?

The ISAO Standards Group will consider input on the voluntary standards in a number of ways:  (1) in person at the May 19th public meeting; (2) by email to ISAO@lmi.org; (3) through the federal rulemaking portal at http://www.regulations.gov, and/or (4) through hard copy mail to the ISAO Standards Organization, c/o LMI, 1777 NE Loop 410, Suite 808, San Antonio, TX  78217-5217. The Federal Register notice states that comments must be submitted to the online docket or received by the ISAO Standards Organization by November 4, 2015.  Presumably that date should be 2016.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.