[OpenID board] FYI: Executive Order -- Promoting Private Sector Cybersecurity Information Sharing

Nat Sakimura sakimura at gmail.com
Tue Feb 24 15:16:42 UTC 2015

Somewhat timely, since a group of companies has just applied for the creation
of the Abuse and Account Takeover Coordination (AATOC) Working Group.

*Sec. 3. ISAO (Information Sharing and Analysis Organization) Standards
Organization*. (a) The Secretary, in consultation with other Federal
entities responsible for conducting cybersecurity and related activities,
shall, through an open and competitive process, enter into an agreement
with a nongovernmental organization to serve as the ISAO Standards
Organization (SO), which shall identify a common set of voluntary standards
or guidelines for the creation and functioning of ISAOs under this order.
The standards shall further the goal of creating robust information sharing
related to cybersecurity risks and incidents with ISAOs and among ISAOs to
create deeper and broader networks of information sharing nationally, and
to foster the development and adoption of automated mechanisms for the
sharing of information. The standards will address the baseline
capabilities that ISAOs under this order should possess and be able to
demonstrate. These standards shall address, but not be limited to,
contractual agreements, business processes, operating procedures, technical
means, and privacy protections, such as minimization, for ISAO operation
and ISAO member participation.

(b) To be selected, the SO must demonstrate the ability to engage and work
across the broad community of organizations engaged in sharing information
related to cybersecurity risks and incidents, including ISAOs, and
associations and private companies engaged in information sharing in
support of their customers.

(c) The agreement referenced in section 3(a) shall require that the SO
engage in an open public review and comment process for the development of
the standards referenced above, soliciting the viewpoints of existing
entities engaged in sharing information related to cybersecurity risks and
incidents, owners and operators of critical infrastructure, relevant
agencies, and other public and private sector stakeholders.

(d) The Secretary shall support the development of these standards and, in
carrying out the requirements set forth in this section, shall consult with
the Office of Management and Budget, the National Institute of Standards
and Technology in the Department of Commerce, Department of Justice, the
Information Security Oversight Office in the National Archives and Records
Administration, the Office of the Director of National Intelligence,
Sector-Specific Agencies, and other interested Federal entities. All
standards shall be consistent with voluntary international standards when
such international standards will advance the objectives of this order, and
shall meet the requirements of the National Technology Transfer and
Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as

Nat Sakimura (=nat)
Chairman, OpenID Foundation