Loading...
AG 17-1962/2017 I1 RETURN TO: Thomas Fichtner EXT: 2547 CITY OF FEDERAL WAY LAW DEPARTMENT ROUTING FORM 1. ORIGINATING 2. ORIGINATING 4. TYPE ❑ CONTRACTOR ❑ PUBLIC ❑ PROFESSIONAL El GOODS ❑ REAL ❑ ORDINANCE ❑ CONTRACT A OTHER 5. PROJECT 6. NAME ADDRESS: E SIGNATURE 7. EXHIBITS OTHER 8. TERM: 9. TOTAL (IF REIMBURSABLE IS SALES RETAINAGE: ❑ PURCHASING: 10. DOCUMENT ❑ PROJECT ❑ DIRECTOR ❑ RISK ❑ LAW 11. COUNCIL 12. CONTRACT ❑ SENT ❑ ATTACH: ❑ CREATE ❑ LAW 12cSIGNATORY ❑ CITY ❑ ASSIGNEDAG# ❑ SIGNED COMMENTS: DEPT./DIV: Information Technology STAFF PERSON: Thomas Fichtner EXT: 2547 3. DATE REQ. BY: ASAP OF DOCUMENT (CHECK ONE): SELECTION DOCUMENT (E.G., RFB, RFP, RFQ) WORKS CONTRACT ❑ SMALL OR LIMITED PUBLIC WORKS CONTRACT SERVICE AGREEMENT ❑ MAINTENANCE AGREEMENT AND SERVICE AGREEMENT ❑ HUMAN SERVICES / CDBG ESTATE DOCUMENT ❑ SECURITY DOCUMENT (E.G. BOND RELATED DOCUMENTS) ❑ RESOLUTION AMENDMENT (AG #): ❑ INTERLOCAL Member Agreement NAME: MS -ISAC Member Joining Agreement OF CONTRACTOR: Center for Internet Security, Multi -State ISAC Division 31 Tech Valley Drive, East Greenbush, NY 12061 TELEPHONE 518 - 266 -3460 -MAIL: contact @cisecurity.org FAX: 518 - 283 -3216 NAME: John M. Gilligan TITLE MS -ISAC Chair AND ATTACHMENTS: ❑ SCOPE, WORK OR SERVICES ❑ COMPENSATION ❑ INSURANCE REQUIREMENTS /CERTIFICATE ❑ ALL REFERENCED EXHIBITS ❑ PROOF OF AUTHORITY TO SIGN ❑ REQUIRED LICENSES ❑ PRIOR CONTRACT /AMENDMENTS COMMENCEMENT DATE: Upon Execution COMPLETION DATE: Perpetual COMPENSATION $ N/A (INCLUDE EXPENSES AND SALES TAX, IF ANY) CALCULATED ON HOURLY LABOR CHARGE - ATTACH SCHEDULES OF EMPLOYEES TITLES AND HOLIDAY RATES) EXPENSE: ❑ YES ❑ NO IF YES, MAXIMUM DOLLAR AMOUNT: $ TAX OWED ❑ YES ❑ NO IF YES, $ PAID BY: ❑ CONTRACTOR ❑ CITY RETAINAGE AMOUNT: ❑ RETAINAGE BY (SEE CONTRACT) OR ❑ RETAINAGE BOND PROVIDED PLEASE CHARGE TO: /CONTRACT REVIEW INITIAL / DATE REVIEWED INITIAL / DATE APPROVED MANAGER MANAGEMENT (IF APPLICABLE) t 41/5-111- APPROVAL (IF APPLICABLE) COMMITTEE APPROVAL DATE: COUNCIL APPROVAL DATE: SIGNATURE ROUTING �( TO VENDOR/CONTRACTOR DATE SENT: �G af'l� DATE RECD: lo/S SIGNATURE AUTHORITY, INSURANCE CERTIFICATE, LICENSES, EXHIBITS ELECTRONIC REMINDER/NOTIFICATION FOR 1 MONTH PRIOR TO EXPIRATION DATE (Include dept. support staff if necessary and feel free to set notification more than a month in advance if council approval is needed.) INITIAL / DATE SIGNED DEPARTMENT (MAYOR OR DIRECTOR) 1� iL CLERK /j% 0I 0 IOW . r , = AI /7 —rnel . d COPY RETURNED DATE SENT: 01-02-2018 -fr 2/2017 CENTER FOR INTERNET SECURITY MULTI -STATE ISAC Member Agreement This Agreement ( "Agreement ") is made between the City of Federal Way, WA and the Multi -State Information Sharing and Analysis Center of the United States (MS- ISAC), a division of the Center for Internet Security. The MS -ISAC will enable information sharing, analysis, gathering and distribution in a secure manner using facilities and methods designed to permit individual Members to submit information about security threats, vulnerabilities, incidents, and solutions securely. Only MS -ISAC members have access to review and retrieve this information. When submitting information to the MS -ISAC, Primary Custodians will identify information to the MS -ISAC in the following categories: Category A: information that is provided only to the MS -ISAC and will not be shared with the MS -ISAC members or others except as authorized by the Primary Custodian. Category A information also consists of any non- categorized information provided to the MS- ISAC and /or pre - cleansed category B information. Category B: information which is shared with the MS- ISAC and in consultation with the Primary Custodian is cleansed by the MS -ISAC of all identifying information and then, consistent with applicable laws, will be shared only with MS -ISAC members, or the Department of Homeland Security consistent with paragraph six (6). Category C: information which is shared with the MS- ISAC and does not need to be cleansed and may be shared within the MS -ISAC and outside the MS -ISAC as appropriate. MS -ISAC members acknowledge that Primary Custodian has certain cyber and/or critical infrastructure information and material that is exempt from disclosure to the public or other unauthorized persons under federal or state laws including the Homeland Security Act of 2002 (6 U.S.C. § 133). MS- ISAC members may provide access to this information and material in order to facilitate interstate communication regarding cyber and/or critical infrastructure readiness and response efforts. These efforts include, but are not limited to, disseminating early warnings of physical and cyber system threats, sharing security incident information between U.S. states, territories, the District of Columbia, tribal Multi -State ISAC I of 3 nations and local governments, providing trends and other analysis for security planning, and distributing current proven security practices and suggestions. As a participating member of the MS -ISAC, Primary Custodian agrees that when sharing this information with MS -ISAC members it will do so through the MS- ISAC in accordance with the categories established in this document. MS -ISAC members agree to the terms and conditions contained in this Agreement. NOW THEREFORE, in consideration of the above promises recited herein, the parties agree to the following: Definitions: 1. Primary Custodian — the entity that developed or owns the Data. Each collection of Data (database, file, etc.) shall have a single Primary Custodian. 2. MS -ISAC members —the members (U.S. states, territories, the District of Columbia, tribal nations and local governments) who may be in possession or use of Data acquired from the Primary Custodian or from the MS -ISAC. Purpose: 3. MS -ISAC members acknowledge that the protection of Category A information is essential to the security of Primary Custodian and the mission of the MS -ISAC. The purpose of this Agreement is to enable Primary Custodian to make disclosures of Category A information to MS -ISAC while still maintaining rights in, and control over, Category A information. The purpose is also to preserve confidentiality of the Category A information and to prevent its unauthorized disclosure. It is understood that this Agreement does not grant MS- ISAC or members an express or implied license or an option on a license, or any other rights to or interests in the Category A information, or otherwise. If Primary Custodian retracts any information it sent to the MS -ISAC, then, upon notification by the Primary Custodian, the MS- ISAC will destroy such information and all copies thereof, and notify MS -ISAC members to destroy the information. If an MS -ISAC member is unable to destroy the information based on applicable law, then the member will continue to maintain the confidentiality of the information consistent with Member Agreement 1/1/2012 this agreement. Upon receiving such notification, MS ISAC members will destroy such information and all copies thereof MS -ISAC and Member Duties: 4. MS -ISAC and members who are authorized by the Primary Custodian to receive Category A information shall, and shall cause their contractors, subcontractors, agents or any other entities acting on their behalf (hereinafter referred to as the "Affiliates ") to: (a) copy, reproduce or use Category A information only for the purposes of the MS -ISAC mission and not for any other purpose unless specifically authorized to do so in writing by Primary Custodian; and (b) not permit any person to use or disclose the Category A information for any purpose other than those expressly authorized by this Agreement; and (c) implement physical, electronic and managerial safeguards to prevent unauthorized access to or use of Category A information. Such restrictions will be at least as stringent as those applied by the MS -ISAC and /or members to their own most valuable and confidential information. MS -ISAC agrees to promptly notify Primary Custodian of any unauthorized release of Category A information. 5. MS -ISAC and members will not remove, obscure or alter any notice of patent, copyright, trade secret or other proprietary right from any Category A information without the prior written authorization of Primary Custodian. Multi -State ISAC Duties: 6. The MS -ISAC and members may share with the Department of Homeland Security (DHS) pursuant to 6 U.S.C. § 133, Category A, B, and C information, unless the Primary Custodian has designated in writing that the information in question cannot be shared with our federal partners. All other information is voluntarily submitted and may be shared with the Federal Government with expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002. Multi -State ISAC 2 of 3 7. If any third party makes a demand for any Category A or B information, the MS -ISAC or member shall immediately forward such request to the Primary Custodian and consult and cooperate with the Primary Custodian and will make reasonable efforts, consistent with applicable law to protect the confidentiality of the information. Primary Custodian will, as needed, have the opportunity to seek judicial or other appropriate avenues of redress to prevent any release. 8. In non- emergency situations, as part of its multi- state communication sharing efforts, the MS -ISAC may prepare written reports. For such reports, the Primary Custodian shall be provided a period of time to review such reports, papers, or other writings and has the right to edit out its Category A information, correct factual inaccuracies, make recommendations and comments to the content of the report, and append comments to the final version of the report. The MS -ISAC members and Primary Custodian agree to work together in good faith to reach mutually agreed upon language for the report. If the parties are unable to reach agreement on an issue, Primary Custodian has the right to edit out its Category A information. General Terms: 9. Should any court of competent jurisdiction consider any provision of this Agreement to be invalid, illegal, or unenforceable, such provisions shall be considered severed from this Agreement. All other provisions, rights, and obligations shall continue without regard to the severed provision(s). 10. The term of the Agreement shall continue so long as Primary Custodian remains a member of the MS -ISAC, and paragraph 3 the obligations of confidentiality as provided herein shall survive the expiration of this Agreement. 11. This Agreement will be construed and enforced in all respects in accordance with United States (U.S.) federal law or other applicable laws as addressed herein. 12. This Agreement contains the entire understanding between the parties with respect to the proprietary information described herein and supersedes all prior understandings whether written or oral. Any modification, amendment, assignment or waiver of the terms of this Agreement shall require the written approval of the authorized representative of each party. Member Agreement 1/1/2012 The foregoing has been agreed to and accepted by the authorized representatives of each party whose signatures appear below: AGREED BY: Primary Custodian: 164‘7 7 Center for Internet Security Multi -State ISAC Division r /'Ti ol Amt*Cs MS -ISAC Chair Print or Type Mtnne Tide Multi -State 1SAC 3of3 /6/y1 Member Agreement 1/112012 Information Sharing & Analysis CenterTM The Multi -State Information Sharing and Analysis Center (MS -ISAC) is a voluntary and collaborative effort designated by the Department of Homeland Security as the key resource for cyber threat prevention, protection, response and recovery for the nation's State, Local, Tribal and Territorial governments. Multi -State Information Sharing and Analysis Center 31 Tech Valley Drive East Greenbush, NY 12061 info @msisac.org soc @msisac.org 518- 266 -3460 Table of Contents: MS -ISAC Overview MS -ISAC Membership Overview MS -ISAC Member Responsibilities The MS -ISAC Security Operations Center Reporting an Incident Network Monitoring and Analysis Services Malicious Code Analysis Platform (MCAP) Vulnerability Management Program (VMP) Cyber Threat Informational & Analytical Products MS -ISAC Member Initiatives & Collaborative Resources MS -ISAC Workgroups Nationwide Cyber Security Review Cybersecurity Education Fee -Based Services for SLTT Entities Security Benchmarks Membership Overview 10 11 12 14 16 17 18 The Multi -State Information Sharing and Analysis Center (MS -ISAC) What We Offer The MS -ISAC provides real -time network monitoring, threat analysis, and early warning notifications through our 24x7 cybersecurity operations center. We perform incident response and remediation through our team of security experts. We continually develop and distribute strategic, tactical and operational intelligence to provide timely, actionable information to our members. Who We Serve CISOs, CIOs, and other security professionals from: • U.S. State, Local, Tribal and Territorial Governments • U.S. State /Territory Homeland Security Advisors • State and Local Government Fusion Centers and Local Law Enforcement Entities The U.S. Department of Homeland Security has designated the MS -ISAC as its key cybersecurity resource for State, Local, Tribal and Territorial governments, including chief information security officers, homeland security advisors and fusion centers. The MS -ISAC conducts training sessions and webinars across a broad array of cybersecurity related topics. We provide cybersecurity resources for the public, including daily tips, monthly newsletters, guides and more. How We Do Business • We cultivate a collaborative environment for information sharing. • We focus on readiness and response, especially where the cyber and physical domains meet. • We facilitate partnerships between the public and private sectors. • We focus on excellence to develop industry- leading, cost - effective cybersecurity resources. • Collectively we achieve much more than we can individually. "All services performed by the MS -ISAC were not only prompt, but professional and efficient. Communication was handled very well, and the report was fantastic." - MS -ISAC Member Page 4 of 20 MS -ISAC Membership Overview The Multi -State Information Sharing and Analysis Center (MS- ISAC), is part of the nonprofit Center for Internet Security (CIS). The MS -ISAC is a voluntary community focused on improving cybersecurity for State, Local, Tribal and Territorial (SLTT) governments. The MS -ISAC started in 2004. Since then, we have built and nurtured an environment of collaboration and information sharing. The U.S. Department of Homeland Security (DHS) has designated the MS -ISAC as its key cybersecurity resource for State, Local Tribal and Territorial governments, including chief information security officers, homeland security advisors and fusion centers. There is no cost to join the MS -ISAC, and membership is open to all SLTT government entities. The only requirement is the completion of a membership agreement, which outlines member's responsibilities to protect information that is shared. MS -ISAC Member Responsibilities In order to maintain the MS- ISAC's trusted, collaborative environment, each member understands that the following principles of conduct will guide their actions. Each member agrees to: • share appropriate information between and among the members to the greatest extent possible; • recognize the sensitivity and confidentiality of the information shared and received; • take all necessary steps to protect confidential information; • transmit sensitive data to other members only through the use of agreed -upon secure methods; and • take all appropriate steps to help protect our critical infrastructure. Members are also asked to share their public- facing IP ranges and domain space with the MS -ISAC to facilitate efficient and effective discovery and notification of system compromises. "We so appreciate all that you have done to help! I can't tell you how much it helped to know that you were with us through this (incident)." - MS -ISAC Member "I can honestly say that your organization has made an immediate impact in our overall security readiness. Thank you." - MS -ISAC Member Page 5 of 20 The MS -ISAC Security Operations Center What is the MS -ISAC SOC? The MS -ISAC operates the Security Operations Center (SOC), a 24x7 joint security operations and analytical unit that monitors, analyzes and responds to cyber incidents targeting U.S. State, Local, Tribal, and Territorial (SLTT) government entities. Core Services of the MS -ISAC SOC: The SOC provides real -time network monitoring, early cyber threat warnings and advisories, and vulnerability identification and mitigation. The MS -ISAC SOC Core Services: • Cyber Vulnerability & Threat Research: Analysts monitor federal government, third party, and open sources to identify, analyze and then distribute pertinent information. • Compromised System Notifications: Provided to members in the event of a potential compromise identified based on the MS- ISAC's unique awareness of the threat landscape. • Cyber Security Exercises: The MS -ISAC participates in federally sponsored cyber security exercises and acts as a voice for SLTT governments in planning meetings. • Monitoring Services: We currently provide monitoring services for 6o+ SLIT government entities through a variety of security devices. (See pages 8 & 17) • Soltra Edge: Soltra Edge is a platform that utilizes STIX and TAXII in order to automate cybersecurity threat intelligence sharing. Leveraging these standards enables users to send and receive threat information from machine to machine. We currently maintain an Internet facing instance of Soltra Edge available to our MS -ISAC members. • Fee Based Services: The MS -ISAC offers a variety of fee based services for SLTT government entities to take advantage of. (See pages 17 -19) Additional Services Include: The Computer Emergency Response Team (CERT) provides malware analysis, computer and network forensics, malicious code analysis, and mitigation recommendations. The Intel Analysis unit takes known information about situations and entities and makes forward- leaning assessments regarding the cyber trends, actors, tactics, techniques, and procedures (TTPs). The Partner Liaison group includes MS -ISAC employees located at the National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, V.A. The NCCIC is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement. "We appreciated the time the MS -ISAC CERT provided to us to validate our findings and provide valuable insight on opportunities for future improvement. The states are very blessed to have access to the talents of the MS -ISAC CERT in times of crisis." - MS -ISAC Member Page 6 of 20 Reporting an Incident and Requesting Assistance Members are encouraged to report incidents, even if they are not requesting direct assistance, to improve situational awareness to benefit all members. Types of incidents to report include the following: • Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent • Compromised password(s) • Execution of malware, such as viruses, trojans, worms or botnet activity • Defacement of a government web page • Disruption or attempted denial of service (DoS) • Unauthorized access to information • Unauthorized use of a system for transmitting, processing or storing data • Unauthorized use of system privileges To report an incident, please contact the MS -ISAC SOC for 24x7 assistance: Phone: 1- 866 -787 -4722 Email: soc(&msisac.org If the incident you are reporting requires direct assistance, the Computer Emergency Response Team (CERT), a unit comprised of highly trained staff, are able to assist you with a cybersecurity incident at no cost. Our incident response experts can assist with the following: • Emergency conference calls • Forensic analysis • Log analysis • Mitigation recommendations • Reverse engineering • Verbal report 24 hours following the reported incident • Written report 1 week following the close of the incident "I will continue to leverage this expert and valuable service as long as it exists. The MS -ISAC CERT was once again very efficient and provided a robust root cause analysis in a timely fashion." - MS -ISAC Member "Thank you for providing this invaluable service!" - MS -ISAC Member Page 7 of 20 Network Monitoring and Analysis Services The MS -ISAC offers a network monitoring service known as Albert. The Albert service consists of an IDS sensor placed on an organization's network — typically inside the perimeter firewall and Internet connection —that collects network data and sends it to the MS -ISAC for analysis. Based on the MS- ISAC's vast repository of indicators of compromise, we are able to identify malicious activity and alert the organization. This service is committed to building and maintaining the most comprehensive set of detection rules and signatures impacting SLTT entities. Why is the Albert Service Unique? • Government- specific focus and tailoring to SLTT governments' cybersecurity needs • Correlation of data from multiple public and private partners; • Historical log analysis performed on all logs collected for specific threats reported by partners and /or trusted third parties. • When a major new threat is identified, the MS -ISAC will search logs for prior activity. (Traditional monitoring services only alert going forward, from the date a signature is in place. There is no "look behind" to assess what activity may have already occurred.) • Statistical analysis of traffic patterns to areas of the world known for being major cyber threats. If abnormal traffic patterns are detected, analysts review the traffic to determine the cause, looking for malicious traffic that is not detected by signatures. • Signatures from forensic analysis of hundreds of SLTT cyber incidents are added to the signature repository. • Integration of research on threats specific to SLTTs, including nation -state attacks. • MS -ISAC staff are deployed at the National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, VA. This staffing structure facilitates valuable real -time information sharing with federal partners and critical infrastructure sectors. • Experienced cybersecurity analysts review each cybersecurity event, which results in minimizing the number of false - positive notifications. This system allows first responders to focus on actionable events. • Availability of an Incident Response Team for forensic and malware analysis which is part of the no cost MS -ISAC membership. • Cost effective solution that is significantly less expensive than the purchase and maintenance of a typical commercial IDS /IPS solution. (See Page 17) In addition to the Albert monitoring service, we also have the ability to monitor traditional network security devices such as firewalls, IDS /IPS, web proxies, and host based intrusion detection devices. This monitoring is accomplished with our Managed Security Services (MSS) offering in partnership with a third party provider. All events generated by MSS are evaluated by our SOC analysts and escalated to the affected entity. (See Page 17) Page 8 of 20 Malicious Code Analysis Platform The Malicious Code Analysis Platform (MCAP) is a web -based service that enables members to submit suspicious files, including executables, dlls, documents, quarantine files and archives for analysis in a controlled and non - public fashion. Additionally, the platform enables users to perform threat analysis based on domain, IP address, URL, HASH, and various IOCs. This platform allows users to obtain the results from analysis, behavioral characteristics and additional detailed information that enables them to remediate the incident in a timely manner. This communication with our members provides the MS -ISAC with the situational awareness needed to assess the malware threat characteristics facing our SLTT government entities on a national level. This platform is available to all members free of charge. To register for an account, send an email to mcap @msisac.org using the following format: Subject Line: "MCAP - Account Request" -Body for the Email: • First Name • Last Name • Name of State, Local, Tribal or Territorial government entity • Email Address (must be affiliated with an MS -ISAC member) Vulnerability Management Program The Vulnerability Management Program alerts our membership on a monthly basis about out of date software that could potentially be a threat to your assets. A scripted GET request is sent to each of the over 24,000 SLTT domains we maintain to pull data on versioning information related to each domain. What Data Are We Collecting? • Server Type and Version (IIS, Apache, Nginx, etc.) • Web Programming Language and Version (PHP, ASP, etc.) • Content Management System and Version (WordPress, Joomla, Drupal, etc.) Following the analysis and review of the information returned, data will be broken out into two categories: vulnerable and not vulnerable systems. If the system is located in the `vulnerable' file, an associated portion of that system is not up to date. Conversely, if the system is located in the `not vulnerable file, the system's patch level is up to date. Systems identified as vulnerable include the CVE score and a link to the CVE. Members should use this monthly notification to conduct further internal analysis to ensure that Internet facing systems are patched and running the most up to date software. For questions regarding the domains that the MS -ISAC has on file for your organization, please contact infoamsisac.org. Domain listings can be edited at any point in time during your membership. Page 9 of 20 Cyber Threat Informational & Analytical Products • Cyber Advisories: Cyber Advisories are short and timely emails containing technical information regarding vulnerabilities in software. • Cyber Alerts: Cyber Alerts are extremely short and timely non - technical emails containing information on a specific cyber incident or threat. • Cyber Intel Advisories: Cyber Intel Advisories provide detailed information and warning notices with limited analysis. Recipients are invited to attach their own seals/ shields and republish the document as a joint shield paper. • Cyber Threat Briefings: The MS -ISAC SOC provides cyber threat briefings based on our expertise of the cyber threat landscape and incidents targeting SLTT governments. • Desk References: Desk references provide in -depth information and intelligence analysis on specific topics, such as active hacktivist groups and the most common malware, frauds and scams. • Intel Bytes: Intel Bytes are brief analytical summaries on timely local or world events or significant threats, and provide analytical intelligence. • Intel Papers: Intel Papers provide in -depth analysis and detailed information regarding the background, history, tools, techniques, and /or procedures on a particular topic. They provide our members with a deeper level of understanding. • Joint Papers: The MS -ISAC coordinates with federal and SLTT governments, fusion centers and other agencies to produce joint analytical papers on a variety of topics. • HSA Update: A newsletter produced for the National Governors Association Governors Homeland Security Advisory Council that summarizes and provides analysis on recent news articles. Members may attach their own seals /shields and redistribute the newsletter as a joint shield paper. • Security Primers: Security Primers are a one -page summary that recommend the best response to a specific scenario. The Primers increase security awareness and encourage secure behavior. • Seminars: MS -ISAC Seminars are monthly meetings that provide training on a variety of topics. Continuing Professional Education (CPE) credit is available upon request. • Monthly Situational Awareness Report (SAR): This highlights the MS- ISAC's previous month's activities and statistics related to incident response, network monitoring and general information gathering. • White Papers: The SOC produces white papers to explain technical topics of interest to members and partners. • Weekly Attacking IPs and Domains: Weekly reports are provided highlighting malicious IPs and domains attacking SLTT networks over the past seven days. "It was very helpful to have the MS -ISAC to turn to at this difficult time. They were extremely helpful every step of the project." - MS -ISAC Member Page 10 of 20 MS -ISAC Member Initiatives & Collaborative Resources MS -ISAC membership enables entities to participate with their peers across the country, sharing knowledge, building relationships, and improving cybersecurity readiness and response. • Annual In- Person Meeting: Each year, the MS -ISAC hosts an annual multi-day event bringing all members together, along with the federal government and other partners. We focus on action- oriented deliverables that are most important to the members. The meeting is open to all MS -ISAC members interested in attending. There is no registration fee for this event. • Emergency Conference Calls: Members have access to conference calls to brief all members on major incidents or emerging events. • ESP Tool: The CIS Enumeration and Scanning Program (CIS -ESP) is an application built to be deployed in an enterprise Windows environment to assist in the collection of data to determine if a compromise has occurred. The information collected will enhance understanding the scope of an incident and identify active host -based threats on a computer network. The application works by enumerating and polling systems within an Active Directory environment by way of Windows Management Instruction (VMI) queries. This process is used entirely for data collection and no modifications are made to the systems being scanned. • Members -Only Secure Portal: The MS -ISAC has a compartment on the US- CERT portal which allows our membership a secure and confidential platform for sharing information. The portal includes the MS -ISAC cyber alert level map —a visual representation of current cyber status of each state, updated on a monthly basis; and a library of policies, guides, recorded webcasts, and many additional member resources. • Monthly Threat Briefing: One -hour webcast briefings that provide members with updates on the threat landscape, status of national initiatives impacting them, and relevant news from members; DHS has a standing agenda item on each call. • Monthly Vendor Patch Release Calls: Technical discussions regarding patches and updates. • Security Benchmarks: Consensus -based security configuration PDF guides that help to improve your cyber security posture. • Workgroups: focused working committees to share ideas, generate recommendations and produce deliverables to support the MS -ISAC and member - related programs. (See pages 12 -13) • Membership Discounts • Security Benchmarks Membership: MS -ISAC members can receive discounts off of a Security Benchmarks Membership, leveraging over loo configuration benchmarks covering more than 14 technology groups, and can use CIS -CAT to assess an unlimited number of assets for a single upfront cost. • CIS -CAT: MS -ISAC members have access to a free trial of CIS -CAT, a Configuration Assessment Tool, containing 6o+ CIS Benchmarks. (See Pages 18 & 19) • Trusted Purchasing Alliance (TPA): The TPA works with organizations in the public and private sectors to provide cost - effective, high - quality cybersecurity solutions for our nation's SLTT governments and non -profit entities. Page 11 of 20 MS -ISAC Workgroups These workgroups are voluntary committees focused on specific initiatives and deliverables in support of the MS -ISAC mission. Who can participate in a workgroup? Any member from any State, Local, Tribal or Territorial (SLTT) government. What do the workgroups do? They serve a significant role in the creation and implementation of MS -ISAC initiatives. These workgroups are also a tremendous opportunity to collaborate with your peers across the country. They identify current issues facing SLTT governments and help determine the future course of addressing cybersecurity challenges. They have been responsible for: • authoring the Nationwide Cyber Security Review question set and analyzing the results; • participating in the development and execution of cyber security exercises; • increasing participation in National Cyber Security Awareness Month activities; and • creating important membership materials. How much time will I need to commit? • Level of commitment varies by group. • Groups generally meet by phone monthly and in person annually. • Extent of involvement is completely your choice. How do I join a workgroup? Send an email to info(msisac.org with "Workgroup Request" in the subject line, and include the following: • Name • Workgroup of interest • Entity /Agency Name • Email and telephone number Share your expertise by joining a Workgroup today! Page 12 of 20 Current Workgroups: Business Continuity, Recovery, and Cyber Exercise Focuses on the processes, tools, and best practices related to public sector business continuity and recovery—not only of technology assets, but also recovery of the entire organization, including people, locations, and communications. Cyber Security Metrics Focuses on recommending and implementing methodologies to help SLIT entities with cyber security metrics and compliance inventory, assessment, and audit of their cyber security assets. This workgroup works jointly with DHS, NASCIO and NACo to support the DHS Nationwide Cyber Security Review. Education and Awareness Focuses on implementing innovative strategies, improving existing programs, and promoting successful localized initiatives for national cybersecurity education, awareness, and training content to support the overall mission of the MS -ISAC. Intel and Analysis Focuses on promoting the development, understanding, and awareness of actionable intelligence and analysis. Mentoring Program Focuses on pairing new security leaders in management positions (such as Chief Information Security Officers and Chief Security Officers) with more experienced security leaders to enhance their skillsets and foster personal and professional growth. Page 13 of 20 Nationwide Cyber Security Review The Nationwide Cyber Security Review (NCSR) is a voluntary self - assessment survey to evaluate cybersecurity management. The Senate Appropriations Committee has requested an ongoing effort to chart nationwide progress in cybersecurity and identify emerging areas of concern. In response, the U.S. Department of Homeland Security (DHS) has partnered with the MS -ISAC, the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the NCSR. Who can participate? All States (and agencies), Local governments (and departments), and Tribal and Territorial governments. Advantages of Participation: • Free and voluntary self - assessment to evaluate your cybersecurity posture; • Customized reports to help you understand your cybersecurity maturity, including: * a detailed report of your responses along with recommendations to improve your organization's cybersecurity posture; * additional summary reports that gauge your cybersecurity measures against peers (using anonymized data); and * insight to help prioritize your effort to develop security controls. • Benchmark to gauge your own year -to -year progress; • Metrics to assist in cybersecurity investment justifications; and • Contribute to the nation's cyber risk assessment process. How does the Nationwide Cyber Security Review work? • Hosted on a secure portal • Based on the NIST Framework • Based on key milestone activities for information risk management • Closely aligned with security governance processes and maturity indexes embodied in accepted standards and best practices • Covers the core components of cybersecurity and privacy programs • Designed to be completed in about an hour When does the survey take place? The survey will be available from November to December each year. For more information and to register, visit: http: / /msisac.cisecurity.org /resources /ncsr Page 14 of 20 Survey The NCSR provides survey participants with instructions and guidance. Additional support is available, including supplemental documentation and the ability to contact the NCSR helpdesk directly from the survey. Once the NSCR is complete, participants will have immediate access to an individualized report measuring the level of adoption of security controls within their organization. This report includes recommendations on how to raise your organization's risk awareness. The MS -ISAC and DHS will aggregate all review data and share a high level summary with all participants. The names of participants and their organizations will not be identified in this report. This report is provided to Congress in alternate years (odd numbered years) to highlight cyber security gaps and capabilities among our State, Local, Territorial and Tribal Governments. Partners DHS is responsible for safeguarding our nation's critical infrastructure from physical and cyber threats that can affect national security, public safety, and economic prosperity. National Protection & Programs Directorate leads DHS's efforts to secure cyberspace and cyber infrastructure. For additional information, please visit www.dhs.gov /cyber. NASCIO's mission is to foster government excellence through quality business practices, information management, and technology policy. Founded in 1969, the National Association of State Chief Information Officers (NASCIO) is a nonprofit, 501(c)3 association representing state chief information officers and information technology executives and managers from the states, territories, and the District of Columbia. The primary state members are senior officials from state government who have executive -level and statewide responsibility for information technology leadership. State officials who are involved in agency level information technology management may participate as associate members. Representatives from federal, municipal, international government and non -profit organizations may also participate as members. Private- sector firms may join as corporate members and participate in the Corporate Leadership Council. The National Association of Counties (NACo) is the only national organization that represents county governments in the United States. Founded in 1935, NACo provides essential services to the nation's 3,069 counties. NACo advances issues with a unified voice before the federal government, improves the public's understanding of county government, assists counties in finding and sharing innovative solutions through education and research, and provides value -added services to save counties and taxpayers money. For more information about NACo, visit www.naco.org. Page 15 of 20 Cybersecurity Education We promote proactive education of cybersecurity. The MS -ISAC produces numerous communications to engage our members and help national efforts for better cybersecurity. Education and Awareness Materials • Daily Cyber Tips • Monthly Newsletters: These newsletters use non - technical language, and they can be rebranded to suit individual member needs. Newsletter topics include details on the most current threats and suggested best cybersecurity practices. • Bi- Monthly National Webcasts: These feature timely topics and experts from the public and private sector sharing insight on addressing cyber challenges. Cybersecurity Awareness Toolkit This Cyber Security Toolkit features educational materials designed to raise cybersecurity awareness. Digital and hard copy materials are distributed to members. Members are encouraged to brand these materials for their own organizations. Best of the Web Contest The MS -ISAC conducts an annual Best of the Web contest to recognize state and local governments who use their websites to promote cybersecurity. We review these cybersecurity websites for all 50 state governments and the many local governments that decide to participate. The judging is based upon several criteria including cybersecurity content, usability, accessibility, and appearance. The contest recognizes outstanding websites and highlights them as examples for others to consider when they are developing or redesigning their own sites. One overall winning website will be chosen in the state /territory category and one will be chosen in the local government category. The Best of the Web Contest kicks off in the beginning of October, which is National Cyber Security Awareness Month. The winners are announced at the end of the month. Poster Contest The MS -ISAC conducts an annual National K -12 Computer Safety Poster Contest to encourage young people to use the Internet safely. The contest encourages young people to create cybersecurity messages other kids will appreciate and apply to their own lives. The contest is open to all public, private or home - schooled students in kindergarten through twelfth grade. Winning entries of the National Poster Contest are what make up the next year's MS -ISAC Calendar, which is distributed to every MS -ISAC member as part of the cybersecurity toolkit. The MS -ISAC Poster Contest is launched at the beginning of Cyber Security Awareness Month, and submissions are due the following January. FedVTE The Federal Virtual Training Environment (FedVTE) is the Department of Homeland Security's online, on- demand training center. FedVTE provides government IT professionals with hands -on labs and training courses. For questions regarding education and awareness materials or participation in any of the items listed above, please contact infoPmsisac.org. Page 16 of 20 Fee Based Services for SLTT Entities Network Monitoring and Analysis Service (Albert) is a near real -time, 24x7 network monitoring and analysis service that identifies and alerts on traditional and advanced threats within an enterprise network. Pricing is based on Average Internet Utilization Size. A one -time initiation fee of $900 applies. • Up to 100 Mbps - $62o /Month • >100 Mbps - 1 Gbps - $940 /Month • >1 Gbps - $1,46o /Month Managed Security Services (MSS) is comprised of monitoring and /or management of security devices: • Security Event Analysis & Notifications 24x7 • Monitoring and Management services are available for the following security devices. • Firewall monitoring • Host -based Intrusion Detection System monitoring • IDS /IPS monitoring and management • Proxy monitoring Vulnerability Assessment Services can identify, prioritize and report critical vulnerabilities within the MS -ISAC network and web application assessments. • Network Assessment • Web Application Assessment, including manual analysis of reported vulnerabilities • Prioritization of vulnerability remediation • Customized reporting & vulnerability remediation support included • Payment Card Industry (PCI) compliance scanning available • Scheduled (Monthly, Quarterly, Yearly) services Web Application Assessment Annual Cost per Web App Scanned One Time Assessment Quarterly Assessments Monthly Assessments Monthly Assessments 1st Web App per Entity $1,025 $1,322 $1,918 Additional Web App per Entity $569 $867 $1,463 Network Assessment Annual Cost per Live IP Scanned Service Level Based on the Number of Live IPs Scanned per period per Reporting Entity One Time Assessment Quarterly Assessments Monthly Assessments 10 $88 $120 $189 16 -25 $67 $92 $151 26 -50 $55 $75 $128 51 -100 $44 $59 $105 101 -200 $26 $38 $77 201 -500 $22 $32 $65 501 -2,000 $19 $27 $53 Page 17 of 20 MS -ISAC Consulting Services (Statement of Work Required): • Social Engineering (Phishing Exercises) • External Network Penetration Testing • Web Application Penetration Testing • Comprehensive Security Review Membership Discounts Trusted Purchasing Alliance (TPA) The TPAserves SLTT governments and nonprofit entities in achieving a greater cybersecurity posture through trusted expert guidance and cost - effective procurement. The TPA builds public and private partnerships and works to enhance collaboration that improves the nation's cybersecurity posture. The TPA makes cybersecurity purchasing effective, easy and economical. Security Benchmarks Membership CIS is a leader in the development and distribution of consensus - based, internationally recognized best practices for assessing and improving cybersecurity for private industry, government and academia. CIS secure configuration benchmarks and automated assessment tools are used by hundreds of organizations worldwide and are accepted for compliance with many industry standards, including FISMA, PCI, and HIPAA. CIS Security Benchmarks members can leverage more than ioo CIS configuration benchmarks covering over 14 technology groups. These members can also use CIS -CAT to assess an unlimited number of assets for a single, upfront, fixed cost. How can CIS Benchmarks Membership and the member only resources benefit my organization? CIS offers affordable, industry- recognized solutions to help your organization save time and money by providing resources that: • Rapidly identify security vulnerabilities • Measure security performance against industry best practices • Satisfy compliance obligations http: / /benchmarks.cisecurity.org /compliance • Improve internal security policies and procedures by leveraging best - practice guidance • Assess system compliance with security requirements by using the CIS Configuration Assessment Tool (CIS -CAT) • Quickly implement benchmark guidance by using CIS remediation resources • Measure and report compliance over time per device, technology, or overall What are the benefits of Security Benchmarks membership? • The right to distribute the Security Benchmarks resources within your organization • Access to CIS -CAT ( See Page 19) • Access to the member only resources on the CIS Community Website, including: • Benchmarks in XML /XCCDF /OVAL format which facilitates automated configuration assessment • Automated remediation content (i.e., Group Policy Objects) • Tutorials and webcasts • Word /Excel versions of Benchmarks • Member only discussion areas Page 18 of 20 • Timely electronic notification of new and updated resources • Enhanced support from staff and developers • Visibility of your organization's commitment to Internet security through its inclusion on the CIS member list http : / /benchrnarks.cisecurity.org /members • Use of the CIS Security Benchmarks Membership Mark on your organization's website and documents For a complete list of benefits, see http : / /benchnrarks.cisecurity.org /membership Free trial of CIS -CAT A 14 -day trial of CIS -CAT is available to companies considering membership. To start your trial today, visit https: //benchrnarks .cisecurity.org /freetrial Security Benchmarks Membership allows the government entity the right to use and distribute the Security Benchmarks resources throughout their organizations to secure internal systems only. Membership fees are based on the total number of people employed at an organization. A detailed agency list is required at time of membership quote and /or enrollment. The annual fee and multi -year discount option schedule for SLTT governments is below. Contact us at info(a)msisac.org for more information. Security Benchmarks Membership Organization 1-Year 2 -Year 3 -Year Membership Cost Membership Cost Membership Cost Employee Range (no/ Savings) (30% Savings) (30% Savings) 250,000 or more $9,926 $ 19,852 $ 29,778 100,000 to 240.009 $9,191 $ 18,382 $ 27,573 50,000 to 00,909 $8,456 $ 16,912 $ 25,368 25,000 to 49.999 $7,721 $ 15,442 $ 23,163 10,000 to 24,099 $7,350 $ 14,700 $22,050 5.000 to 9,900 $6,986 $13,972 $2o,958 1,000 to 4.999 $6,615 $13,23o $19,845 Soo to 999 $4,781 $9,562 $14,343 250 to 409 $3,311 $6,622 $9,933 100 to 249 $2,394 $4,788 $7,182 50 to 90 $1,470 $2,940 $4,410 Up to 49 $924 $1,848 $2,772 Page 19 of 20