AG 17-196 - Center for Internet Security, Multi-State ISAC Division
RETURN TO: Thomas Fichtner EXT: 2547
CITY OF FEDERAL WAY LAW DEPARTMENT ROUTING FORM
1. ORIGINATING DEPT./DIV: Information Technology
2. ORIGINATING STAFF PERSON: Thomas Fichtner EXT: 2547
3. DATE REQ. BY: ASAP
4. TYPE OF DOCUMENT (CHECK ONE):
❑ CONTRACTOR SELECTION DOCUMENT (E.G., RFB, RFP, RFQ)
❑ PUBLIC WORKS CONTRACT ❑ SMALL OR LIMITED PUBLIC WORKS CONTRACT
❑ PROFESSIONAL SERVICE AGREEMENT ❑ MAINTENANCE AGREEMENT
❑ GOODS AND SERVICE AGREEMENT ❑ HUMAN SERVICES / CDBG
❑ REAL ESTATE DOCUMENT ❑ SECURITY DOCUMENT (E.G. BOND RELATED DOCUMENTS)
❑ ORDINANCE ❑ RESOLUTION
❑ CONTRACT AMENDMENT (AG #): ❑ INTERLOCAL
OTHER: Member Agreement
5. PROJECT NAME: MS-ISAC Member Joining Agreement
6. NAME OF CONTRACTOR: Center for Internet Security, Multi-State ISAC Division
ADDRESS: 31 Tech Valley Drive, East Greenbush, NY 12061 TELEPHONE 518-266-3460
E-MAIL: contact@cisecurity.org FAX: 518-283-3216
SIGNATURE NAME: John M. Gilligan TITLE MS-ISAC Chair
7. EXHIBITS AND ATTACHMENTS: ❑ SCOPE, WORK OR SERVICES ❑ COMPENSATION ❑ INSURANCE REQUIREMENTS/CERTIFICATE ❑ ALL OTHER REFERENCED EXHIBITS ❑ PROOF OF AUTHORITY TO SIGN ❑ REQUIRED LICENSES ❑ PRIOR CONTRACT/AMENDMENTS
8. TERM: COMMENCEMENT DATE: Upon Execution COMPLETION DATE: Perpetual
9. TOTAL COMPENSATION $ N/A (INCLUDE EXPENSES AND SALES TAX, IF ANY)
(IF CALCULATED ON HOURLY LABOR CHARGE - ATTACH SCHEDULES OF EMPLOYEES TITLES AND HOLIDAY RATES)
REIMBURSABLE EXPENSE: ❑ YES ❑ NO IF YES, MAXIMUM DOLLAR AMOUNT: $
IS SALES TAX OWED ❑ YES ❑ NO IF YES, $ PAID BY: ❑ CONTRACTOR ❑ CITY
RETAINAGE: RETAINAGE AMOUNT: ❑ RETAINAGE BY (SEE CONTRACT) OR ❑ RETAINAGE BOND PROVIDED
❑ PURCHASING: PLEASE CHARGE TO:
10. DOCUMENT/CONTRACT REVIEW INITIAL / DATE REVIEWED INITIAL / DATE APPROVED
❑ PROJECT MANAGER
❑ DIRECTOR
❑ RISK MANAGEMENT (IF APPLICABLE)
❑ LAW
11. COUNCIL APPROVAL (IF APPLICABLE) COMMITTEE APPROVAL DATE: COUNCIL APPROVAL DATE:
12. CONTRACT SIGNATURE ROUTING
❑ SENT TO VENDOR/CONTRACTOR DATE SENT: DATE RECD:
❑ ATTACH: SIGNATURE AUTHORITY, INSURANCE CERTIFICATE, LICENSES, EXHIBITS
❑ CREATE ELECTRONIC REMINDER/NOTIFICATION FOR 1 MONTH PRIOR TO EXPIRATION DATE
(Include dept. support staff if necessary and feel free to set notification more than a month in advance if council approval is needed.)
INITIAL / DATE SIGNED
❑ LAW DEPARTMENT
❑ SIGNATORY (MAYOR OR DIRECTOR)
❑ CITY CLERK
❑ ASSIGNED AG#
❑ SIGNED COPY RETURNED DATE SENT: 01-02-2018
COMMENTS:
2/2017
CENTER FOR INTERNET SECURITY
MULTI-STATE ISAC
Member Agreement
This Agreement ("Agreement") is made between the
City of Federal Way, WA and the Multi-State
Information Sharing and Analysis Center of the United
States (MS-ISAC), a division of the Center for Internet
Security.
The MS-ISAC will enable information sharing,
analysis, gathering and distribution in a secure manner
using facilities and methods designed to permit
individual Members to submit information about
security threats, vulnerabilities, incidents, and solutions
securely. Only MS-ISAC members have access to
review and retrieve this information. When submitting
information to the MS-ISAC, Primary Custodians will
identify information to the MS-ISAC in the following
categories:
Category A: information that is provided only to the
MS-ISAC and will not be shared with the MS-ISAC
members or others except as authorized by the Primary
Custodian. Category A information also consists of
any non-categorized information provided to the
MS-ISAC and/or pre-cleansed category B information.
Category B: information which is shared with the
MS-ISAC and in consultation with the Primary Custodian is
cleansed by the MS-ISAC of all identifying information
and then, consistent with applicable laws, will be
shared only with MS-ISAC members, or the
Department of Homeland Security consistent with
paragraph six (6).
Category C: information which is shared with the
MS-ISAC and does not need to be cleansed and may be
shared within the MS-ISAC and outside the MS-ISAC
as appropriate.
MS-ISAC members acknowledge that Primary
Custodian has certain cyber and/or critical
infrastructure information and material that is exempt
from disclosure to the public or other unauthorized
persons under federal or state laws including the
Homeland Security Act of 2002 (6 U.S.C. § 133).
MS-ISAC members may provide access to this information
and material in order to facilitate interstate
communication regarding cyber and/or critical
infrastructure readiness and response efforts. These
efforts include, but are not limited to, disseminating
early warnings of physical and cyber system threats,
sharing security incident information between U.S.
states, territories, the District of Columbia, tribal
nations and local governments, providing trends and
other analysis for security planning, and distributing
current proven security practices and suggestions. As a
participating member of the MS-ISAC, Primary
Custodian agrees that when sharing this information
with MS-ISAC members it will do so through the
MS-ISAC in accordance with the categories established in
this document. MS-ISAC members agree to the terms
and conditions contained in this Agreement.
NOW THEREFORE, in consideration of the above
promises recited herein, the parties agree to the
following:
Definitions:
1. Primary Custodian — the entity that developed or
owns the Data. Each collection of Data (database,
file, etc.) shall have a single Primary Custodian.
2. MS-ISAC members — the members (U.S. states,
territories, the District of Columbia, tribal nations
and local governments) who may be in possession
or use of Data acquired from the Primary
Custodian or from the MS-ISAC.
Purpose:
3. MS-ISAC members acknowledge that the
protection of Category A information is essential to
the security of Primary Custodian and the mission
of the MS-ISAC. The purpose of this Agreement is
to enable Primary Custodian to make disclosures of
Category A information to MS-ISAC while still
maintaining rights in, and control over, Category A
information. The purpose is also to preserve
confidentiality of the Category A information and
to prevent its unauthorized disclosure. It is
understood that this Agreement does not grant
MS-ISAC or members an express or implied license or
an option on a license, or any other rights to or
interests in the Category A information, or
otherwise. If Primary Custodian retracts any
information it sent to the MS-ISAC, then, upon
notification by the Primary Custodian, the
MS-ISAC will destroy such information and all copies
thereof, and notify MS-ISAC members to destroy
the information. If an MS-ISAC member is unable
to destroy the information based on applicable law,
then the member will continue to maintain the
confidentiality of the information consistent with
this agreement. Upon receiving such notification,
MS-ISAC members will destroy such information
and all copies thereof.
Member Agreement 1/1/2012
MS-ISAC and Member Duties:
4. MS-ISAC and members who are authorized by the
Primary Custodian to receive Category A
information shall, and shall cause their contractors,
subcontractors, agents or any other entities acting
on their behalf (hereinafter referred to as the
"Affiliates") to:
(a) copy, reproduce or use Category A information
only for the purposes of the MS-ISAC mission
and not for any other purpose unless
specifically authorized to do so in writing by
Primary Custodian; and
(b) not permit any person to use or disclose the
Category A information for any purpose other
than those expressly authorized by this
Agreement; and
(c) implement physical, electronic and
managerial safeguards to prevent
unauthorized access to or use of Category A
information.
Such restrictions will be at least as stringent as
those applied by the MS-ISAC and/or members to
their own most valuable and confidential
information.
MS-ISAC agrees to promptly notify Primary
Custodian of any unauthorized release of Category
A information.
5. MS-ISAC and members will not remove, obscure
or alter any notice of patent, copyright, trade secret
or other proprietary right from any Category A
information without the prior written authorization
of Primary Custodian.
Multi-State ISAC Duties:
6. The MS-ISAC and members may share with the
Department of Homeland Security (DHS) pursuant
to 6 U.S.C. § 133, Category A, B, and C
information, unless the Primary Custodian has
designated in writing that the information in
question cannot be shared with our federal partners.
All other information is voluntarily submitted and
may be shared with the Federal Government with
expectation of protection from disclosure as
provided by the provisions of the Critical
Infrastructure Information Act of 2002.
7. If any third party makes a demand for any Category
A or B information, the MS-ISAC or member shall
immediately forward such request to the Primary
Custodian and consult and cooperate with the
Primary Custodian and will make reasonable
efforts, consistent with applicable law to protect the
confidentiality of the information. Primary
Custodian will, as needed, have the opportunity to
seek judicial or other appropriate avenues of
redress to prevent any release.
8. In non-emergency situations, as part of its
multi-state communication sharing efforts, the MS-ISAC
may prepare written reports. For such reports, the
Primary Custodian shall be provided a period of
time to review such reports, papers, or other
writings and has the right to edit out its Category A
information, correct factual inaccuracies, make
recommendations and comments to the content of
the report, and append comments to the final
version of the report. The MS-ISAC members and
Primary Custodian agree to work together in good
faith to reach mutually agreed upon language for
the report. If the parties are unable to reach
agreement on an issue, Primary Custodian has the
right to edit out its Category A information.
General Terms:
9. Should any court of competent jurisdiction
consider any provision of this Agreement to be
invalid, illegal, or unenforceable, such provisions
shall be considered severed from this Agreement.
All other provisions, rights, and obligations shall
continue without regard to the severed provision(s).
10. The term of the Agreement shall continue so long
as Primary Custodian remains a member of the
MS-ISAC, and paragraph 3 the obligations of
confidentiality as provided herein shall survive the
expiration of this Agreement.
11. This Agreement will be construed and enforced in
all respects in accordance with United States (U.S.)
federal law or other applicable laws as addressed
herein.
12. This Agreement contains the entire understanding
between the parties with respect to the proprietary
information described herein and supersedes all
prior understandings whether written or oral. Any
modification, amendment, assignment or waiver of
the terms of this Agreement shall require the
written approval of the authorized representative of
each party.
The foregoing has been agreed to and accepted by the authorized representatives of each party whose signatures
appear below:
AGREED BY:
Primary Custodian:
Center for Internet Security
Multi-State ISAC Division
MS-ISAC Chair
Print or Type Name / Title
Information Sharing
& Analysis Center™
The Multi-State Information Sharing and Analysis Center
(MS-ISAC) is a voluntary and collaborative effort designated by
the Department of Homeland Security as the key resource for cyber
threat prevention, protection, response and recovery for the nation's
State, Local, Tribal and Territorial governments.
Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive
East Greenbush, NY 12061
info@msisac.org
soc@msisac.org
518-266-3460
Table of Contents:
MS-ISAC Overview
MS-ISAC Membership Overview
MS-ISAC Member Responsibilities
The MS-ISAC Security Operations Center
Reporting an Incident
Network Monitoring and Analysis Services
Malicious Code Analysis Platform (MCAP)
Vulnerability Management Program (VMP)
Cyber Threat Informational & Analytical Products
MS-ISAC Member Initiatives & Collaborative Resources
MS-ISAC Workgroups
Nationwide Cyber Security Review
Cybersecurity Education
Fee-Based Services for SLTT Entities
Security Benchmarks Membership Overview
The Multi-State Information Sharing and
Analysis Center
(MS-ISAC)
What We Offer
The MS-ISAC provides real-time
network monitoring, threat analysis, and
early warning notifications through our 24x7
cybersecurity operations center.
We perform incident response and
remediation through our team of security
experts.
We continually develop and distribute
strategic, tactical and operational
intelligence to provide timely, actionable
information to our members.
Who We Serve
CISOs, CIOs, and other security
professionals from:
• U.S. State, Local, Tribal and
Territorial Governments
• U.S. State/Territory Homeland
Security Advisors
• State and Local Government Fusion
Centers and Local Law Enforcement
Entities
The U.S. Department of Homeland
Security has designated the MS-ISAC as its
key cybersecurity resource for State,
Local, Tribal and Territorial governments,
including chief information security officers,
homeland security advisors and fusion
centers.
The MS-ISAC conducts training sessions
and webinars across a broad array of
cybersecurity related topics.
We provide cybersecurity resources
for the public, including daily tips, monthly
newsletters, guides and more.
How We Do Business
• We cultivate a collaborative
environment for information
sharing.
• We focus on readiness and
response, especially where the cyber
and physical domains meet.
• We facilitate partnerships between
the public and private sectors.
• We focus on excellence to develop
industry-leading, cost-effective
cybersecurity resources.
• Collectively we achieve much
more than we can individually.
"All services performed by the MS-ISAC were not only prompt, but professional and
efficient. Communication was handled very well, and the report was fantastic."
- MS-ISAC Member
Page 4 of 20
MS-ISAC Membership Overview
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is part of the nonprofit
Center for Internet Security (CIS). The MS-ISAC is a voluntary community focused on
improving cybersecurity for State, Local, Tribal and Territorial (SLTT) governments. The
MS-ISAC started in 2004. Since then, we have built and nurtured an environment of
collaboration and information sharing. The U.S. Department of Homeland Security (DHS)
has designated the MS-ISAC as its key cybersecurity resource for State, Local, Tribal and
Territorial governments, including chief information security officers, homeland security
advisors and fusion centers.
There is no cost to join the MS-ISAC, and membership is open to all SLTT
government entities. The only requirement is the completion of a membership
agreement, which outlines members' responsibilities to protect information that is shared.
MS-ISAC Member Responsibilities
In order to maintain the MS-ISAC's trusted, collaborative environment, each member
understands that the following principles of conduct will guide their actions. Each member
agrees to:
• share appropriate information between and among the members to the greatest
extent possible;
• recognize the sensitivity and confidentiality of the information shared and received;
• take all necessary steps to protect confidential information;
• transmit sensitive data to other members only through the use of agreed-upon secure
methods; and
• take all appropriate steps to help protect our critical infrastructure.
Members are also asked to share their public-facing IP ranges and domain space
with the MS-ISAC to facilitate efficient and effective discovery and notification of system
compromises.
"We so appreciate all that you have done to help! I can't tell you how much it
helped to know that you were with us through this (incident)."
- MS-ISAC Member
"I can honestly say that your organization has made an immediate impact in
our overall security readiness. Thank you." - MS-ISAC Member
Page 5 of 20
The MS-ISAC Security Operations Center
What is the MS-ISAC SOC?
The MS-ISAC operates the Security Operations Center (SOC), a 24x7 joint security operations and
analytical unit that monitors, analyzes and responds to cyber incidents targeting U.S. State, Local,
Tribal, and Territorial (SLTT) government entities.
Core Services of the MS-ISAC SOC:
The SOC provides real-time network monitoring, early cyber threat warnings and advisories, and
vulnerability identification and mitigation.
The MS-ISAC SOC Core Services:
• Cyber Vulnerability & Threat Research: Analysts monitor federal government, third
party, and open sources to identify, analyze and then distribute pertinent information.
• Compromised System Notifications: Provided to members in the event of a potential
compromise identified based on the MS-ISAC's unique awareness of the threat landscape.
• Cyber Security Exercises: The MS-ISAC participates in federally sponsored cyber security
exercises and acts as a voice for SLTT governments in planning meetings.
• Monitoring Services: We currently provide monitoring services for 60+ SLTT government
entities through a variety of security devices. (See pages 8 & 17)
• Soltra Edge: Soltra Edge is a platform that utilizes STIX and TAXII in order to automate
cybersecurity threat intelligence sharing. Leveraging these standards enables users to send
and receive threat information from machine to machine. We currently maintain an
Internet-facing instance of Soltra Edge available to our MS-ISAC members.
• Fee Based Services: The MS-ISAC offers a variety of fee based services for SLTT
government entities to take advantage of. (See pages 17-19)
Additional Services Include:
The Computer Emergency Response Team (CERT) provides malware analysis, computer and
network forensics, malicious code analysis, and mitigation recommendations.
The Intel Analysis unit takes known information about situations and entities and makes
forward-leaning assessments regarding the cyber trends, actors, tactics, techniques, and procedures
(TTPs).
The Partner Liaison group includes MS-ISAC employees located at the National Cybersecurity
and Communications Integration Center (NCCIC) in Arlington, VA. The NCCIC is a 24x7 cyber
situational awareness, incident response, and management center that is a national nexus of cyber
and communications integration for the Federal Government, intelligence community, and law
enforcement.
"We appreciated the time the MS-ISAC CERT provided to us to validate our
findings and provide valuable insight on opportunities for future improvement.
The states are very blessed to have access to the talents of the MS-ISAC CERT in
times of crisis." - MS-ISAC Member
Page 6 of 20
Reporting an Incident and
Requesting Assistance
Members are encouraged to report incidents, even if they are not requesting direct
assistance, to improve situational awareness to benefit all members. Types of incidents to
report include the following:
• Changes to system hardware, firmware, or software characteristics without the
owner's knowledge, instruction, or consent
• Compromised password(s)
• Execution of malware, such as viruses, trojans, worms or botnet activity
• Defacement of a government web page
• Disruption or attempted denial of service (DoS)
• Unauthorized access to information
• Unauthorized use of a system for transmitting, processing or storing data
• Unauthorized use of system privileges
To report an incident, please contact the MS-ISAC SOC for 24x7 assistance:
Phone: 1-866-787-4722
Email: soc@msisac.org
If the incident you are reporting requires direct assistance, the Computer Emergency
Response Team (CERT), a unit comprised of highly trained staff, is able to assist you with a
cybersecurity incident at no cost.
Our incident response experts can assist with the following:
• Emergency conference calls
• Forensic analysis
• Log analysis
• Mitigation recommendations
• Reverse engineering
• Verbal report 24 hours following the reported incident
• Written report 1 week following the close of the incident
"I will continue to leverage this expert and valuable service as long as it exists.
The MS-ISAC CERT was once again very efficient and provided a robust root
cause analysis in a timely fashion." - MS-ISAC Member
"Thank you for providing this invaluable service!"
- MS-ISAC Member
Page 7 of 20
Network Monitoring and Analysis Services
The MS-ISAC offers a network monitoring service known as Albert. The Albert service consists
of an IDS sensor placed on an organization's network — typically inside the perimeter firewall and
Internet connection — that collects network data and sends it to the MS-ISAC for analysis. Based
on the MS-ISAC's vast repository of indicators of compromise, we are able to identify malicious
activity and alert the organization.
This service is committed to building and maintaining the most comprehensive set of detection
rules and signatures impacting SLTT entities.
Why is the Albert Service Unique?
• Government-specific focus and tailoring to SLTT governments' cybersecurity needs.
• Correlation of data from multiple public and private partners.
• Historical log analysis performed on all logs collected for specific threats reported
by partners and/or trusted third parties.
• When a major new threat is identified, the MS-ISAC will search logs for prior
activity. (Traditional monitoring services only alert going forward, from the date
a signature is in place. There is no "look behind" to assess what activity may have
already occurred.)
• Statistical analysis of traffic patterns to areas of the world known for being major cyber
threats. If abnormal traffic patterns are detected, analysts review the traffic to determine
the cause, looking for malicious traffic that is not detected by signatures.
• Signatures from forensic analysis of hundreds of SLTT cyber incidents are added to the
signature repository.
• Integration of research on threats specific to SLTTs, including nation-state attacks.
• MS-ISAC staff are deployed at the National Cybersecurity and Communications
Integration Center (NCCIC) in Arlington, VA. This staffing structure facilitates valuable
real-time information sharing with federal partners and critical infrastructure sectors.
• Experienced cybersecurity analysts review each cybersecurity event, which results in
minimizing the number of false-positive notifications. This system allows first responders
to focus on actionable events.
• Availability of an Incident Response Team for forensic and malware analysis which is part
of the no cost MS-ISAC membership.
• Cost effective solution that is significantly less expensive than the purchase and
maintenance of a typical commercial IDS/IPS solution. (See Page 17)
In addition to the Albert monitoring service, we also have the ability to monitor traditional
network security devices such as firewalls, IDS/IPS, web proxies, and host based intrusion
detection devices. This monitoring is accomplished with our Managed Security Services (MSS)
offering in partnership with a third party provider. All events generated by MSS are evaluated by
our SOC analysts and escalated to the affected entity. (See Page 17)
Page 8 of 20
Malicious Code Analysis Platform
The Malicious Code Analysis Platform (MCAP) is a web-based service that enables members to
submit suspicious files, including executables, DLLs, documents, quarantine files and archives for
analysis in a controlled and non-public fashion. Additionally, the platform enables users to perform
threat analysis based on domain, IP address, URL, hash, and various IOCs.
This platform allows users to obtain the results from analysis, behavioral characteristics and
additional detailed information that enables them to remediate the incident in a timely manner. This
communication with our members provides the MS-ISAC with the situational awareness needed to
assess the malware threat characteristics facing our SLTT government entities on a national level.
This platform is available to all members free of charge. To register for an account, send an email to
mcap@msisac.org using the following format:
Subject Line: "MCAP - Account Request"
Body for the Email:
• First Name
• Last Name
• Name of State, Local, Tribal or Territorial government entity
• Email Address (must be affiliated with an MS-ISAC member)
Vulnerability Management Program
The Vulnerability Management Program alerts our membership on a monthly basis about out of date
software that could potentially be a threat to your assets. A scripted GET request is sent to each of
the over 24,000 SLTT domains we maintain to pull data on versioning information related to each
domain.
What Data Are We Collecting?
• Server Type and Version (IIS, Apache, Nginx, etc.)
• Web Programming Language and Version (PHP, ASP, etc.)
• Content Management System and Version (WordPress, Joomla, Drupal, etc.)
Following the analysis and review of the information returned, data will be broken out into two
categories: vulnerable and not vulnerable systems. If the system is located in the 'vulnerable' file,
an associated portion of that system is not up to date. Conversely, if the system is located in the 'not
vulnerable' file, the system's patch level is up to date. Systems identified as vulnerable include the
CVE score and a link to the CVE.
Members should use this monthly notification to conduct further internal analysis to ensure that
Internet facing systems are patched and running the most up to date software.
For questions regarding the domains that the MS-ISAC has on file for your
organization, please contact info@msisac.org. Domain listings can be edited at any
point in time during your membership.
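The sorting step described above, as an added example (not MS-ISAC's own script, which this brochure does not show): it reads already-captured HTTP responses, extracts server, language and CMS versions, and places each host in the 'vulnerable' or 'not vulnerable' list. It goes beyond the text by adding an 'undetermined' list for banners that hide or truncate the version; the hostnames, responses and baseline versions are constructed for illustration.

```python
"""Added example: sort captured web responses into 'vulnerable' / 'not vulnerable'.

Hostnames, responses and baseline versions are constructed for illustration.
"""
import re

# Constructed baseline: lowest version treated as up to date for each product.
BASELINE = {
    "apache": (2, 4, 25),
    "microsoft-iis": (8, 5),
    "nginx": (1, 10, 3),
    "php": (5, 6, 30),
    "wordpress": (4, 7, 2),
}

# Constructed responses, as a scripted GET request might have captured them.
SAMPLES = {
    "permits.city.example": (
        "HTTP/1.1 200 OK\r\nServer: Apache/2.4.10 (Debian)\r\n"
        "X-Powered-By: PHP/5.6.30\r\n\r\n"
        '<html><head><meta name="generator" content="WordPress 4.7.2" /></head></html>'
    ),
    "www.county.example": (
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n"
        "X-Powered-By: ASP.NET\r\n\r\n<html></html>"
    ),
    # Version suppressed in the banner: nothing to compare against.
    "tribe.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html></html>",
    # Truncated version: cannot tell whether the patch level is current.
    "water.district.example": "HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n\r\n<html></html>",
}

PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z\-]*)[/ ]v?(\d+(?:\.\d+)*)")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def parse_response(raw):
    """Split a raw HTTP response into ({header name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw):
    """Return {product: version tuple} from Server, X-Powered-By and the generator tag."""
    headers, body = parse_response(raw)
    banners = headers.get("server", []) + headers.get("x-powered-by", [])
    match = GENERATOR_RE.search(body)
    if match:
        banners.append(match.group(1))
    found = {}
    for banner in banners:
        for name, version in PRODUCT_RE.findall(banner):
            found[name.lower()] = tuple(int(p) for p in version.split("."))
    return found


def assess(reported, minimum):
    """Compare a reported version with the baseline on the digits both provide."""
    n = min(len(reported), len(minimum))
    if reported[:n] < minimum[:n]:
        return "outdated"
    if reported[:n] > minimum[:n] or len(reported) >= len(minimum):
        return "current"
    return "undetermined"  # e.g. "Apache/2.4" against a 2.4.25 baseline


def classify(raw):
    """Return the category for one host plus (product, reported, minimum) findings."""
    verdicts = [(p, v, assess(v, BASELINE[p]))
                for p, v in sorted(fingerprint(raw).items()) if p in BASELINE]
    findings = [(p, ".".join(map(str, v)), ".".join(map(str, BASELINE[p])))
                for p, v, verdict in verdicts if verdict == "outdated"]
    if findings:
        category = "vulnerable"
    elif verdicts and all(verdict == "current" for _, _, verdict in verdicts):
        category = "not vulnerable"
    else:
        category = "undetermined"
    return {"category": category, "findings": findings}


def build_report(samples):
    """Group hostnames by category, mirroring the two files the text describes."""
    report = {"vulnerable": [], "not vulnerable": [], "undetermined": []}
    for host in sorted(samples):
        report[classify(samples[host])["category"]].append(host)
    return report


if __name__ == "__main__":
    for category, hosts in build_report(SAMPLES).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

A host with a suppressed or truncated banner lands in 'undetermined' rather than 'not vulnerable', so a hidden version is never reported as a current patch level.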
Page 9 of 20
Cyber Threat Informational &
Analytical Products
• Cyber Advisories: Cyber Advisories are short and timely emails containing
technical information regarding vulnerabilities in software.
• Cyber Alerts: Cyber Alerts are extremely short and timely non-technical emails
containing information on a specific cyber incident or threat.
• Cyber Intel Advisories: Cyber Intel Advisories provide detailed information and
warning notices with limited analysis. Recipients are invited to attach their own
seals/shields and republish the document as a joint shield paper.
• Cyber Threat Briefings: The MS-ISAC SOC provides cyber threat briefings
based on our expertise of the cyber threat landscape and incidents targeting SLTT
governments.
• Desk References: Desk references provide in-depth information and intelligence
analysis on specific topics, such as active hacktivist groups and the most common
malware, frauds and scams.
• Intel Bytes: Intel Bytes are brief analytical summaries on timely local or world
events or significant threats, and provide analytical intelligence.
• Intel Papers: Intel Papers provide in-depth analysis and detailed information
regarding the background, history, tools, techniques, and/or procedures on a
particular topic. They provide our members with a deeper level of understanding.
• Joint Papers: The MS-ISAC coordinates with federal and SLTT governments, fusion
centers and other agencies to produce joint analytical papers on a variety of topics.
• HSA Update: A newsletter produced for the National Governors Association
Governors Homeland Security Advisory Council that summarizes and provides
analysis on recent news articles. Members may attach their own seals/shields and
redistribute the newsletter as a joint shield paper.
• Security Primers: Security Primers are one-page summaries that recommend the
best response to a specific scenario. The Primers increase security awareness and
encourage secure behavior.
• Seminars: MS-ISAC Seminars are monthly meetings that provide training on a
variety of topics. Continuing Professional Education (CPE) credit is available upon
request.
• Monthly Situational Awareness Report (SAR): This highlights the MS-ISAC's
previous month's activities and statistics related to incident response, network
monitoring and general information gathering.
• White Papers: The SOC produces white papers to explain technical topics of
interest to members and partners.
• Weekly Attacking IPs and Domains: Weekly reports are provided highlighting
malicious IPs and domains attacking SLTT networks over the past seven days.
"It was very helpful to have the MS-ISAC to turn to at this difficult time. They
were extremely helpful every step of the project." - MS-ISAC Member
Page 10 of 20
MS-ISAC Member Initiatives &
Collaborative Resources
MS-ISAC membership enables entities to participate with their peers across the country, sharing
knowledge, building relationships, and improving cybersecurity readiness and response.
• Annual In-Person Meeting: Each year, the MS-ISAC hosts an annual multi-day event
bringing all members together, along with the federal government and other partners.
We focus on action-oriented deliverables that are most important to the members. The
meeting is open to all MS-ISAC members interested in attending. There is no registration
fee for this event.
• Emergency Conference Calls: Members have access to conference calls to brief all
members on major incidents or emerging events.
• ESP Tool: The CIS Enumeration and Scanning Program (CIS-ESP) is an application
built to be deployed in an enterprise Windows environment to assist in the collection of
data to determine if a compromise has occurred. The information collected will enhance
understanding of the scope of an incident and identify active host-based threats on a
computer network. The application works by enumerating and polling systems within
an Active Directory environment by way of Windows Management Instrumentation (WMI)
queries. This process is used entirely for data collection and no modifications are made to
the systems being scanned.
• Members-Only Secure Portal: The MS-ISAC has a compartment on the
US-CERT portal which allows our membership a secure and confidential platform for
sharing information. The portal includes the MS-ISAC cyber alert level map — a visual
representation of current cyber status of each state, updated on a monthly basis; and a
library of policies, guides, recorded webcasts, and many additional member resources.
• Monthly Threat Briefing: One-hour webcast briefings that provide members with
updates on the threat landscape, status of national initiatives impacting them, and
relevant news from members; DHS has a standing agenda item on each call.
• Monthly Vendor Patch Release Calls: Technical discussions regarding patches and
updates.
• Security Benchmarks: Consensus-based security configuration PDF guides that help
to improve your cyber security posture.
• Workgroups: Focused working committees to share ideas, generate recommendations
and produce deliverables to support the MS-ISAC and member-related programs. (See
pages 12-13)
• Membership Discounts
• Security Benchmarks Membership: MS-ISAC members can receive
discounts off of a Security Benchmarks Membership, leveraging over 100
configuration benchmarks covering more than 14 technology groups, and can use
CIS-CAT to assess an unlimited number of assets for a single upfront cost.
• CIS-CAT: MS-ISAC members have access to a free trial of CIS-CAT,
a Configuration Assessment Tool, containing 60+ CIS Benchmarks.
(See Pages 18 & 19)
• Trusted Purchasing Alliance (TPA): The TPA works with organizations in
the public and private sectors to provide cost-effective, high-quality cybersecurity
solutions for our nation's SLTT governments and non-profit entities.
Page 11 of 20
MS-ISAC Workgroups
These workgroups are voluntary committees focused on specific initiatives and deliverables
in support of the MS-ISAC mission.
Who can participate in a workgroup?
Any member from any State, Local, Tribal or Territorial (SLTT) government.
What do the workgroups do?
They serve a significant role in the creation and implementation of MS-ISAC initiatives.
These workgroups are also a tremendous opportunity to collaborate with your peers across
the country. They identify current issues facing SLTT governments and help determine the
future course of addressing cybersecurity challenges. They have been responsible for:
• authoring the Nationwide Cyber Security Review question set and analyzing the
results;
• participating in the development and execution of cyber security exercises;
• increasing participation in National Cyber Security Awareness Month activities; and
• creating important membership materials.
How much time will I need to commit?
• Level of commitment varies by group.
• Groups generally meet by phone monthly and in person annually.
• Extent of involvement is completely your choice.
How do I join a workgroup?
Send an email to info@msisac.org with "Workgroup Request" in the subject line, and include
the following:
• Name
• Workgroup of interest
• Entity/Agency Name
• Email and telephone number
Share your expertise by joining a Workgroup today!
Page 12 of 20
Current Workgroups:
Business Continuity, Recovery, and Cyber Exercise
Focuses on the processes, tools, and best practices related to public sector business
continuity and recovery—not only of technology assets, but also recovery of the entire
organization, including people, locations, and communications.
Cyber Security Metrics
Focuses on recommending and implementing methodologies to help SLTT entities with
cyber security metrics and compliance inventory, assessment, and audit of their cyber
security assets. This workgroup works jointly with DHS, NASCIO and NACo to support
the DHS Nationwide Cyber Security Review.
Education and Awareness
Focuses on implementing innovative strategies, improving existing programs, and
promoting successful localized initiatives for national cybersecurity education, awareness,
and training content to support the overall mission of the MS-ISAC.
Intel and Analysis
Focuses on promoting the development, understanding, and awareness of actionable
intelligence and analysis.
Mentoring Program
Focuses on pairing new security leaders in management positions (such as Chief Information
Security Officers and Chief Security Officers) with more experienced security leaders to
enhance their skillsets and foster personal and professional growth.
Page 13 of 20
Nationwide Cyber Security Review
The Nationwide Cyber Security Review (NCSR) is a voluntary self-assessment survey to
evaluate cybersecurity management.
The Senate Appropriations Committee has requested an ongoing effort to chart nationwide
progress in cybersecurity and identify emerging areas of concern. In response, the U.S.
Department of Homeland Security (DHS) has partnered with the MS-ISAC, the National
Association of State Chief Information Officers (NASCIO), and the National Association of
Counties (NACo) to develop and conduct the NCSR.
Who can participate?
All States (and agencies), Local governments (and departments), and Tribal and Territorial
governments.
Advantages of Participation:
• Free and voluntary self-assessment to evaluate your cybersecurity posture;
• Customized reports to help you understand your cybersecurity maturity, including:
* a detailed report of your responses along with recommendations to improve your
organization's cybersecurity posture;
* additional summary reports that gauge your cybersecurity measures against peers
(using anonymized data); and
* insight to help prioritize your effort to develop security controls.
• Benchmark to gauge your own year-to-year progress;
• Metrics to assist in cybersecurity investment justifications; and
• Contribute to the nation's cyber risk assessment process.
How does the Nationwide Cyber Security Review work?
• Hosted on a secure portal
• Based on the NIST Framework
• Based on key milestone activities for information risk management
• Closely aligned with security governance processes and maturity indexes embodied in
accepted standards and best practices
• Covers the core components of cybersecurity and privacy programs
• Designed to be completed in about an hour
When does the survey take place?
The survey will be available from November to December each year.
For more information and to register, visit:
http://msisac.cisecurity.org/resources/ncsr
Page 14 of 20
Survey
The NCSR provides survey participants with instructions and guidance. Additional support
is available, including supplemental documentation and the ability to contact the NCSR
helpdesk directly from the survey.
Once the NCSR is complete, participants will have immediate access to an individualized
report measuring the level of adoption of security controls within their organization. This
report includes recommendations on how to raise your organization's risk awareness. The
MS-ISAC and DHS will aggregate all review data and share a high level summary with all
participants. The names of participants and their organizations will not be identified in
this report. This report is provided to Congress in alternate years (odd numbered years) to
highlight cyber security gaps and capabilities among our State, Local, Territorial and Tribal
Governments.
Partners
DHS is responsible for safeguarding our nation's critical infrastructure from physical and
cyber threats that can affect national security, public safety, and economic prosperity.
National Protection & Programs Directorate leads DHS's efforts to secure cyberspace and
cyber infrastructure. For additional information, please visit www.dhs.gov/cyber.
NASCIO's mission is to foster government excellence through quality business practices,
information management, and technology policy. Founded in 1969, the National Association
of State Chief Information Officers (NASCIO) is a nonprofit, 501(c)3 association representing
state chief information officers and information technology executives and managers from
the states, territories, and the District of Columbia. The primary state members are senior
officials from state government who have executive-level and statewide responsibility
for information technology leadership. State officials who are involved in agency level
information technology management may participate as associate members. Representatives
from federal, municipal, international government and non-profit organizations may also
participate as members. Private-sector firms may join as corporate members and participate
in the Corporate Leadership Council.
The National Association of Counties (NACo) is the only national organization that
represents county governments in the United States. Founded in 1935, NACo provides
essential services to the nation's 3,069 counties. NACo advances issues with a unified voice
before the federal government, improves the public's understanding of county government,
assists counties in finding and sharing innovative solutions through education and research,
and provides value-added services to save counties and taxpayers money. For more
information about NACo, visit www.naco.org.
Page 15 of 20
Cybersecurity Education
We promote proactive education of cybersecurity. The MS-ISAC produces numerous
communications to engage our members and help national efforts for better cybersecurity.
Education and Awareness Materials
• Daily Cyber Tips
• Monthly Newsletters: These newsletters use non-technical language, and they can be
rebranded to suit individual member needs. Newsletter topics include details on the most
current threats and suggested best cybersecurity practices.
• Bi-Monthly National Webcasts: These feature timely topics and experts from the public
and private sector sharing insight on addressing cyber challenges.
Cybersecurity Awareness Toolkit
This Cyber Security Toolkit features educational materials designed to raise cybersecurity awareness.
Digital and hard copy materials are distributed to members. Members are encouraged to brand these
materials for their own organizations.
Best of the Web Contest
The MS-ISAC conducts an annual Best of the Web contest to recognize state and local governments
who use their websites to promote cybersecurity. We review these cybersecurity websites for all 50
state governments and the many local governments that decide to participate. The judging is based
upon several criteria including cybersecurity content, usability, accessibility, and appearance.
The contest recognizes outstanding websites and highlights them as examples for others to consider
when they are developing or redesigning their own sites. One overall winning website will be chosen
in the state/territory category and one will be chosen in the local government category.
The Best of the Web Contest kicks off in the beginning of October, which is National Cyber Security
Awareness Month. The winners are announced at the end of the month.
Poster Contest
The MS-ISAC conducts an annual National K-12 Computer Safety Poster Contest to encourage
young people to use the Internet safely. The contest encourages young people to create cybersecurity
messages other kids will appreciate and apply to their own lives.
The contest is open to all public, private or home-schooled students in kindergarten through twelfth
grade. Winning entries of the National Poster Contest are what make up the next year's MS-ISAC
Calendar, which is distributed to every MS-ISAC member as part of the cybersecurity toolkit.
The MS-ISAC Poster Contest is launched at the beginning of Cyber Security Awareness Month, and
submissions are due the following January.
FedVTE
The Federal Virtual Training Environment (FedVTE) is the Department of Homeland Security's
online, on-demand training center. FedVTE provides government IT professionals with hands-on
labs and training courses.
For questions regarding education and awareness materials or participation in any of
the items listed above, please contact info@msisac.org.
Page 16 of 20
Fee Based Services for SLTT Entities
Network Monitoring and Analysis Service (Albert) is a near real-time, 24x7 network
monitoring and analysis service that identifies and alerts on traditional and advanced threats within
an enterprise network. Pricing is based on Average Internet Utilization Size. A one-time initiation fee
of $900 applies.
• Up to 100 Mbps - $620/Month
• >100 Mbps - 1 Gbps - $940/Month
• >1 Gbps - $1,460/Month
Managed Security Services (MSS) is comprised of monitoring and/or management of security
devices:
• Security Event Analysis & Notifications 24x7
• Monitoring and Management services are available for the following security devices:
  • Firewall monitoring
  • Host-based Intrusion Detection System monitoring
  • IDS/IPS monitoring and management
  • Proxy monitoring
Vulnerability Assessment Services can identify, prioritize and report critical vulnerabilities
within the MS-ISAC network and web application assessments.
• Network Assessment
• Web Application Assessment, including manual analysis of reported vulnerabilities
• Prioritization of vulnerability remediation
• Customized reporting & vulnerability remediation support included
• Payment Card Industry (PCI) compliance scanning available
• Scheduled (Monthly, Quarterly, Yearly) services
Web Application Assessment
Annual Cost per Web App Scanned

                                 One Time      Quarterly      Monthly
                                 Assessment    Assessments    Assessments
1st Web App per Entity           $1,025        $1,322         $1,918
Additional Web App per Entity    $569          $867           $1,463

Network Assessment
Annual Cost per Live IP Scanned

Service Level Based on the Number
of Live IPs Scanned per period per    One Time      Quarterly      Monthly
Reporting Entity                      Assessment    Assessments    Assessments
10                                    $88           $120           $189
16-25                                 $67           $92            $151
26-50                                 $55           $75            $128
51-100                                $44           $59            $105
101-200                               $26           $38            $77
201-500                               $22           $32            $65
501-2,000                             $19           $27            $53
Page 17 of 20
MS-ISAC Consulting Services (Statement of Work Required):
• Social Engineering (Phishing Exercises)
• External Network Penetration Testing
• Web Application Penetration Testing
• Comprehensive Security Review
Membership Discounts
Trusted Purchasing Alliance (TPA): The TPA serves SLTT governments and
nonprofit entities in achieving a greater cybersecurity posture through trusted expert guidance
and cost-effective procurement. The TPA builds public and private partnerships and works
to enhance collaboration that improves the nation's cybersecurity posture. The TPA makes
cybersecurity purchasing effective, easy and economical.
Security Benchmarks Membership
CIS is a leader in the development and distribution of consensus-based, internationally recognized
best practices for assessing and improving cybersecurity for private industry, government and
academia. CIS secure configuration benchmarks and automated assessment tools are used by
hundreds of organizations worldwide and are accepted for compliance with many industry standards,
including FISMA, PCI, and HIPAA.
CIS Security Benchmarks members can leverage more than 100 CIS configuration benchmarks
covering over 14 technology groups. These members can also use CIS-CAT to assess an unlimited
number of assets for a single, upfront, fixed cost.
How can CIS Benchmarks Membership and the member only resources benefit my
organization?
CIS offers affordable, industry-recognized solutions to help your organization save time and money
by providing resources that:
• Rapidly identify security vulnerabilities
• Measure security performance against industry best practices
• Satisfy compliance obligations http://benchmarks.cisecurity.org/compliance
• Improve internal security policies and procedures by leveraging best-practice guidance
• Assess system compliance with security requirements by using the CIS Configuration
Assessment Tool (CIS-CAT)
• Quickly implement benchmark guidance by using CIS remediation resources
• Measure and report compliance over time per device, technology, or overall
What are the benefits of Security Benchmarks membership?
• The right to distribute the Security Benchmarks resources within your organization
• Access to CIS-CAT (See Page 19)
• Access to the member only resources on the CIS Community Website, including:
• Benchmarks in XML/XCCDF/OVAL format which facilitates automated configuration
assessment
• Automated remediation content (i.e., Group Policy Objects)
• Tutorials and webcasts
• Word/Excel versions of Benchmarks
• Member only discussion areas
Page 18 of 20
• Timely electronic notification of new and updated resources
• Enhanced support from staff and developers
• Visibility of your organization's commitment to Internet security through its inclusion on the CIS
member list http://benchmarks.cisecurity.org/members
• Use of the CIS Security Benchmarks Membership Mark on your organization's website and
documents
For a complete list of benefits, see http://benchmarks.cisecurity.org/membership
Free trial of CIS-CAT
A 14-day trial of CIS-CAT is available to companies considering membership. To start your trial today,
visit https://benchmarks.cisecurity.org/freetrial
Security Benchmarks Membership allows the government entity the right to use and distribute
the Security Benchmarks resources throughout their organizations to secure internal systems
only. Membership fees are based on the total number of people employed at an organization. A
detailed agency list is required at time of membership quote and/or enrollment. The annual fee and
multi-year discount option schedule for SLTT governments is below. Contact us at info@msisac.org
for more information.
Security Benchmarks Membership

Organization          1-Year             2-Year             3-Year
Employee Range        Membership Cost    Membership Cost    Membership Cost
                      (no/ Savings)      (30% Savings)      (30% Savings)
250,000 or more       $9,926             $19,852            $29,778
100,000 to 249,999    $9,191             $18,382            $27,573
50,000 to 99,999      $8,456             $16,912            $25,368
25,000 to 49,999      $7,721             $15,442            $23,163
10,000 to 24,999      $7,350             $14,700            $22,050
5,000 to 9,999        $6,986             $13,972            $20,958
1,000 to 4,999        $6,615             $13,230            $19,845
500 to 999            $4,781             $9,562             $14,343
250 to 499            $3,311             $6,622             $9,933
100 to 249            $2,394             $4,788             $7,182
50 to 99              $1,470             $2,940             $4,410
Up to 49              $924               $1,848             $2,772
Page 19 of 20