TERMS AND CONDITIONS FOR MULTI-STATE INFORMATION SHARING & ANALYSIS CENTER (MS-ISAC) MEMBERSHIP
The following terms and conditions set forth the terms for membership in the MS-ISAC. As a participating member of the MS-ISAC (“Member” or “you”), you agree that you will share information through the MS-ISAC in accordance with the terms set forth below. If your organization does not qualify as an MS-ISAC member or cannot agree to the terms as set forth herein, please contact CIS for further discussion.
Data: the information shared by either MS-ISAC or any Member in accordance with these membership terms and conditions.
MS-ISAC: The Multi-State Information Sharing & Analysis Center, a program within the Center for Internet Security, Inc., operated to support information sharing among U.S. state, local, tribal and territorial governmental entities.
Member: A qualifying organization under the MS-ISAC that has agreed to these terms and conditions. For purpose of these terms and conditions, Member shall also include all employees of the Member.
- MS-ISAC Purpose. The MS-ISAC has been established to facilitate the sharing of cyber and/or critical infrastructure Data among MS-ISAC Members, and others as appropriate, in order to facilitate communication regarding cyber and/or critical infrastructure readiness and response efforts. These efforts include, but are not limited to, disseminating early warnings of physical and cyber system threats, sharing security incident information between state, tribal, territorial, and local entities, providing trends and other analysis for security planning, and distributing current proven security practices and suggestions.
- MS-ISAC Membership. Membership in the MS-ISAC is limited to those U.S. state, local, tribal and territorial governmental entities, and their employees.
- Operation of the MS-ISAC. The MS-ISAC will be operated and supported by the Center for Internet Security, Inc., a not for profit corporation focused on enhancing the cyber security readiness and response of public and private sector entities, with a particular focus on state, local, tribal and territorial governments and critical infrastructure. MS-ISAC may also retain contractors from time to time to provide services to the MS-ISAC and its Members.
- Data Protection. MS-ISAC and Member both acknowledge that the protection of shared Data is essential to the security of both Member and the mission of the MS-ISAC. The intent of the Data protection terms are to: (a) enable Member to make disclosures of Data to MS-ISAC while still maintaining rights in, and control over, the Data; and (b) set common information sharing protocol that will determine the extent to which Data can be shared with others. Nothing in these terms and conditions grants MS-ISAC or Member an express or implied license or an option on a license, or any other rights to, or interests in, the Data.
- Data Sharing Protocol. All Data provided by any MS-ISAC Member or the MS-ISAC shall include an information sharing designation in accordance with the US CERT Traffic Light Protocol (TLP), as set forth at https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage. In the event that Data is shared by the Member or MS-ISAC and such Data does not include a TLP designation, it shall be considered as having been designated TLP Red unless and until subsequently, the entity sharing the Data otherwise specifically changes the designation.
Notwithstanding the foregoing, unless a Member designates in writing that the Data in question cannot be shared or that such sharing is subject to stated restrictions, all Data provided by Members may be shared with MS-ISAC’s federal partners (including, without limitation, the U.S. Department of Homeland Security), and may be shared with other MS-ISAC members provided that the Data is anonymized and not attributable to Member.
- Other Data Designation. MS-ISAC and Member acknowledge that certain Data may also be designated with a notice of patent, copyright, trade secret or other proprietary right and MS-ISAC and Member each agree not to remove, alter or obscure any such designation without the prior written authorization of party sharing the Data.
- Data Retraction. If a Member retracts any Data it sent to the MS-ISAC, then, upon notification by the Member, the MS-ISAC will delete such Data and all copies thereof, and as applicable, notify other MS-ISAC Members and its federal partners to delete the Data. Upon receiving such notification, MS-ISAC Members will delete such information and all copies thereof. If an MS-ISAC Member is unable to delete the Data based on applicable law, then that Member will continue to maintain the confidentiality of the Data consistent with the TLP designation assigned to the Data.
- Demand for Data. If any third party makes a demand for any Data, the MS-ISAC or any other Member receiving such a demand shall immediately forward such request to the Member who shared the Data and consult and cooperate with that Member and will make reasonable efforts, consistent with applicable law and the applicable TLP designation, to protect the confidentiality of the Data. The Member sharing the Data will, as needed, have the opportunity to seek judicial or other appropriate avenues of redress to prevent any release.
- Reports Containing Data. As part of its elections information sharing efforts, the MS-ISAC may prepare written reports that include or are based on TLP Red Data shared by Member. For such reports, the TLP Red Data will be anonymized and Member shall be provided a period of time to review such reports, papers, or other writings and has the right to review to correct factual inaccuracies and make recommendations and comments to the content of the report. The MS-ISAC and Members agree to work together in good faith to reach mutually agreed upon language for the report. If the parties are unable to reach agreement on an issue, the Member has the right to edit out its Data.
- Term and Termination of Membership. Member’s obligations under these terms shall continue so long as remains a member of the MS-ISAC, except that the obligations of confidentiality of Data as provided herein shall survive the expiration of Member’s membership. Member may terminate its MS-ISAC membership at any time upon written notice to the MS-ISAC.
- Severability. Should any court of competent jurisdiction consider any provision of these terms and conditions to be invalid, illegal, or unenforceable, such provisions shall be considered severed from these terms and conditions. All other provisions, rights, and obligations shall continue without regard to the severed provision(s).
- Entire Understanding. These terms and conditions contain the entire understanding between MS-ISAC and Member with respect to the proprietary information described herein and supersedes all prior understandings whether written or oral.