The IT Law Wiki


An Information Sharing and Analysis Organization (ISAO) is

[a]ny formal or informal entity or collaboration created or employed by public or private sector organizations for purposes of:


"The ISAOs are intended to be: Inclusive (groups from any and all sectors, both non-profit and for-profit, expert or novice, should be able to participate in an ISAO); Actionable (groups will receive useful and practical cybersecurity risk, threat indicator, and incident information via automated, real-time mechanisms if they choose to participate in an ISAO); Transparent (groups interested in an ISAO model will have adequate understanding of how that model operates and if it meets their needs); and Trusted (participants in an ISAO can request that their information be treated as Protected Critical Infrastructure Information. Such information is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002 (6 U.S.C. §§131 et seq.))."[2]

The ISAOs are intended "to accommodate organizations that do not fit within an established sector of the critical infrastructure or that have unique needs. ISAOs are intended to provide such organizations with the same benefits of obtaining cyber threat information and other supporting services that are provided by an ISAC."[3]