TERMS AND CONDITIONS FOR INFORMATION EXCHANGE

As a participating member (“Member” or “you”) of the Multi-State Information Sharing and Analysis Center (MS-ISAC), you agree that you will share information through the MS-ISAC in accordance with the terms and conditions set forth below. If your organization does not qualify as an MS-ISAC member or cannot agree to the terms, please contact CIS for further discussion.

1.        Definitions

Data: the information shared by either MS-ISAC or any Member in accordance with these terms and conditions.

MS-ISAC:   a division within Center for Internet Security, Inc. (CIS), operated to support information sharing among U.S. state, local, tribal and territorial governmental entities.

Member: a qualifying organization under the MS-ISAC that has agreed to these terms and conditions.  For purpose of these terms and conditions, Member shall also include all employees of the Member. 

2.        MS-ISAC Purpose. The MS-ISAC has been established to facilitate the sharing of cyber and/or critical infrastructure Data among MS-ISAC Members, and others as appropriate, in order to facilitate communication regarding cyber and/or critical infrastructure readiness and response efforts. These efforts include, but are not limited to, disseminating early warnings of physical and cyber system threats, sharing security incident information between state, tribal, territorial, and local entities, providing trends and other analysis for security planning, and distributing current proven security practices and suggestions.

3.        MS-ISAC Membership.  Membership in the MS-ISAC is limited to those U.S. state, local, tribal and territorial governmental entities, and their employees.

4.        Operation of the MS-ISAC.  The MS-ISAC will be operated and supported by CIS, a not for profit corporation focused on enhancing the cyber security readiness and response of public and private sector entities, with a particular focus on state, local, tribal and territorial governments and critical infrastructure.  MS-ISAC may also retain contractors from time to time to provide services to the MS-ISAC and its Members.

5.        Data Protection. MS-ISAC and Member both acknowledge that the protection of shared Data is essential to the security of both Member and the mission of the MS-ISAC.  The intent of the Data protection terms are to: (a) enable Member to make disclosures of Data to MS-ISAC while still maintaining rights in, and control over, the Data; and (b) set common information sharing protocol that will determine the extent to which Data can be shared with others. Nothing in these terms and conditions grants MS-ISAC or Member an express or implied license or an option on a license, or any other rights to, or interests in, the Data.

6.     Data Sharing Protocol.  All Data provided by any MS-ISAC Member or the MS-ISAC shall include an information sharing designation in accordance with the US CERT Traffic Light Protocol (TLP), as set forth at https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage. In the event that Data is shared by the Member or MS-ISAC and such Data does not include a TLP designation, it shall be considered as having been designated TLP Red unless and until subsequently, the entity sharing the Data otherwise specifically changes the designation.

MS-ISAC shall be permitted to share Member Data with other organizations (e.g., MS-ISAC members, state-level organizations, or federal partners) provided that such Data shall be anonymized and not attributable to the Member.  MS-ISAC shall obtain written consent from Member prior to sharing Member Data that is attributable to Member.

7.        Other Data Designation. MS-ISAC and Member acknowledge that certain Data may also be designated with a notice of patent, copyright, trade secret or other proprietary right and MS-ISAC and Member each agree not to remove, alter or obscure any such designation without the prior written authorization of party sharing the Data.

8.        Data Retraction.  If a Member retracts any Data it sent to the MS-ISAC, then, upon notification by the Member, the MS-ISAC will delete such Data and all copies thereof, and as applicable, notify other MS-ISAC Members and its federal partners to delete the Data.  Upon receiving such notification, MS-ISAC Members will delete such information and all copies thereof. If an MS-ISAC Member is unable to delete the Data based on applicable law, then that Member will continue to maintain the confidentiality of the Data consistent with the TLP designation assigned to the Data. 

9.        Demand for Data. If any third party makes a demand for any Data, the MS-ISAC or any other Member receiving such a demand shall (i) immediately forward such request to the Member who shared the Data and consult and cooperate with that Member and (ii) make reasonable efforts, consistent with applicable law and the applicable TLP designation, to protect the confidentiality of the Data.  The Member sharing the Data will, as needed, have the opportunity to seek judicial or other appropriate avenues of redress to prevent any release. 

10.  Reports Containing Data. As part of its elections information sharing efforts, the MS-ISAC may prepare written reports that include or are based on TLP Red Data shared by Member.  For such reports, the TLP Red Data will be anonymized and Member shall be provided a period of time to review such reports, papers, or other writings and has the right to review to correct factual inaccuracies and make recommendations and comments to the content of the report. The MS-ISAC and Members agree to work together in good faith to reach mutually agreed upon language for the report.  If the parties are unable to reach agreement on an issue, the Member has the right to edit out its Data.

11.  Term and Termination of Membership. Member’s obligations under these terms shall continue so long as remains a member of the MS-ISAC, except that the obligations of confidentiality of Data as provided herein shall survive the expiration of Member’s membership. Member may terminate its MS-ISAC membership in accordance with the terms of the MS-ISAC Membership Agreement.

12.  Severability. If any court of competent jurisdiction considers any provision of these terms and conditions to be invalid, illegal, or unenforceable, such provisions shall be considered severed from these terms and conditions.  All other provisions, rights, and obligations shall continue without regard to the severed provision(s).

13.  Entire Understanding. These terms and conditions contain the entire understanding between MS-ISAC and Member with respect to the proprietary information described herein and supersedes all prior understandings whether written or oral.

Updated 12/12/2023, 6/6/2025