Multi-State Information Sharing and Analysis Center of the United States/Info Systems/Member AgreementCENTER FOR INTERNET SECURITY
MULTI -STATE ISAC
Member Agreement
This Agreement ("Agreement") is made between the
City of Carmel, IN and the Multi -State Information
Sharing and Analysis Center of the United States (MS-
ISAC), a division of the Center for Internet Security.
The MS-ISAC will enable information sharing,
analysis, gathering and distribution in a secure manner
using facilities and methods designed to permit
individual Members to submit information about
security threats, vulnerabilities, incidents, and solutions
securely. Only MS-ISAC members have access to
review and retrieve this information. When submitting
information to the MS-ISAC, Primary Custodians will
identify information to the MS-ISAC in the following
categories:
Category A: information that is provided only to the
MS-ISAC and will not be shared with the MS-ISAC
members or others except as authorized by the Primary
Custodian. Category A information also consists of
any non -categorized information provided to the MS-
ISAC and/or pre -cleansed category B information.
Category B: information which is shared with the MS-
ISAC and in consultation with the Primary Custodian is
cleansed by the MS-ISAC of all identifying information
and then, consistent with applicable laws, will be
shared only with MS-ISAC members, or the
Department of Homeland Security consistent with
paragraph six (6).
Category C: information which is shared with the MS-
ISAC and does not need to be cleansed and may be
shared within the MS-ISAC and outside the MS-ISAC
as appropriate.
MS-ISAC members acknowledge that Primary
Custodian has certain cyber and/or critical
infrastructure information and material that is exempt
from disclosure to the public or other unauthorized
persons under federal or state laws including the
Homeland Security Act of 2002 (6 U.S.C. § 133). MS-
ISAC members may provide access to this information
and material in order to facilitate interstate
communication regarding cyber and/or critical
infrastructure readiness and response efforts. These
efforts include, but are not limited to, disseminating
early warnings of physical and cyber system threats,
sharing security incident information between U.S.
states, territories, the District of Columbia, tribal
nations and local governments, providing trends and
other analysis for security planning, and distributing
current proven security practices and suggestions. As a
participating member of the MS-ISAC, Primary
Custodian agrees that when sharing this information
with MS-ISAC members it will do so through the MS-
ISAC in accordance with the categories established in
this document. MS-ISAC members agree to the terms
and conditions contained in this Agreement.
NOW THEREFORE, in consideration of the above
promises recited herein, the parties agree to the
following:
Definitions:
1. Primary Custodian — the entity that developed or
owns the Data. Each collection of Data (database,
file, etc.) shall have a single Primary Custodian.
2. MS-ISAC members — the members (U.S. states,
territories, the District of Columbia, tribal nations
and local governments) who may be in possession
or use of Data acquired from the Primary
Custodian or from the MS-ISAC.
Purpose:
MS-ISAC members acknowledge that the
protection of Category A information is essential to
the security of Primary Custodian and the mission
of the MS-ISAC. The purpose of this Agreement is
to enable Primary Custodian to make disclosures of
Category A information to MS-ISAC while still
maintaining rights in, and control over, Category A
information. The purpose is also to preserve
confidentiality of the Category A information and
to prevent its unauthorized disclosure. It is
understood that this Agreement does not grant MS-
ISAC or members an express or implied license or
an option on a license, or any other rights to or
interests in the Category A information, or
otherwise. If Primary Custodian retracts any
information it sent to the MS-ISAC, then, upon
notification by the Primary Custodian, the MS-
ISAC will destroy such information and all copies
thereof, and notify MS-ISAC members to destroy
the information. If an MS-ISAC member is unable
to destroy the information based on applicable law,
then the member will continue to maintain the
confidentiality of the information consistent with
this agreement. Upon receiving such notification,
Multi -State [SAC I of 3 Member Agreement 1/1/2012
MS ISAC members will destroy such information
immediately forward such request to the Primary
and all copies thereof.
Custodian and consult and cooperate with the
MS-ISAC and Member Duties:
Primary Custodian and will make reasonable
efforts, consistent with applicable law to protect the
4. MS-ISAC and members who are authorized by the
confidentiality of the information. Primary
Primary Custodian to receive Category A
Custodian will, as needed, have the opportunity to
information shall, and shall cause their contractors,
seek judicial or other appropriate avenues of
subcontractors, agents or any other entities acting
redress to prevent any release.
on their behalf (hereinafter referred to as the
"Affiliates") to:
8. In non -emergency situations, as part of its multi -
(a) copy, reproduce or use Category A information
state communication sharing efforts, the MS-ISAC
for the purposes of the MS-ISAC mission
may
Y Prepare written reports. For such reports, the
and not for any other purpose unless
Primary Custodian shall be provided a period of
specifically authorized to do so in writing by
time to review such reports, papers, or other
Primary Custodian; and
writings and has the right to edit out its Category A
(b) not permit any person to use or disclose the
information, correct factual inaccuracies, make
Category A information for any propose other
recommendations and comments to the content of
than those expressly authorized by this
the report, and append comments to the final
Agreement; and
version of the report. The MS-ISAC members and
(c) implement physical, electronic and
Primary Custodian agree to work together in good
managerial safeguards to prevent
faith to reach mutually agreed upon language for
unauthorized access to or use of Category A
the report. If the parties are unable to reach
information.
agreement on an issue, Primary Custodian has the
Such restrictions will be at least as stringent as
right to edit out its Category A information.
those applied by the MS-ISAC and/or members to
General Terms:
their own most valuable and confidential
information.
9. Should any court of competent jurisdiction
consider any provision of this Agreement to be
MS-ISAC agrees to promptly notify Primary
invalid, illegal, or unenforceable, such provisions
Custodian of any unauthorized release of Category
shall be considered severed from this Agreement.
A information.
All other provisions, rights, and obligations shall
5. MS-ISAC and members will not remove, obscure
continue without regard to the severed provision(s).
or alter any notice of patent, copyright, trade secret
10. The term of the Agreement shall continue so long
or other proprietary right from any Category A
as Primary Custodian remains a member of the
information without the prior written authorization
MS-ISAC, and paragraph 3 the obligations of
of Primary Custodian.
confidentiality as provided herein shall survive the
Multi -State ISAC Duties:
expiration of this Agreement.
6. The MS-ISAC and members may share with the
11. This Agreement will be construed and enforced in
Department of Homeland Security (DHS) pursuant
all respects in accordance with United States (U.S.)
to 6 U.S.C. § 133, Category A, B, and C
federal law or other applicable laws as addressed
information, unless the Primary Custodian has
herein.
designated in writing that the information in
12. This Agreement contains the entire understanding
question cannot be shared with our federal partners.
between the parties with respect to the proprietary
All other information is voluntarily submitted and
information described herein and supersedes all
may be shared with the Federal Government with
prior understandings whether written or oral. Any
expectation of protection from disclosure as
modification, amendment, assignment or waiver of
provided by the provisions of the Critical
the terms of this Agreement shall require the
Infrastructure Information Act of 2002.
written approval of the authorized representative of
each party.
7. If any third party makes a demand for any Category
A or B information, the MS-ISAC or member shall
Multi -State ISAC 2 of 3 Member Agreement 1/1/2012
The foregoing has been agreed to and accepted by the authorized representatives of each party whose signatures
appear below:
AGREED BY:
Primary Custodian:
Center for Internet Security
Multi -State ISAC Division
-2110
Signature Date
MS-ISAC Chair
Print or Type Name/Title
Multi -State ISAC 3 of 3 Member Agreement 1/1/2012
Approved and Adopted this W day of`� �1; ! L6 1 , 20�.
CITY OF CARMEL, INDIANA
By and through its Board of Public Works and Safety
BY:
— h V+
James Brainard, Presiding Officer
Date:
F.1
Christine Pauley, VleP
/ ser
Date:iL