1. 2016

   Objective 1: Acting as the DHS CS&C Liaison for Cyber Security to SLTT governments. Objective 2: Sustaining Network Analysis Services to all 50 States and 6 Territories. Objective 3: Analyzing threat and attack information to maintain a real time cybersecurity posture of the SLTT sector. Objective 4: Developing appropriate mitigation strategies to assist SLTTs. Objective 5: Information Sharing, Incident management and response. Objective 6: Implementation of the Nationwide Cyber Security Review. Objective 7: Implementation of the MS-ISAC SCIF and facilitation of classified information sharing with DHS and State and local Fusion Centers. Objective 8: Support DHS’s weather map through metrics and data reporting. • Completing monitoring expansion to all 56 States and Territories • Increased membership by 31.5% • Number of MS-ISAC CERT engagements 169 in 2014, 164 in 2015 and 171 in 2016 An Engagement is assisting an SLTT with a cyber incident. This typically may include one, or all of the following: log analysis, malware analysis and full forensics review of the suspect system (s) and remediation recommendations.
   • Increased local participation in the NCSR by 103% • Increased automated indicator sharing by 157% (from 33 to 85 entities) This is the number of entities that are connected to the automated indicator sharing platform (Soltra Edge) which includes DHS. • Promoting DHS Programs such as NCATS, Cyber Security Exercises, Cyber Security Advisors, distribute DHS materials, etc. to the MS-ISAC members and conference attendees across the country. • Increased products covered by VMP by 142% (from 7 products to 17) • Increased threat actor tracking by 81% (from 326 to 591 actors) The threat actor tracking enables us to identify TTPs which are available to all MS-ISAC analysts. The analysts use this information in analyzing and providing assessment of threats and responding attacks impacting SLTTs. Threat actor tracking in also used to develop signatures that are deployed to Albert devices. The information is also used in reports provided to members. • Analyzing the use of cloud services for data analysis. The size and scale of our Netflow data repository has exceeded our ability to provide timely enterprise analysis of the data. A query of all of our Netflow data can take up to a week with our current platform. We are analyzing different options to see if a cost effect solution can be found. We have meetings/discussions scheduled with US-CERT, Carnegie Melon, DARPA, cloud providers and data analysis tool providers to assess what the options are. • Expanded membership partnerships by holding 3 Open Houses (7 to 10 members on-site for a 2 day exchange program • Support State ISAO initiatives We have products and tools that would be valuable for the state ISAOs that are forming to support critical infrastructure owners and operators in their respective states. One of the first questions by any prospective ISAO member is, “how can you help me?” We can assist with that. For example, if a state provided us with the IPs and domains of its CI partners, we could add them to our databases and notify the state ISAO regarding vulnerable domains, compromised credentials, connections to sink holes, etc., belonging to their ISAO members. They would also re-distribute all of the DHS and FBI products that we currently send to members. This will be a tremendous value add, which should encourage CI owners and operators to see the value of joining the state ISAO.

2. 2017

   • Sustain monitoring of all 56 States and Territories • Increasing membership by 20% • Increasing CERT engagements by 10% • Increasing participation in the NCSR by 20% • Increasing automated indicator sharing by 20% • Promoting DHS Programs • Increasing products covered by VMP • Expanding Membership partnerships to include staff exchange program • Support State ISAO initiatives

3. 2018

   Membership in 50 states, 6,000 Localities, 6 Territories and 88 Tribes *11,000 users * Webinars, working groups and meetings bring together a nationwide network of cyber expertise to share critical cyber information and best practices * Leverage security operations center cyber intrusion detection platform capabilities, open source monitoring and a trusted nationwide community network of cyber expertise to provide a robust offering of cyber awareness

4. 2019

   Increase in membership by 40% * Increased SLTT participation in the Nationwide Cybersecurity Review by 50% *Build trusted nationwide cyber SLTT analyst to analyst collaboration via a threat intelligence platform to support threat context and prioritization *Analysts in all 50 states trained on a threat intelligence collaboration platform *Seek to reduce mean time to respond to cyber threats through use of machine capabilities to support resilience.

5. 2020

   During this period, the MS-ISAC increased in membership by 20%. There was an increase in managed cybersecurity service offerings to the Elections Subsector, including Endpoint Detection and Response (EDR) capability. The MS-ISAC launched the new Malicious Domain Blocking and Reporting (MDBR) managed service offering to mitigate threats to the SLTT community, and saw 546 SLTT organizations subscribe. During this period, the MS-ISAC added 360 members to the Indicator Sharing Program, a 73% increase. Adoption of the Nationwide Cybersecurity Review (NCSR), the cybersecurity maturity assessment, increased by over 300%.

6. 2021

   Actual Accomplishments 2021 - Thus far, the MS-ISAC and EI-ISAC expanded MDBR adoption by nearly 4000 enrolled entities as of the end of Oct, 2021, and expanded EDR endpoint coverage to 10,172 and extended the vendor contract to provide licenses to EI-ISAC members. This represents a large expansion in managed service adoption. The MS-ISAC adopted a new Threat Intelligence Platform and worked to engage SLTTs in indicator sharing and direct access to the platform. Since implementing STIX/TAXII and supporting with automated workflows and Analyst1, the MS-ISAC is able to “score” and thus prioritize the sharing of IOCs most relevant to SLTTs. The MS-ISAC ingests 211 total intelligence feeds, with 147 new added YTD, a 230% increase. 1,847 threat groups are currently tracked, and over 60,000 campaigns with potential impact to SLTTs were tracked since October 2020. Additionally, over 100 presentations have been delivered at various SLTT focused events across the U.S.

7. 2022

   Fiscal Year 2022 (funding awarded September 30, 2022; Program Year September 30, 2022 - September 29, 2023) Program Accomplishments: Thus far, the MS-ISAC and EI-ISAC have expanded MDBR adoption by 19% to 5118 enrolled entities as of the end of March, 2023, and expanded EDR endpoint coverage to cover 16,207 so far, a 32 % increase in less than a year’s time. This represents a large expansion in managed service adoption. The MS-ISAC expanded the Threat Intelligence Platform to 57 organizations. This year there was record-breaking participation by SLTT members in the Nationwide Cyber Security Review (NCSR), with 3,681 completed assessments, an increase of 414 from 2022. The total membership for the MS/EI-ISAC as of March 2023 is 18,763 which is a 14% higher than March 2022. The Coordinated Vulnerability Disclosure Program/Vulnerability Disclosure Program (CVD/VDP), which is a formalized process to receive, validate, remediate, and communicate vulnerability information on specific technology systems from security researchers, will continue to expand and be an efficient way for an election organization to improve its security posture. Web Application Firewall service, which provides SLTT members protection against HTTP-based inbound attacks and Distributed Denial of Service Protection DDOS protection, will continue to mature. Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) will continue to improve the efficiency and effectiveness of the Security Operations Center (SOC) by enhancing the automation and orchestration of tasks and processes, requiring that products and services be automation-enabled through use of Application Programming Interfaces (APIs). Enhanced Malicious Domain Blocking and Reporting (MDBR+) will provide an additional layer of cybersecurity protection through policy-based blocking of DNS activity, access to real-time DNS activity, enhanced reporting and portable device protection with the use of client software and virtual machines to SLTT members. Development of the Critical Infrastructure Baseline Security program will continue.

8. 2023

   CISA awarded a SLTT SOC

   ISAC Program cooperative agreement in FY 2019 with a 4-year period of performance that ended on September 29, 2023. During the final 1-year budget period in FY 2023, the recipient continued to operate a SOC ISAC to provide cybersecurity services to SLTT government members, with total SLTT government membership increasing to 18,763 (a 14% increase since March 2022). These services resulted in an expansion in managed service adoption by SLTT government members, to include the deployment of Albert sensors and EDR. These services have also resulted in SLTT government members taking other actions to improve their cybersecurity resilience, such as a record breaking 3,681 members completing the Nationwide Cyber Security Review (NCSR) (an increase of 414 from 2022). The recipient has also taken other actions to improve the level of services available to SLTT government members.

   CISA award a single SLTT SOC

   ISAC Program cooperative agreement in FY 2023 with a 2-year period of performance from September 30, 2023, to September 29, 2025. As the period of performance did not begin until the very end of the FY 2023, the recipient did not have any significant accomplishments in FY 2023.

9. 2024

   The projected accomplishments of the recipient of the FY 2023 cooperative agreement award during the first budget period from September 30, 2023, to September 29, 2024, include expanding the number of SLTT governments using the cybersecurity services provided by the SOC ISAC in FY 2023, streamlining the data and reporting effort for the NCSR, and updating the Albert sensor functionality. The projected accomplishments also include the recipient continuing to engage with the ISAC members by providing distanced outreach and stakeholder engagement through virtual service reviews and remote speaking engagements. CISA projects that it will issue continuation funding for the FY 2023 cooperative agreement award for a second 1-year budget period from September 30, 2024, to September 29, 2025.

10. 2025

    The projected accomplishments of the recipient of the FY 2023 cooperative agreement award during the second and final 1-year budget period from September 30, 2024, to September 29, 2025 (assuming CISA issues continuation funding) include providing and maintaining Cybersecurity advisory, engagement, training and education services, Malicious Domain Blocking and Reporting (MDBR), Incident response assistance, 24x7x365 Security Operations Center Monitoring and, Endpoint Detection and Response (EDR). Considering Congressionally mandated funding reductions, this will be performed by identifying highest impact and greatest demand services in coordination with the Project Officer. CISA anticipates that it will compete and award a new cooperative agreement award in FY 2025 with a period of performance from September 30, 2025, to September 29, 2027.

Single Audit Applies (2 CFR Part 200 Subpart F):

For additional information on single audit requirements for this program, review the current Compliance Supplement.

There are no implementing regulations in the Code of Federal Regulations for the SLTT SOC | ISAC Program. The Notice of Funding Opportunity will establish the procedures for applying for and administering a federal award and the policies and procedures for determining eligibility of applicants, eligibility of work, and eligibility and allowability of costs for a federal award. In addition to complying with the Notice of Funding Opportunity, all recipients must comply with the Department of Homeland Security Standard Terms and Conditions in effect at the time of the federal award (which can be found at www.dhs.gov/publications/fy15-dhs-standard-terms-and-conditions), all other terms and conditions set forth in the federal award, and all other applicable laws and regulations.

1. III.