What information does CIS share with the federal government?

Generally, the Cybersecurity and Infrastructure Security Agency (CISA) has visibility into certain data that is derived from sensors/services that are funded via the Cooperative Agreement subject to confidentiality obligations. For example, CISA may request and receive the full set of Albert Network Monitoring and Management data only for those Albert deployments funded via the Cooperative Agreement, which represents approximately 20% of the deployed Albert sensor fleet.

Albert: Roughly 80% of deployed Albert sensors are paid for by U.S. state and local governments. For these SLTT-funded sensors, Albert alert data and Albert NetFlow metadata is shared with Federal partners only with the explicit approval of the individual hosting state or local organization.

The deployment of the remaining Albert sensors is funded by Congressional appropriation through the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISAC) to support cyber defense across the U.S. below the federal level. For these CISA-funded sensors, information shared with federal partners is limited to Albert alert data and Albert NetFlow metadata.

NCSR: For the Nationwide Cybersecurity Review (NCSR), CISA currently sees only anonymized data, such as threat data and self-reported maturity scores by sector. To date, this data is anonymized, so there is no organization-specific information included.

Cyber Incident Response: For cyber incident response cases, CIS shares information with CISA, including affected entity name, type of case, and case notes, unless the organization explicitly instructs the MS-ISAC not to do so. An organization may mark their case as TLP Red, in which case only non-attributional information will be shared with CISA.