Multi-State Information Sharing and Analysis Center


This program addresses the DHS mission to Safeguard and Secure Cyberspace, as defined in the Quadrennial Homeland Security Review, through efforts to support the state, local, tribal and territorial (SLTT) governments and election infrastructure to keep pace in sharing cyber threat information and responding to cyber risk in as close to real-time as possible. This program leverages the strength of market technology forces to spur innovative strategies within a Security and Operations Center (SOC) to enable a cyber-relevant Infrastructure Sharing and Analysis Center (ISAC) operating model that is consistent with section 227 of the Homeland Security Act, Executive Order 13636, Executive Order 13691, and Presidential Decision Directive-63 (PDD-63). Specifically, section 227(d)(E) requires the composition of the national cybersecurity and communications center (NCCIC) to include ?an entity that collaborates with State and local governments on cybersecurity risks and incidents.? This program convenes state-of-the-art SOC technology and their cyber analytic expertise with SLTT cyber coordinators, cyber and fusion center coordinators, and critical SLTT sectors (to include elections, communications, energy etc.) to evolve cyber capabilities from mission control to community collaboration models that face current threats in the digital battlefront. Services will allow SLTT stakeholders to consume and exchange awareness of threats via technologies that serve to derive a more accurate and timely picture of prioritized cyber defense actions. All the while, ensuring coordination is sustained with federal partners to defend forward and prevent or thwart malicious cyberspace actors and activities. Thus, through these efforts, making improvements in technical cyber expertise, providing for a more efficient response and recovery time of systems during attack and developing resilience capabilities for our nation?s SLTT government sector. Objectives Provide a 24x7 SOC| ISAC that fosters a platform for generating and disseminating cyber threat information and coordinating cybersecurity expertise upon which SLTT governments can rely when making decisions that enable adequate preventative and response measures to cyber threat. By integrating the SLTT cyber ecosystem, and empowering insight and cyber situational awareness from across the SLTT trusted circle, the community will mutually benefit from the innovative measures that protect and improve defenses. Priorities: Successful execution will focus customer relationships on enhanced models for threat intelligence exchange. New technologies in data analytic correlation, collaborative threat intelligence and orchestration have created opportunities for faster and actionable threat intelligence exchange. The priority in focus is on providing rapid rollout capacity to serve as a connective platform for cooperative threat intelligence sharing that relies upon robust analytic-informed decisions to actively operationalize threat intelligence and provide enhanced cyber defense.

General information about this opportunity
Last Known Status
Program Number
Federal Agency/Office
National Protection and Programs Directorate, Department of Homeland Security
Type(s) of Assistance Offered
B - Project Grants; Z - Salaries and Expenses
Program Accomplishments
Fiscal Year 2016 Objective 1: Acting as the DHS CS&C Liaison for Cyber Security to SLTT governments. Objective 2: Sustaining Network Analysis Services to all 50 States and 6 Territories. Objective 3: Analyzing threat and attack information to maintain a real time cybersecurity posture of the SLTT sector. Objective 4: Developing appropriate mitigation strategies to assist SLTTs. Objective 5: Information Sharing, Incident management and response. Objective 6: Implementation of the Nationwide Cyber Security Review. Objective 7: Implementation of the MS-ISAC SCIF and facilitation of classified information sharing with DHS and State and local Fusion Centers. Objective 8: Support DHS’s weather map through metrics and data reporting. • Completing monitoring expansion to all 56 States and Territories • Increased membership by 31.5% • Number of MS-ISAC CERT engagements 169 in 2014, 164 in 2015 and 171 in 2016 An Engagement is assisting an SLTT with a cyber incident. This typically may include one, or all of the following: log analysis, malware analysis and full forensics review of the suspect system (s) and remediation recommendations. • Increased local participation in the NCSR by 103% • Increased automated indicator sharing by 157% (from 33 to 85 entities) This is the number of entities that are connected to the automated indicator sharing platform (Soltra Edge) which includes DHS. • Promoting DHS Programs such as NCATS, Cyber Security Exercises, Cyber Security Advisors, distribute DHS materials, etc. to the MS-ISAC members and conference attendees across the country. • Increased products covered by VMP by 142% (from 7 products to 17) • Increased threat actor tracking by 81% (from 326 to 591 actors) The threat actor tracking enables us to identify TTPs which are available to all MS-ISAC analysts. The analysts use this information in analyzing and providing assessment of threats and responding attacks impacting SLTTs. Threat actor tracking in also used to develop signatures that are deployed to Albert devices. The information is also used in reports provided to members. • Analyzing the use of cloud services for data analysis. The size and scale of our Netflow data repository has exceeded our ability to provide timely enterprise analysis of the data. A query of all of our Netflow data can take up to a week with our current platform. We are analyzing different options to see if a cost effect solution can be found. We have meetings/discussions scheduled with US-CERT, Carnegie Melon, DARPA, cloud providers and data analysis tool providers to assess what the options are. • Expanded membership partnerships by holding 3 Open Houses (7 to 10 members on-site for a 2 day exchange program • Support State ISAO initiatives We have products and tools that would be valuable for the state ISAOs that are forming to support critical infrastructure owners and operators in their respective states. One of the first questions by any prospective ISAO member is, “how can you help me?” We can assist with that. For example, if a state provided us with the IPs and domains of its CI partners, we could add them to our databases and notify the state ISAO regarding vulnerable domains, compromised credentials, connections to sink holes, etc., belonging to their ISAO members. They would also re-distribute all of the DHS and FBI products that we currently send to members. This will be a tremendous value add, which should encourage CI owners and operators to see the value of joining the state ISAO.
Fiscal Year 2017 • Sustain monitoring of all 56 States and Territories • Increasing membership by 20% • Increasing CERT engagements by 10% • Increasing participation in the NCSR by 20% • Increasing automated indicator sharing by 20% • Promoting DHS Programs • Increasing products covered by VMP • Expanding Membership partnerships to include staff exchange program • Support State ISAO initiatives
Fiscal Year 2018 Membership in 50 states, 6,000 Localities, 6 Territories and 88 Tribes *11,000 users * Webinars, working groups and meetings bring together a nationwide network of cyber expertise to share critical cyber information and best practices * Leverage security operations center cyber intrusion detection platform capabilities, open source monitoring and a trusted nationwide community network of cyber expertise to provide a robust offering of cyber awareness
Fiscal Year 2019 Increase in membership by 40% * Increased SLTT participation in the Nationwide Cybersecurity Review by 50% *Build trusted nationwide cyber SLTT analyst to analyst collaboration via a threat intelligence platform to support threat context and prioritization *Analysts in all 50 states trained on a threat intelligence collaboration platform *Seek to reduce mean time to respond to cyber threats through use of machine capabilities to support resilience.
Fiscal Year 2020 Increase in membership by 30% * SLTT Cyber Analyst to Analyst threat intelligence collaboration platform participation across the majority of entity membership * Increase of 30% of SLTT entities submitting automated cyber threat indicators.
Homeland Security Act of 2002, Title II, 6 U.S.C. 121(d) Public Law 115-31 Consolidated Appropriations Act, 2017, Division F --Department of Homeland Security Appropriations Act 2017; Title III Protection, Preparedness, Response and Recovery, National Protection and Programs Directorate, Operations and Support., Title III, Public Law 115-31
Homeland Security Act of 2002, Title II, 6 U.S.C. 121(d)
Who is eligible to apply/benefit from this assistance?
Applicant Eligibility
This funding opportunity is awarded through an open competitive process. Specific information on applicant eligibility is identified in the funding opportunity announcement.
Beneficiary Eligibility
State Governments, local government, territorial governments, tribal governments and territories
Refer to Section 140: Regulations, Guidelines, and Literature.
What is the process for applying and being award this assistance?
Pre-Application Procedure
Preapplication coordination is not applicable.
Application Procedure
2 CFR 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards applies to this program. Application deadline and other information are contained in the application.
Award Procedure
Applications or plans are reviewed by DHS program and administrative staff. Any issues or concerns noted in the application will be negotiated with the successful applicant prior to the award being issued.
Contact the headquarters or regional location, as appropriate for application deadlines
Approval/Disapproval Decision Time
Refer to Funding Opportunity Announcement.
Not applicable.
Subject to future appropriations.
How are proposals selected?
This funding opportunity is restricted to the for Security Multi-State Information Sharing and Analysis Center (MS-ISAC). Specific information on criteria for selecting proposals is identified in the funding opportunity announcement.
How may assistance be used?
Restricted to supporting the activities of the Multi-State Information Sharing and Analysis Center (MS-ISAC), involving engagement with State, Tribal and local governments. Additional information concerning uses and restrictions is contained in the Funding Opportunity Announcement document or can be obtained from the administering program office identified in this announcement. Financial and nonfinancial assistance may be provided for the following: salaries, materials and supplies, equipment, travel, publication costs, subcontractor and supporting costs required for technical and other activities necessary to achieve the objective. Restrictions on use of funds will be identified in the funding opportunity announcement and award provisions. See Funding Opportunity Announcement. Refer to program guidance.
What are the requirements after being awarded this opportunity?
Performance Reports: Grantees are required to submit a monthly report of planned, projected and disbursed funds.
Not applicable.
Grant records shall be retained for a period of 3 years from the day the recipient submits its final expenditure report. If any litigation, claim, negotiation, audit, or other action involving the records has been started before the expiration of the 3-year period, the records must be retained until completion of the action and resolution of all issues which arise from it, or until the end of the regular 3-year period, whichever is later. Grant records include financial and program/progress reports, support documents, statistical records, and other documents that support the activity and/or expenditure of the recipient or sub-recipient under the award.
Other Assistance Considerations
Formula and Matching Requirements
Statutory formula is not applicable to this assistance listing.

Matching requirements are not applicable to this assistance listing.

MOE requirements are not applicable to this assistance listing.
Length and Time Phasing of Assistance
Refer to Funding Opportunity Announcement. Awards are subject to the Cash Management Improvement Act for payment and/or reimbursement of expenditures. Refer to Funding Opportunity Announcement.
Who do I contact about this opportunity?
Regional or Local Office
None/Not specified.
Headquarters Office
Donna C. Beach
245 Murray Lane, SW, Mail Stop 0115
Attention: 720-A
Washington, DC 20528 US
Phone: (703) 705-6213
Website Address
Financial Information
Account Identification
(Salaries and Expenses) FY 18$10,447,510.00; FY 19 est $10,468,300.00; FY 20 est $10,468,300.00; FY 17$9,500,000.00; FY 16$9,500,000.00; -
Range and Average of Financial Assistance
Refer to Funding Opportunity Announcement.
Regulations, Guidelines and Literature
44 CFR Part 13, Uniform Administrative Requirements for Grants and Cooperative Agreements to State and Local Governments,A-87, Cost Principles for State, Local and Indian Tribal Governments (2 CFR Part 225), A-110, Uniform Administrative Requirements for Grants and Agreements with Institutions of Higher Education, Hospitals and Non-Profit Organizations (2 CFR Part 215), A-21, Cost Principles for Educational Institutions (2 CFR Part 220), A-122, Cost Principles for Non-Profit Organizations (iii. 2 CFR Part 230), and A-133 Audits of States, Local Governments, and Non-Profit Organizations, in addition to program regulations, guidelines, DHS policy and procedure.
Examples of Funded Projects
Not applicable.


Federal Grants Resources