Virginia Information Technology Agency (VITA) and Albert Sensors

The Center for Internet Security (CIS) is a federally funded nonprofit that has contracted through the use of Memorandums of Agreement (MOAs) with, as we currently understand it, all fifty states. The MOA authorizes the use of Albert sensors to monitor intrusion attempts on state networks, apparently prompted by Russian attempts to interfere in the 2016 presidential election. According to Michael Gregg, North Dakota’s chief information security officer, the Albert sensors “typically warn of threats by sending an email containing an IP address, leaving analysts to conduct further research.”

The Joint GCC SCC Statement on Senate Intelligence Committee’s First Russian Interference Report dated July 2019 states,

The 2018 midterm elections saw unprecedented levels of coordination between all levels of government and the private sector election companies, and the 2020 election will improve on that effort. Currently, all 50 states are members of the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), along with more than 1,800 local jurisdictions, and fourteen private sector companies making it the fastest growing ISAC in history. Additionally, all 50 states, two territories, and 96 localities have intrusion detection systems, known as Albert sensors, on their networks, and the Cybersecurity and Infrastructure Security Agency (CISA) is providing remote vulnerability scanning and risk assessments upon request to government and private sector entities. In June, 47 states, three territories, more than a thousand local officials, their private sector partners and the federal government participated in the second annual ‘Tabletop the Vote’ exercise to improve preparedness, information sharing, response, and recovery.

In Virginia, the MOA went into place in 2016 and is between the Virginia Information Technology Agency (VITA) and the Center for Internet Security (CIS). It uses two acronyms: MS-ISAC, the Multi-State Information Sharing and Analysis Center, and SLTT, which refers to U.S. State, Local, Tribal, and Territorial government organizations. VITA confirmed the 2016 MOA is still in effect as of March 2023. References to CIS can also be found on VITA’s website at the following links,

The following are excerpts from the MOA between VITA and CIS,

Consideration

Federally Funded Cyber Security Services – Pursuant to the agreement with the federal government, CIS is providing Cyber Security Services and associated security devices at no charge to Entity.

Pg 2, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

In its role as the MS-ISAC, CIS has been recognized by the United States Department of Homeland Security (DHS) as a key Cyber Security resource for all fifty states, local governments, United States territories, and tribal nations (SLTT); and

WHEREAS, CIS operates a twenty-four hours a day, seven days per week (24/7) Security Operations Center (SOC); and

WHEREAS, CIS has entered into an agreement with the federal government to provide base level Cyber Security Services to SLTT; and

WHEREAS, the Entity is one of the recipients of the Cyber Security Services.

Pg 1, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

  1. Security Operation Center (SOC) – 24 X 7 X 365 watch and warning center that provides network monitoring, dissemination of cyber threat warnings and vulnerability identification and mitigation recommendations.
  2. Cyber Security Services (CSS) – Combined Netflow and intrusion detection system monitoring and analysis of related data, and delivery and management of associated devices, hardware and software necessary for delivery of CSS. Also referred to as Albert monitoring services. For purposes of clarification, the performance of the Cyber Security Services does not require or involve the decryption of any encrypted traffic.

Pgs 1, 2, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

C. CIS will provide the following as part of the service:

  1. Analysis of logs from monitored security devices for attacks and malicious traffic;
  2. Analysis of security events;
  3. Correlation of security data/logs/events with information from other sources;
  4. Notification of security events per the Escalation Procedures provided by Entity.
  5. Ensuring that all upgrades, patches, configuration changes and signature upgrades are applied to managed devices. CIS will provide the appropriate license and support agreements for the upgrade for devices provided by CIS. The Entity is responsible for maintaining the appropriate license and support agreements for devices owned by the Entity.

D. Access to Stored Flow Data. CIS shall provide access to normalized logs, security events and netflow data through batch queries.

Pg 9, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

Confidentiality Obligation

CIS acknowledges that information regarding the infrastructure and security of Entity information systems, assessments and plans that relate specifically and uniquely to the vulnerability of Entity information systems, the results of tests of the security of Entity information systems insofar as those results may reveal specific vulnerabilities or otherwise marked as confidential by Entity (“Confidential Information”) may be provided by Entity to CIS in connection with the services provided under this Agreement. The Entity acknowledges that it may receive from CIS trade secrets and confidential and proprietary information (“Confidential Information”). Both Parties agree to hold each other’s Confidential Information in confidence to the same extent and the same manner as each party protects its own confidential information, but in no event will less than reasonable care be provided and a party’s information will not be released in any identifiable form without the express written permission of such party or as required pursuant to lawfully authorized subpoena or similar compulsive directive or is required to be disclosed by law, provided that the Entity shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. CIS shall, however, be permitted to disclose relevant aspects of such Confidential Information to its officers, employees, agents and CIS’s cyber security partners, including federal partners, provided that such partners have agreed to protect the Confidential Information to the same extent as required under this Agreement. The Parties agree to use all reasonable steps to ensure that Confidential Information received under this Agreement is not disclosed in violation of this Section. These confidentiality obligations shall survive any future non-availability of federal funds to continue the program that supports this Agreement or the termination of this Agreement.

Pg 3, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

Certification.

Entity shall complete the attached Entity Certification documenting compliance with the following:

That the Entity provides notice to its employees, contractors and other authorized internal network users (collectively, “Computer Users”) that contain in sum and substance the following provisions:

Computer Users have no reasonable expectation of privacy regarding communications or data transiting, stored on or traveling to or from Entity’s information system; and

Any communications or data transiting, stored on or traveling to or from the Entity’s information system may be monitored, disclosed or used for any lawful government purpose; and

That all Entity Computer Users execute some form of documentation or electronic acceptance acknowledging his/her understanding and consent to the above notice. Examples of notice documentation include, but are not limited to:

  • log-on banners for computer access with an “I Agree” click through;
  • consent form signed by the Computer User acknowledging Entity’s computer use policy; or
  • computer use agreement executed by the Computer User.

Pg 8, MEMORANDUM OF AGREEMENT BETWEEN THE CENTER FOR INTERNET SECURITY/MULTI-STATE
INFORMATION SHARING AND ANALYSIS CENTER AND COMMONWEALTH OF VIRGINIA
VIRGINIA INFORMATION TECHNOLOGIES AGENCY FOR CYBER SECURITY SERVICES (Federally Funded Services)

Of further interest is that Prince William County also has an MOA with CIS, effective September 2020, and it pertains to the Northern Virginia Emergency Response Systems (NVERS) and “election entities.”

The MOA between VITA and CIS can be downloaded here.