Official website of the Department of Homeland Security
TLP:WHITE

Automated Indicator Sharing (AIS)

The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. Threat indicators are pieces of information like malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated).

AIS is a part of the Department’s effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator will be shared in real time with all of our partners, protecting them from that particular threat. That means adversaries can only use an attack once, which increases their costs and ultimately reduces the prevalence of cyber attacks. While AIS won’t eliminate sophisticated cyber threats, it will allow companies and federal agencies to concentrate more on them by clearing away less sophisticated attacks.

Ultimately, the goal is to commoditize cyber threat indicators through AIS so that tactical indicators are shared broadly among the public and private sector, enabling everyone to be better protected against cyber attacks.

We Need You!

The Federal Government is sharing indicators through AIS—but we always need more private sector companies to join to receive indicators and also to share indicators back with us!

How AIS Works

AIS participants connect to a DHS-managed system in the Department’s National Cybersecurity and Communications Integration Center (NCCIC) that allows bidirectional sharing of cyber threat indicators. A server housed at each participant’s location allows them to exchange indicators with the NCCIC. Participants will not only receive DHS-developed indicators, but can share indicators they have observed in their own network defense efforts, which DHS will then share back out to all AIS participants.

Participants who share indicators through AIS will not be identified as the source of those indicators to other participants unless they affirmatively consent to the disclosure of their identity. In other words, you are anonymous unless you want us to share your name.

Indicators are not validated by DHS as the emphasis is on velocity and volume: our partners tell us they will vet the indicators they receive through AIS, so the Department’s goal is to share as many indicators as possible as quickly as possible. However, when the government has useful information about an indicator, we will assign a reputation score.

AIS leverages the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) specifications for machine-to-machine communication. DHS initiated the development of these standards in 2012 and licensed them to the OASIS standards body in 2015 for their future continued evolution. Any entity participating in AIS must be able to communicate using these machine-to-machine specifications. More information about STIX and TAXII is located at www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity.

As you give us feedback about AIS, we will update it to make it even more useful to you.

The Cybersecurity Information Sharing Act of 2015

AIS is available for free through the Department’s NCCIC, a 24/7 cyber situational awareness, incident response, and management center which was designated as the central hub for the sharing of cyber threat indicators between the private sector and the Federal Government by the Cybersecurity Information Sharing Act of 2015. This legislation also grants liability protection and other protections to companies that share indicators through AIS.

As mandated by the Cybersecurity Information Sharing Act of 2015, the Department certified the operability of AIS in March 2016 and released guidance to help non-federal entities share cyber threat indicators with the Federal Government. The Department also released policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession. 

  • Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015 (PDF | 598 KB)
  • Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (PDF | 840 KB)
  • Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (PDF | 463 KB)
  • Privacy and Civil Liberties Final Guidelines: Cybersecurity Information Sharing Act of 2015 (PDF | 423 KB)

DHS also offers opportunities to share cyber threat indicators and defensive measures via web form and email. Access the web form here. Email cyber threat indicators and defensive measures to DHS at ncciccustomerservice@hq.dhs.gov. Please provide the following fields for emailed indicators:

  • Type: either indicator or defensive measure;
  • Valid time of incident or knowledge of topic;
  • Indicate tactics, techniques, and procedures (TTP), even if pointing to a very simple TTP with just a title; and
  • A confidence assertion regarding the level of confidence in the value of the indicator (e.g. high, medium, low). 

Privacy Protections

DHS has taken careful measures to ensure appropriate privacy and civil liberties protections are fully implemented in AIS and are regularly tested. The Department has published a Privacy Impact Assessment of AIS, which can be found in the left-hand menu.

To ensure that personally identifiable information (PII) is protected, AIS has processes which:  

  • Perform automated analyses and technical mitigations to delete PII that is not directly related to a cyber threat;
  • Incorporate elements of human review on select fields of certain indicators to ensure that automated processes are functioning appropriately;
  • Minimize the amount of data included in a cyber threat indicator to information that is directly related to a cyber threat;
  • Retain only information needed to address cyber threats; and
  • Ensure any information collected is used only for network defense or limited law enforcement purposes.

How to Participate in AIS

AIS is available for free to all private sector entities; federal departments and agencies; state, local, tribal, and territorial governments; information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs); and foreign partners and companies.

Steps:

  1. Agree to a short Terms of Use, which can be found on the left-hand menu.
  2. Set up a TAXII client: organizations that do not already have a TAXII capability can use the specification documentation to build their own, use the open-source DHS TAXII client available on GitHub, or purchase a commercial capability.
  3. Technical connectivity activities: purchase a PKI certificate from a commercial provider, provide your IP address to DHS, and sign an Interconnection Security Agreement.
  4. Connect directly to the DHS-managed system. You can also share indicators with DHS through a participating ISAC or ISAO.

Please email ncciccustomerservice@hq.dhs.gov for additional information and to join AIS. 

Federal agencies interested in the timely exchange of cyber threat indicators should visit the Enhance Shared Situational Awareness (ESSA) Initiative webpage.
