ONC FUNDING FOR CYBER THREAT INFORMATION SHARING IN THE HEALTH CARE AND PUBLIC HEALTH (HPH) SECTOR

Funding Agency:
Department of Health and Human Services

In recent years, several bills have been introduced in Congress aimed at improving cyber threat information sharing, notably the Cybersecurity Information Sharing Act (CISA), part of the Consolidated Appropriations Act of 2016 (Pub.L. 114–113 114th Congress). CISA outlines new requirements for the Department of Homeland Security, Sector-Specific Agencies (including the Department of Health and Human Services (HHS), and private industry with respect to cyber threat information sharing. Section 405(c) of the Act establishes Health Care Industry Cybersecurity Task Force. Section 405 (c) (1) (D) and 405 (c) (1) (E) outline the task force’s duties regarding recommendations for cybersecurity threat information dissemination, including establishing a plan for federal Government and Health Care and Public Health (HPH) sector stakeholders to share actionable cyber threat indicators and defensive measures. 

Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, defined HHS’s information sharing role with respect to cybersecurity threats. EO 13636 calls on HHS to participate with other Sector-Specific Agencies and the Department of Homeland Security to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.” 

On February 13 2015, the President signed Executive Order (EO) 13691, Promoting Private Sector Cybersecurity Information Sharing. EO 13691 encourages the development of information sharing and analysis organizations (ISAOs) to serve as focal points for cybersecurity collaboration within the private sector and between the private sector and government. This broadens existing terminology related to information sharing and analysis centers (ISACs), by identifying ISACs as one type of organization among other types of ISAOs. The ISACs are similar to an ISAO in that both provide a central resource for gathering information on cyber threats to critical infrastructure and two-way sharing of cyber threat information between the private and public sector. This EO also calls for developing a common set of voluntary standards for ISAOs. It also calls for a broadening of information sharing activities to include not just cybersecurity threats but also cybersecurity risk and incident information. 

This Funding Opportunity Announcement (FOA) announces a cooperative agreement funding opportunity for an existing ISAO or ISAC for the Health Care and Public Health (HPH) sector. The purpose of this cooperative agreement is to build the capacity of information sharing and analysis organization (ISAO) to share cyber threat information (CTI)1 bi-directionally between HHS and the HPH sector about cyber threats and to provide outreach and education to the HPH sector to improve cyber security awareness within the sector and to equip sector stakeholders to take action in response to CTI shared by the ISAO.

A streamlined process for CTI sharing will allow HHS to send CTI to a single entity and give that entity the responsibility for timely disseminating the information for the benefit of the entire HPH sector on an equitable and timely basis. This Funding Opportunity Announcement (FOA) targets existing ISAOs or ISACs that currently have members they serve in various capacities. Under this FOA, the recipient shall continue to serve its current members. This Funding Opportunity Announcement (FOA) is intended to fill a gap by providing resources to broaden access to enable CTI sharing and dissemination of that information across the HPH sector. By providing these funds, technical assistance, and access to federal resources, it is expected that the recipient will be able to: 1) expand its current membership base; 2) focus more of its business and resources on CTI sharing; 3) create a lower entry cost for smaller HPH sector organizations who wish to join an ISAO; and 4) provide some level of free CTI sharing services to the entire HPH sector. 

It is anticipated that the chosen recipient will be an entity that is already providing outreach and technical assistance to participating organizations on cyber threats. The government encourages organizations to develop the mechanism to collaborate on a single application if doing so would strengthen the overall capacity of the eventual ISAO. 

Deadline: Aug. 19, 2016

Agency Website

Eligibility Requirements

Eligible Applicants:

  • Local, Public nonprofit institution/organizations, Private nonprofit institution/organization, private and for profit organizations that are already providing outreach and technical assistance to participating organizations on cybersecurity threats.
  • Organization that currently provides CTI sharing services to some parts of the HPH sector and seeks to expand the reach of those services.
  • Organization that provides CTI sharing services to a sector, other than HPH, and seeks to expand their services to the HPH sector.
  • Note that nothing prevents two or more organizations from joining forces to apply under a single application for this FOA, and in fact, because CTI sharing is a collaborative exercise that needs everyone’s participation, such collaboration is encouraged. 

Amount

$250,000

Amount Description

The recipient may anticipate a total budget of $250,000 from ONC for the first year. Continued funding will be contingent on the recipient continuing to meet all the milestones and the availability of funds. 

Funding Type

Grant

Category

Medical
Medical - Basic Science
Social Sciences

External Deadline

August 19, 2016