The following terms of service (“ToS”) set forth the terms for membership (“Membership”) in the Political Campaign Information Sharing and Analysis Organization (“PC-ISAO” or “Party”). As a participating member of the PC-ISAO (“Member” or “you” or “Party”), you agree that you will share information through the PC-ISAO in accordance with the terms set forth below. Membership is contingent upon approval by PC-ISAO and payment of applicable fees. These terms are effective from the approval date of the Member by the PC-ISAO. If your organization does not qualify as a PC-ISAO Member or cannot agree to the terms as set forth herein, please contact US CyberDome Education Center for further discussion.
1. Definitions
Community: U.S. federal, state, local, tribal, and territorial political campaigns and supporting entities such as party committees, as well as relevant think tanks and non-governmental organizations.
Cybersecurity Purpose: Pursuant to the Cybersecurity Information Sharing Act of 2015 (CISA 2015), information that is, or is used to develop, “cyber threat indicators” and/or “defensive measures,” where best effort has been made to remove all personal information, or information that identifies a specific person (see Cybersecurity Information Sharing Act of 2015 Procedures and Guidance for more information).
Data: the information shared for a Cybersecurity Purpose by either PC-ISAO or any Member in accordance with these Membership ToS.
Member: A qualifying organization under the PC-ISAO that has agreed to these ToS. For purposes of these ToS, Member shall also include all employees and formally affiliated volunteers of the Member.
PC-ISAO: The Political Campaign Information Sharing & Analysis Organization, an ISAO registered with the ISAO Standards Organization and operated by the US CyberDome Education Center.
Proprietary Information: confidential, proprietary, and trade secret property.
2. PC-ISAO Purpose. The PC-ISAO has been established to facilitate the sharing of cyber Data among PC-ISAO Members in order to facilitate communication regarding cyber readiness and response efforts. These efforts include, but are not limited to, disseminating early warnings of cyber threats, providing trends and other analysis for security planning, and distributing current best security practices and suggestions.
3. PC-ISAO Membership. Membership in the PC-ISAO is limited to those U.S. political campaigns, their employees, and their formally affiliated volunteers, who are responsible for political campaigns within their respective level of government including but not limited to federal, state, local, tribal, and territorial levels of government. Member agrees to be contacted, and to have their organization contacted, by the PC-ISAO for the purpose of verifying (1) the existence of the campaign; (2) accuracy of address and physical location; and (3) that the applying individual is a valid employee or formally affiliated volunteer of the applicant campaign with authority to bind the Member.
4. Operation of the PC-ISAO. The PC-ISAO will be operated and supported by the US CyberDome Education Center, a not for profit corporation focused on enhancing the cyber security readiness and response of political campaigns and associated organizations. PC-ISAO may also retain contractors from time to time to provide services to the PC-ISAO and its Members, in which case those contractors are bound to confidentiality through a non-disclosure agreement and operate as part of the US CyberDome Education Center management and oversight of the PC-ISAO.
5. Data Protection. PC-ISAO and Member both acknowledge that the protection of shared Data is essential to the security of both Member and the mission of the PC-ISAO. The intent of the Data protection terms is to: (a) enable Member to make disclosures of Data to PC-ISAO while still maintaining rights in, and control over, the Data; and (b) set a common information sharing protocol that will determine the extent to which Data can be shared with others.
6. Data Sharing Protocol. All Data submitted, processed, stored, archived, or disposed of in connection with the PC-ISAO will be classified and handled using the Forum of Incident Response and Security Teams (FIRST) Traffic Light Protocol (TLP), as described in the Cybersecurity and Infrastructure Security Agency (CISA) Traffic Light Protocol 2.0 Users Guide. In the event that Data is shared by the Member or PC-ISAO and such Data does not include a TLP designation, it shall be considered as having been designated TLP:AMBER unless and until the entity sharing the Data subsequently changes the designation. Data may be shared by the PC-ISAO with TLP:AMBER or lower restrictions with the following handling requirements:
- TLP:AMBER – may be shared by the PC-ISAO with Members of the PC-ISAO. Members may share information with their service providers on a need-to-know basis. No further sharing is permitted.
- TLP:GREEN – may be shared by the PC-ISAO with Members of the PC-ISAO, the Community, and others as appropriate. Members may share with others in the Community as appropriate.
- TLP:CLEAR – may be shared outside the Community and discussed in a public forum.
Data must be disclosed, transported, stored, transmitted, and disposed of in a safe and secure manner using controls appropriate to TLP level, including, but not limited to, encryption, shredding, securely erasing, and degaussing of media.
Notwithstanding the foregoing, unless a Member designates in writing that the Data in question cannot be shared or that such sharing is subject to stated restrictions, all Data provided by Members to the PC-ISAO may be shared with US CyberDome Education Center employees and contractors, PC-ISAO Members, and the Community, provided the Data is anonymized and not attributable to Member.
7. Data License. Through the act of sharing Data, the contributing Member grants US CyberDome Education Center a perpetual, world-wide, royalty free license to contributed Data. Nothing in these ToS grants PC-ISAO Members an express or implied license or an option on a license, or any other rights to, or interests in, the Data. The provisions of this Section shall survive the expiration of the Membership.
8. Other Data Designation. PC-ISAO and Member acknowledge that certain Data may also be designated with a notice of patent, copyright, trade secret or other proprietary right and PC-ISAO and Member each agree not to remove, alter or obscure any such designation without the prior written authorization of the Party sharing the Data.
9. Data Retraction. If a Member retracts any Data it sent to the PC-ISAO, then, upon notification by the Member, the PC-ISAO will delete such Data and all copies thereof, and as applicable, notify other PC-ISAO Members and its Affiliates to delete the Data. Upon receiving such notification, PC-ISAO Members will delete such information and all copies thereof. If a PC-ISAO Member is unable to delete the Data based on applicable law, then that Member will continue to maintain the confidentiality of the Data consistent with the TLP designation assigned to the Data.
10. Demand for Data. If any third party makes a demand for any Data, the PC-ISAO or any other Member receiving such a demand, to the extent allowed by law, shall immediately forward such request to the Member who shared the Data and consult and cooperate with that Member and will make reasonable efforts, consistent with applicable law and the applicable TLP designation, to protect the confidentiality of the Data. The Member sharing the Data will, as needed, have the opportunity to seek judicial or other appropriate avenues of redress to prevent any release.
11. Reports with Attribution. As part of its information sharing efforts, the PC-ISAO may prepare content for written reports, papers, or other writings that include Data where the cybersecurity value of that Data is dependent upon personal information, or information that identifies a specific person. Whenever possible, the PC-ISAO will anonymize such Data in reporting. In circumstances where the Data cannot be anonymized without significantly reducing the informational value of the report, the Member who shared the Data shall be provided a period of time to review the content of such reports, papers, or other writings and has the right to review the content and make recommendations and comments on it. The PC-ISAO and Members agree to work together in good faith to reach mutually agreed upon content for the report. If the Parties are unable to reach agreement on the content, the Member has the right to preclude use of their Data.
12. Proprietary Information. Unless otherwise designated, the code and content in the PC-ISAO Members portal is the Proprietary Information of US CyberDome Education Center. Members shall not disclose, provide, or otherwise make available the Proprietary Information of US CyberDome Education Center to any person other than Member’s authorized employees or agents who are under a confidentiality agreement, and Member shall not use the Proprietary Information other than exclusively for Member’s internal operational purposes. Member shall take steps to protect the Proprietary Information no less securely than if it were Member’s own intellectual property and proprietary information, and conform with TLP as applicable. The provisions of this Section shall survive the expiration of the Membership.
13. Member Restrictions. Member shall not, and shall require its authorized users not to, directly or indirectly:
- use (including make any copies of) the PC-ISAO Member portal, Proprietary Information, or copyrighted documentation beyond the scope of the Membership;
- share passwords, usernames or other login credential information provided by the PC-ISAO solely to benefit Member;
- modify, translate, adapt, or otherwise create derivative works or improvements, whether or not patentable, of the PC-ISAO Member portal, Proprietary Information, or copyrighted documentation or any part thereof;
- combine the PC-ISAO Member portal or any part thereof in any other programs;
- reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain access to the source code of the PC-ISAO Member portal, or any part thereof;
- remove, delete, alter, or obscure any trademarks or any copyright, trademark, patent, or other intellectual property or proprietary rights notices provided on or with the PC-ISAO Member portal, Proprietary Information, or copyrighted documentation, including any copy thereof;
- rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available the PC-ISAO Member portal, to any third party for any reason; or
- use the PC-ISAO Member portal, Proprietary Information, or copyrighted documentation in violation of any law, regulation, or rule.
14. Member Obligations. Member’s obligations under these terms shall continue so long as they remain a Member of the PC-ISAO, except that the obligations of confidentiality of Data as provided herein shall survive the expiration of the Membership.
15. Incident Reporting. Any suspected or actual compromise of the PC-ISAO Members portal, disclosure of Data beyond the designated TLP restrictions, or violation of these ToS shall be immediately reported to info@uscdec.org.
16. Term and Termination of Membership. Membership shall automatically renew annually unless terminated by either Party. Member may terminate its PC-ISAO Membership at any time upon written notice to the PC-ISAO. PC-ISAO may terminate a Membership at any time upon written notice to the Member. Neither PC-ISAO nor its employees, agents, contractors, subcontractors, information providers, or other PC-ISAO Members shall be liable to Member for any costs, expenses or damages whatsoever for terminating a Member, and Member shall not be entitled to any refunds for amounts paid to PC-ISAO.
17. Indemnification. Each Party shall indemnify, defend and hold harmless the other Party and its respective directors, officers, employees and agents, from and against any claims, losses, damages or expenses (including reasonable attorney fees, expenses and disbursements) by third parties pertaining to the actual or alleged infringement of any intellectual property right, including, without limitation, patents, copyrights, trademarks, service marks, or misappropriation of trade secrets or any similar property rights, arising from the indemnified Party accessing, using or distributing information provided by the indemnifying Party, while in accordance with the ToS for PC-ISAO Membership.
18. Limitation of Liability. In no event shall either Party be liable to the other Party or to any third party for incidental, special, punitive, or consequential damages (including without limitation lost profits) arising from PC-ISAO Membership, even if such Party or Member has been advised of the possibility of such damages. PC-ISAO’s maximum liability to a Member under this Membership shall be zero U.S. Dollars. Notwithstanding the foregoing, no limitation of either Party’s liability shall apply with respect to any claims based on such Party’s fraud, willful misconduct or gross negligence, indemnification obligations, or breaches of confidentiality.
19. Limited Release. PC-ISAO may use Member organization name and visuals (e.g., seal, logo) to confirm in discussions, presentations, and print, both public and private, future, current, or past delivery of ISAO services to Member organization. The PC-ISAO may not indicate anything other than Member’s organization’s participation in the ISAO.
20. Severability. Should any court of competent jurisdiction consider any provision of these ToS to be invalid, illegal, or unenforceable, such provisions shall be considered severed from these ToS. All other provisions, rights, and obligations shall continue without regard to the severed provision(s).
21. Entire Understanding. These ToS contain the entire understanding between PC-ISAO and Member with respect to the Proprietary Information described herein and supersede all prior understandings whether written or oral. This provision does not apply to non-ISAO written or oral understandings between US CyberDome Education Center and the Member organization.