
    Impact of Federal Funding Cuts to the Value of MS-ISAC CTI

    By admin, April 5, 2026

    Federal funding cuts to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) have created an undercurrent of concern among the U.S. State, Local, Tribal, and Territorial (SLTT) community questioning whether the effectiveness of the MS-ISAC’s cyber threat intelligence (CTI) collection, analysis, production, and dissemination may be negatively impacted. After a thorough review of threat intelligence sources and capabilities, as summarized below, our assessment is that the impact of the MS-ISAC’s transition to a fee-based membership model on our CTI is minimal overall and in some aspects actually positive.

    Our Ongoing Commitment to CTI Quality

    Our commitment to CTI quality has never wavered. We continuously refine our processes by exploring new collection methods and sources, enriching incoming data, correlating it with existing intelligence, filtering out information that doesn’t meet our standards, and removing stale or inaccurate data. This ongoing effort ensures that our members receive timely, actionable, and relevant intelligence.

    Diversification of the MS-ISAC’s CTI Already in Progress

    While U.S. federal partnerships remain an important part of the threat intelligence ecosystem, the MS-ISAC had been working since late 2020 to diversify its intelligence collection and analytic capabilities to ensure continuity, resilience, and value to the U.S. SLTT community. This includes data from a growing base of Center for Internet Security® (CIS®)/MS-ISAC telemetry (e.g., Albert Network Monitoring and Management, CIS Managed Detection and Response™ (CIS MDR™), etc.), member organizations, commercial partners, ISAC partners, as well as open and dark web sources. In addition, the MS-ISAC has extended our CTI sharing to federal partners beyond the Cybersecurity and Infrastructure Security Agency (CISA). Both CISA and our other federal partners have indicated that they plan to continue to share threat data with the MS-ISAC.

    Here are some noteworthy highlights of our CTI diversification process.

    CTI Integrated into Custom Albert Signature Development

    Since mid-2021, the number of federally funded Albert sensors has remained static at about 200 devices, while member-procured Albert devices have grown by 68%. Today, the full Albert fleet comprises more than 1,100 sensors deployed on U.S. SLTT government networks. In 2025, due to deliberate integration of CTI into custom signature development, Albert incident detections grew 18%. These signatures are both built on MS-ISAC intelligence and a source for it.

    Unique Endpoint Security Insights from CIS MDR

    Over the same period, CIS MDR experienced explosive growth of 2,625%, adding nearly 300,000 endpoint sensors onto U.S. SLTT networks. Due to their location on individual endpoints, including servers and even network devices, the CIS MDR data set is a much richer data set than Albert for intelligence support. CIS MDR detections often include unique details that directly support CTI analysis and incident response.

    Consolidation of Real-Time CTI Feeds

    In late 2020, the MS-ISAC’s CTI organization redesigned threat collection and analysis, moving everything into a single Threat Intelligence Platform (TIP). The new TIP gave the MS-ISAC full control over threat information, driving consolidated sourcing and facilitating the introduction of automated data correlation, enrichment, and dissemination. After redesigning and deploying new real-time indicator feeds, CTI subscribers rapidly grew from a few hundred to over 7,500.

    Reduction in False Positives via Cleanup of CTI Data Set

    Throughout 2024, CTI lead analysts conducted a survey of data sources and began removing or restricting sources that did not meet our criteria of timely, actionable, and relevant to the U.S. SLTT community. This led to the removal of several sources, including some federal sources, that only contained old, stale, and deprecated artifacts or information gathered from other sources. Despite these federal sources accounting for over 35% of data ingested by CTI, on average, less than 2% of the data was unique and shareable. This cleanup effort created more efficient, higher value data and significantly reduced the number of false positives in the CTI data set.

    MS-ISAC’s Central Role in National Threat Intelligence

    For many years, the MS-ISAC has been the leading technical contributor to federal intelligence products, working jointly with CISA, FBI, and others. In fact, the overwhelming majority of threat intelligence distributed by CISA to U.S. SLTT organizations historically originated from U.S. SLTT threat data sourced by the MS-ISAC, underscoring our central role in the national cybersecurity ecosystem. In the past, this federal collaboration was prioritized over CTI internal efforts. Since early 2025, requests to support joint production dropped off almost entirely. Despite internal staff reduction due to funding cuts, this has allowed CTI to focus efforts on internally sourced technical intelligence products, including Operational Cyber Analytic Reports (OCARs), which have become the most popular CTI product among members due to their rich context. Check out this blog post based on one of our OCARs released in Q4 2025.

    A Bright Future as the Ongoing Leader of U.S. SLTT CTI

    The MS-ISAC’s intelligence collection has improved due to several factors. Staff reductions due to limited funding initially had negative impacts on analysis, production, and dissemination. However, the simultaneous introduction of automation and orchestration, combined with fewer direct support requests from the federal government to enhance their products, has offset any negative impacts.

    In summary, careful planning to diversify data collection, increase telemetry, and introduce new technology and processes has negated the impact of the loss of federal funding. As a mission-driven organization with a focus on proactive defense, the MS-ISAC will continue to remain the leader in curated U.S. SLTT CTI for the foreseeable future independent of fluctuations in federal support.

    Want to explore our upcoming CTI efforts?


