MFG-ISAC Terms & Conditions
Membership in Manufacturing Information Sharing and Analysis Center (“MFG-ISAC”) is contingent upon approval by MFG-ISAC, LLC. and payment of applicable fees. All members of MFG-ISAC (each a “Member” and collectively the “Members”) must abide by these terms and conditions (“T&C”) and the MFG-ISAC Operating Rules, which will be provided upon onboarding.
1. Background
The MFG-ISAC, a subsidiary of the Global Resilience Federation (“GRF”), offers a system for information exchange among entities within the manufacturing sector, as well as entities providing services to the sector, for the purposes of providing members with timely, accurate, and actionable warnings of operational and cyber threats or attacks on individual organizations as well as industry best practices and mitigation strategies.
2. Membership
(a) The Member will receive the information and other services to be provided by MFG-ISAC (the provision of such information and services by MFG-ISAC may hereinafter be referred to in these T&C as “the Services” and the Member and each other organization that satisfies the Eligibility Criteria and enters into a member agreement with MFG-ISAC to receive the Services may hereinafter be referred to in these T&C as “MFG-ISAC Members”).
(b) Member must satisfy the eligibility criteria that MFG-ISAC has provided to Member (the “Eligibility Criteria”). Such Eligibility Criteria may be amended and modified from time to time by MFG-ISAC in its reasonable discretion. Member must also be approved for membership by MFG-ISAC these T&C. Each Member hereby represents and warrants to MFG-ISAC that it satisfies the Eligibility Criteria. MFG-ISAC will notify Member promptly of any amendment or modification to the Eligibility Criteria.
(c) Member agrees to be contacted by MFG-ISAC for the purpose of verifying from time to time (1) the existence of Member; (2) the addresses and physical location(s) of Member; and (3) whether Member satisfies the Eligibility Criteria. Member agrees to provide MFG-ISAC with all certificates, documents and instruments reasonably requested by MFG-ISAC for purposes of verifying any of the information contemplated under this Section 2(c) from time to time.
(d) Member agrees to promptly notify MFG-ISAC if Member becomes aware at any time that (1) it no longer satisfies the Eligibility Criteria or (2) it will not satisfy the Eligibility Criteria for the next consecutive 30 days, but in no event more than five business days after Member first learns that it does not satisfy or will not satisfy for such consecutive 30 days the Eligibility Criteria, as the case may be.
(e) MFG-ISAC has provided Member with a copy of the Traffic Light Protocol (TLP) currently in effect. MFG-ISAC will provide email notifications to Member of each amendment or modification to the Eligibility Criteria or the TLP, with all amendments and modifications highlighted and/or annotated for applicability.
3. Term and Termination
These T&C are binding on a Member from the date of acceptance of the Member by MFG-ISAC and membership shall be automatically renewed unless terminated by Member or MFG-ISAC. Member may terminate its membership and related obligations under these T&C without cause at any time, though no pro rata amounts paid for the terminated portion of the term of the membership will be refunded. MFG-ISAC may terminate a Member’s membership if (i) Member fails to comply with the membership obligations outlined in the MFG-ISAC Operating Rules, including if Member has materially breached these T&C and such breach has not been cured; (ii) Member no longer satisfies the Eligibility Criteria; or (iii) the operation of MFG-ISAC is terminated. Neither MFG-ISAC nor GRF and their employees, agents, contractors, subcontractors, information providers, or other MFG-ISAC Members, shall be liable to Member for any costs, expenses or damages whatsoever for terminating Member’s membership based on (i) through (iii) above if such termination has been undertaken in good faith by MFG-ISAC, but in the case of a termination by MFG-ISAC under clause (iii) above MFG-ISAC will refund to Member the portion of the amounts paid to MFG-ISAC pro-rated for the terminated portion of the remaining annual term of the Member’s membership.
4. Use of Information
(a) Each Member understands and agrees that MFG-ISAC or GRF, pursuant to subpoena or other appropriate legal order, has authority to provide any information from the Member to any requesting law enforcement or government authority, including any information provided by the Member, but only to the extent so required to be disclosed under applicable law or regulation. To the extent allowed by law, MFG-ISAC or GRF will provide the Member with prompt advance notice of such order, subpoena, or other request for disclosure to allow the Member to seek an appropriate protective order or other relief to prohibit or limit such disclosure.
(b) Notwithstanding anything to the contrary herein, MFG-ISAC hereby grants to each Member, its Affiliates, and those agents of the Member or its Affiliates which are providing technology or security services that are directly related to the services and information provided by MFG-ISAC and which are responsible for acting upon the information provided by MFG-ISAC to secure or maintain the Member’s or its Affiliates’ technology infrastructure or facilities or mitigate a specific threat, its affiliates that satisfy the Eligibility Criteria and the other conditions set forth in these T&C and comply with the terms of these T&C, and staff and agents of Member who are permitted to receive Information as provided in Section 4(c), a non-exclusive, non-assignable, non-transferable, limited, worldwide, license to use MFG-ISAC information distributed to Member under these T&C solely for Member's own use and not for further transfer or dissemination, except in a manner consistent with these T&C, including, as and to the extent indicated in these T&C, the TLP. Notwithstanding anything to the contrary herein, Member hereby grants to MFG-ISAC, its affiliates, including GRF, and those staff and agents of MFG-ISAC who are permitted to receive information of Member under these T&C and the TLP, a non-exclusive, non-assignable, non-transferable, royalty-free, irrevocable, worldwide, perpetual license to use such information solely for MFG-ISAC’s own use and not for further transfer or dissemination, except in a manner consistent with these T&C and the TLP.
(c) Access to information provided by MFG-ISAC, regardless of medium, or by any other MFG-ISAC Member through the List Server or a Collaboration Platform (all such information provided by MFG-ISAC and by any MFG-ISAC Member may be referred to in these T&C as “MFG-ISAC Information”) shall be limited by Member only to Member’s lawyers, staff, and agents who (i) are assigned security, fraud, or critical infrastructure protection responsibilities, (ii) provide technology or security services that are directly related to the services and information provided by the MFG-ISAC, or (iii) are responsible for acting upon the information provided by MFG-ISAC to secure or maintain the Member’s technology infrastructure or facilities or to mitigate a specific threat, in each case only on a need-to-know basis and strictly in accordance with these T&C, as in effect from time to time, which Member has been provided.
(d) Additionally, Member shall not disseminate or provide access to MFG-ISAC information to regulatory examiners; people responsible for formulating or informing public policy, marketing activities, business development; or any other people who do not have a direct need to have and use the information to protect the Member’s data, network, systems, people, or facilities, except where required under applicable law or regulation and in accordance with Section 4(a).
(e) Information provided by Member to MFG-ISAC will be disclosed by MFG-ISAC only to other members that have been approved as MFG-ISAC Members and will not be otherwise disclosed or used by MFG-ISAC except as expressly provided in these T&C.
(f) Notwithstanding any other provision of these T&C, MFG-ISAC and Member agree that TLP classification in the Operating Rules will govern the distribution of MFG-ISAC information.
5. Representations and Warranties
(a) Member represents, warrants and covenants that it is duly formed and existing and in good standing under the laws of the State or Country of its formation, is duly authorized to execute and deliver these T&C and to perform its obligations under these T&C, and will comply with all applicable laws, rules, and regulations, as well as the requirements of these T&C.
(b) MFG-ISAC represents, warrants and covenants that it is a duly formed corporation and existing in good standing under the laws of the State of Delaware, and is duly authorized to execute and deliver these T&C and to perform its obligations under these T&C.
(c) MFG-ISAC warrants that it has resources sufficient to perform its obligations under these T&C and to render the related services contemplated by these T&C in a timely and professional manner.
(d) MFG-ISAC represents and warrants that it has the right to disseminate, and Member has the right to use, the information provided by the MFG-ISAC as provided for in these T&C.
(e) MFG-ISAC represents and warrants that (i) the products and services provided by MFG-ISAC and in any other documentation provided by MFG-ISAC, (ii) the products and services shall at all times comply with all applicable laws and regulations, and (iii) MFG-ISAC shall not engage in any unfair, deceptive or abusive acts or practices.
(f) MFG-ISAC makes no specific warranty regarding the information or services to be provided by MFG-ISAC and Services are offered:
WITHOUT WARRANTY, EXPRESS OR IMPLIED, AS TO ITS ACCURACY, COMPLETENESS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE, AND AS TO THE AVAILABILITY, ACCURACY, OR CONTENT OF INFORMATION, PRODUCTS, OR SERVICES.
(g) All information provided by MFG-ISAC is provided 'as is.' Except as provided herein, there is no warranty, express or implied, that any information accessible on or through MFG-ISAC will fulfill any of Member's particular purposes or needs. All information accessible on or through MFG-ISAC is provided with all faults, and the entire risk as to satisfactory quality, performance, accuracy and effort is with the user.
(h) MFG-ISAC represents and warrants that all MFG-ISAC Members are subject to eligibility criteria at least as stringent as the Eligibility Criteria applicable to Member.
6. Indemnification
(a) As between Member and MFG-ISAC/GRF, each party shall indemnify, defend and hold harmless the other party and its respective affiliates, directors, managers, officers, partners (if such party is a partnership), members (if such party is a limited liability company), employees and agents, from and against any claims, losses, damages or expenses (including reasonable attorney fees, expenses and disbursements) by third parties pertaining to the actual or alleged infringement of any intellectual property right, including, without limitation, patents, copyrights, trademarks, service marks, or misappropriation of trade secrets or any similar intellectual property rights, arising from the indemnified party accessing, using or distributing information provided by the indemnifying party, in accordance with the terms and conditions of these T&C.
(b) In the event of any claim or suit relating to any matter for which one party is providing indemnification under this Section 6, the indemnified party shall promptly provide notice of such claim or suit to the indemnifying party, although any failure or delay in providing such notice will not reduce the indemnifying party’s obligations under this Section 6 except, and only to the extent, that the indemnifying party is prejudiced by such failure or delay. The indemnifying party shall then have the sole right to control the defense of the claim or suit and the indemnified party shall reasonably cooperate in the defense of such claim or suit at the expense of the indemnifying party; provided, however, that the indemnified party may, in its own discretion and at its own expense, participate in the defense of any claim or suit including counsel of its own choosing but such participation shall not relieve the indemnifying party of its obligations to defend such claim or suit. In the event that the defense of such claim or suit by the indemnifying party presents an actual or potential conflict between the indemnifying party or its counsel, on the one hand, and the indemnified party, on the other hand, such claim or suit shall be defended instead by the indemnified party at the expense of the indemnifying party. In no event, however, may there be a settlement of any such claim or suit without the written consent of the indemnified party. The indemnified party has the sole and exclusive authority to enter into any settlement that would impose an injunction or any other equitable relief on the indemnified party or that provides for any relief or term of settlement other than the payment of money damages by the indemnifying party solely.
7. Limitation of Liability
IN NO EVENT SHALL MFG-ISAC OR GRF BE LIABLE TO A MEMBER OR TO ANY THIRD PARTY FOR INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST PROFITS) ARISING FROM ACTS UNDER THESE T&C EVEN IF SUCH PARTY OR MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE MAXIMUM LIABILITY OF MFG-ISAC OR GRF TO ANY MEMBER UNDER THESE T&C SHALL BE LIMITED TO AN AMOUNT EQUAL TO THE AGGREGATE AMOUNTS PAID BY MEMBER TO MFG-ISAC FOR MEMBERSHIP DURING THE 12 MONTH PERIOD PRECEDING THE FIRST INCURRENCE OF ANY SUCH LIABILITY. NOTWITHSTANDING THE FOREGOING, NO LIMITATION OF ANY PARTY'S LIABILITY SHALL APPLY WITH RESPECT TO ANY CLAIMS BASED ON SUCH PARTY'S FRAUD, WILLFUL MISCONDUCT OR GROSS NEGLIGENCE, INDEMNIFICATION OBLIGATIONS, OR BREACHES OF CONFIDENTIALITY.
8. Confidentiality
Both Member and MFG-ISAC shall hold in strict confidence, and will not use or disclose to any third party, other than on a confidential basis to its and its affiliate’s directors, officers, employees, consultants, agents and representatives with a need to know such information and who are subject to obligations of confidentiality at least as stringent as those set forth herein (but in no case less than those reasonably employed to protect a company’s confidential information) to effectuate the parties' mutual intent hereunder, but subject in all respects to the restrictions provided for in Section 4, any confidential or proprietary data or information obtained from the other party, or to which it has access, including with respect to the other party’s business or financial condition or otherwise, (collectively, the "Confidential Information"). Information generally known in the industry or otherwise publicly available at the time of disclosure other than as a result of disclosure in violation of a duty or obligation of confidentiality, information that a party can demonstrate was lawfully in its possession prior to the date of disclosure, information which has been disclosed by third parties not in violation of a duty or obligation of confidentiality, or information developed independently by the receiving party without reference to or use of the Confidential Information, shall not be deemed Confidential Information for purposes of this Section 8. Each party’s obligations pursuant to this Section 8 shall survive the termination of these T&C for any reason.
Member shall have appropriate physical measures, policies and procedures reasonably designed in accordance with industry standards to (i) ensure the security and confidentiality of the Confidential Information, (ii) protect against any anticipated threats or hazards to the security or integrity of such Confidential Information, (iii) protect against unauthorized access to or use of such Confidential Information that could result in harm or inconvenience to MFG-ISAC or other Members and (iv) where possible, ensure the complete, secure and permanent disposal of such Confidential Information, as may be requested by MFG-ISAC or as required by applicable law. Member shall notify MFG-ISAC promptly if it learns of any actual or reasonably suspected unauthorized or unlawful access to or disclosure of any Confidential Information (collectively, “Security Incidents”). Where a Security Incident has occurred with Member, it shall promptly take all steps necessary to mitigate the damages caused by the Security Incident.
All Members, and all staff, contractors and consultants of MFG-ISAC are bound by obligations of confidentiality and restrictions regarding use of information at least as stringent as those set forth herein.
Each Member acknowledges that improper disclosure of Confidential Information in violation of Section 4 or 8 may cause irreparable injury to MFG-ISAC or other Members, and that remedies at law for any such breach would be inadequate. In the event of a breach or threatened breach, MFG-ISAC and GRF have the right to seek injunctive relief (in addition to any and all other remedies available at law or equity) without the need to post a bond or other security, or demonstrate the confidential nature of its Confidential Information and Member will not contest such relief on the basis that MFG-ISAC and GRF have an adequate remedy at law or other relief.
Each Member is an intended third-party beneficiary of Section 4 and this Section 8 with respect to the Confidential Information of such Member, and MFG-ISAC is hereby authorized to enforce Section 4 and this Section 8 against Member with respect to such Confidential Information.
9. Press Releases and Marketing
MFG-ISAC may only issue a press release or publish other marketing materials that identify Member upon receiving Member's prior written consent, such consent to be granted in Member's sole discretion.
Member may only issue public releases related to MFG-ISAC upon receiving MFG-ISAC’s written consent after review of copy, such consent to be granted in MFG-ISAC’s sole discretion; provided, however, Member may issue a press release to announce its membership in the MFG-ISAC without the written consent of MFG-ISAC. For the avoidance of doubt, these T&C will not restrict Member from informing clients, prospective clients, regulators, and other parties in non-public communications of its relationship with MFG-ISAC.
10. Force Majeure
Neither Member nor MFG-ISAC/GRF shall be held financially or otherwise responsible for any delay or failure in performance under these T&C, which is caused by the unavailability of third-party communications facilities, fires, strikes, embargoes, government requirements, civil or military authorities, acts of God, acts by terrorists or terrorist organizations or by the public enemy or other similar causes beyond the reasonable control and without the fault or negligence of the party seeking protection under this section.
11. Assignment
Member may not assign these T&C, or its rights and obligations hereunder, without the prior written consent of MFG-ISAC. Any purported assignment made in violation of this Section 11 shall be null and void. Upon any valid assignment, these T&C shall be binding upon, and inure to the benefit of, the parties and their respective successors and permitted assigns.
12. Rights and Remedies
The remedies afforded in these T&C are not intended to be exclusive, and each remedy shall be cumulative and shall be in addition to all other remedies available to the parties at law or in equity. These T&C shall not be construed to confer any rights or remedies upon any person or entity, except MFG-ISAC/GRF and Member. No delay or omission by any party in exercising any rights or remedies under these T&C or applicable law shall impair such right or remedy or be construed as a waiver of any such right or remedy.
13. Notice
Any notice required or permitted to be given under these T&C shall be given in writing and shall be hand delivered, telecopied (provided that another method set forth in this Section 13 is also used), sent by e-mail, sent by certified or registered mail or sent by overnight courier service to the (a) Member’s designated representative at such address or e-mail address as it may have specified in writing to MFG-ISAC, and (b) to MFG-ISAC at the below address or at such location as MFG-ISAC shall have specified in writing to Member as its principal office.
MFG-ISAC, LLC
ATTN: MFG-ISAC Membership Support
10332 Main Street
Suite 344
Fairfax, VA 22030
Email: membership@mfgisac.org
14. Governing Law; Dispute Resolution; Interpretation
These T&C will be interpreted and construed in accordance with the laws of the state where Member is located, without regard to its principles of conflict of law or choice of laws.
Any unsettled controversy or claim between the parties arising out of or relating to these T&C or any breach thereof may be settled by final and binding arbitration in any state of competent jurisdiction pursuant to the rules then in effect of the CPR Rules of Non-Administered Arbitration; provided that the arbitrator shall have no authority to add to, amend, modify, or ignore any of the provisions of these T&C. ALL PROCEEDINGS, CORRESPONDENCE, DOCUMENTS, AND COMMUNICATIONS RELATING TO SUCH ARBITRATION SHALL BE AND REMAIN CONFIDENTIAL. THE PARTIES WAIVE A RIGHT TO TRIAL BY JURY. NOTWITHSTANDING THE FOREGOING TERMS OF THIS PARAGRAPH OR ANY OTHER PROVISION OF THESE T&C, EITHER PARTY MAY SEEK EQUITABLE RELIEF IN A COURT TO ENFORCE SECTIONS 4, 8 OR 9 OF THESE T&C.
These T&C do not create, and shall not be construed as creating, any rights enforceable by any person not a party to these T&C, other than the indemnification rights provided to indemnified parties under Section 6 and the rights provided to MFG-ISAC Members in the last paragraph of Section 8. The headings of the Sections contained in these T&C are inserted for convenience of reference only and are not intended to be a part of or to affect the meaning or interpretation of these T&C.
15. Survival
(a) The provisions of Sections 4, 5, 7, 8, 9, 12, 13, 14, and 15, and the second, third and sixth paragraphs of Section 17, shall survive the expiration or earlier termination of these T&C. In addition, (x) claims and liabilities for breaches of these T&C occurring prior to the termination of these T&C and (y) indemnification claims under Section 6 accruing prior to such termination will also survive expiration or termination of these T&C, as applicable.
16. Antitrust
MFG-ISAC and Member will comply with all national and state antitrust laws and regulations. All officers, directors, managers, partners (for any party organized as a partnership), staff, and members must not engage in any conduct that may constitute violation of the antitrust laws, including but not limited to price fixing, group boycotts, or allocations of market among organizations or institutions.
To assure compliance with this policy:
a) Members are prohibited from discussing any company-specific, competitively sensitive information, including terms, sales, conditions, pricing, or future plans, related to their firms or any vendors or service providers they engage;
b) The member community mailing lists and forums are not to serve as a conduit for discussions or negotiations between or among vendors, manufacturers, or security service providers with respect to any member or group of members;
c) Member will determine the effect of the exchanged information on its individual purchasing and related decisions;
d) Any breach of this Section 16 may result in termination of these T&C and forfeiture of remaining annual Subscription Fee (as defined below).
17. Other Provisions
If any provision in these T&C is found to be invalid, unlawful or unenforceable to any extent, MFG-ISAC and GRF shall endeavor in good faith to amend these T&C to preserve its intention. However, any invalid provision will be enforced to the maximum extent permitted by law and, to the extent not enforceable, will be severed from the remaining terms, conditions and provisions, which will remain in full force and effect.
No failure on the part of MFG-ISAC and GRF to exercise, or delay in exercising, any right or remedy hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any such right or remedy by such party preclude any other or further exercise thereof or the exercise of any other right or remedy. A waiver on one occasion shall not constitute a waiver on any further occasion.
These T&C may be executed in any number of separate counterparts with the same effect as if all parties hereto had signed the same document. All counterparts shall be construed together and shall constitute one instrument.
Nothing in these T&C shall be deemed to create a partnership or joint venture between the Member and MFG-ISAC/GRF or to create any inference that either party may be regarded as an agent of the other party for any purpose.
18. Manufacturing Information Sharing and Analysis Center (MFG-ISAC) Traffic Light Protocol
All information submitted, processed, stored, archived, or disposed of will be classified and handled in accordance with its classification and the terms of the Member Agreement into which the Member has entered with MFG-ISAC.
a) Unless otherwise specified, all information will be treated as Confidential Information (AMBER) and will not be disclosed to parties without the permission of the originator.
b) No Confidential Information (RED) or (AMBER) will be disclosed to any director of the GRF board or any GRF personnel who are employees of any MFG-ISAC member.
c) Information will be classified using the Traffic Light Protocol, defined as:
TLP:RED - Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
TLP:AMBER+STRICT - Recipients may share TLP:AMBER+STRICT information only with members of their own organization on a need-to-know basis to protect their organization and prevent further harm.
TLP:AMBER - Recipients may share TLP:AMBER information with members of their own organization and its clients on a need-to-know basis to protect their organization and its clients and prevent further harm.
TLP:GREEN - Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. Unless otherwise specified, TLP:GREEN information may not be shared outside of the cybersecurity or cyber defense community.
TLP:CLEAR - Recipients may share TLP:CLEAR information without restriction. Information is subject to standard copyright rules.
NOTE: If you have any questions regarding the Terms and Conditions, please contact membership@mfgisac.org.