US Cyber Threat Intelligence Sources and Feeds
The United States operates a structured ecosystem of cyber threat intelligence (CTI) sources and feeds that span federal agencies, sector-specific information sharing organizations, and standards-defined data exchange frameworks. These sources serve security operations centers, federal contractors, critical infrastructure operators, and policy researchers who require timely, structured threat data. Understanding how these sources are classified, how they integrate into security programs, and what regulatory obligations govern their use is essential for any organization operating within the US national security posture.
Definition and scope
Cyber threat intelligence refers to processed, analyzed information about adversary tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware signatures, and infrastructure associated with hostile cyber activity. The NIST Cybersecurity Framework identifies threat intelligence as a core component of the "Identify" function, specifically within the Risk Assessment (ID.RA) subcategory.
CTI sources in the US operate across four primary classification tiers:
- Strategic intelligence — High-level analysis of adversary motivations, geopolitical context, and long-term threat trends. Produced by bodies such as the Office of the Director of National Intelligence (ODNI) and the Cybersecurity and Infrastructure Security Agency (CISA).
- Operational intelligence — Campaign-level data about active threat actor operations, including infrastructure and targeting patterns. CISA's Automated Indicator Sharing (AIS) program distributes operational-level machine-readable data at federal scale.
- Tactical intelligence — Specific IOCs: IP addresses, domain names, file hashes, and YARA rules. Distributed through feeds such as the FBI's InfraGard portal and sector-specific Information Sharing and Analysis Centers (ISACs).
- Technical intelligence — Vulnerability-level detail tied to CVE identifiers, which are assigned by MITRE and catalogued in the National Vulnerability Database (NVD) maintained by NIST (NVD).
The scope of US CTI infrastructure formally extends to 16 critical infrastructure sectors as defined under Presidential Policy Directive 21 (PPD-21), each with a designated Sector Risk Management Agency (SRMA) responsible for sector-specific threat intelligence coordination. For a broader view of how these agencies interact, see Federal Cybersecurity Agencies.
How it works
CTI data flows through a layered distribution architecture anchored by federal agencies, industry consortia, and open standards protocols.
Federal distribution layer
CISA operates the primary federal CTI distribution infrastructure. Its Automated Indicator Sharing (AIS) initiative transmits machine-readable IOCs using the STIX/TAXII protocol pair — Structured Threat Information eXpression (STIX) for data format and Trusted Automated eXchange of Intelligence Information (TAXII) for transport. As of CISA's published program documentation, AIS participants include over 300 private sector entities and federal agencies exchanging indicators in near real-time (CISA AIS).
ISAC distribution layer
Information Sharing and Analysis Centers (ISACs) operate sector-specific threat intelligence exchanges. The Financial Services ISAC (FS-ISAC), Health Information Sharing and Analysis Center (H-ISAC), and Electricity Information Sharing and Analysis Center (E-ISAC) each maintain proprietary feeds calibrated to sector-relevant threat profiles. ISAC membership and access criteria vary; most require organizational vetting and sector affiliation. The sector-specific compliance requirements that shape ISAC participation are detailed under Sector-Specific Cybersecurity Requirements.
Open-source and government publication layer
CISA's Known Exploited Vulnerabilities (KEV) catalog (KEV Catalog) documents vulnerabilities actively exploited in the wild, with more than 1,100 entries at the time of writing. The FBI's Internet Crime Complaint Center (IC3) publishes annual threat reports aggregating complaint-based data. MITRE ATT&CK (ATT&CK Framework) provides the industry-standard taxonomy for mapping adversary TTPs across 14 tactic categories.
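As an added example (not CISA's own code), the script below joins the CVE list from an asset inventory against a KEV-formatted feed and orders the matches by remediation urgency; the JSON excerpt is constructed in the layout of the published KEV feed, and its CVE IDs, vendor and product names are placeholders.

```python
import json
from datetime import date

# Constructed excerpt laid out like CISA's KEV JSON feed (field names follow the
# published schema); the CVE IDs, vendor and product names are placeholders.
SAMPLE_KEV = json.dumps({
    "title": "sample", "catalogVersion": "0000.00.00",
    "dateReleased": "2024-06-01T00:00:00.0000Z", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "vulnerabilityName": "placeholder flaw", "dateAdded": "2024-05-01",
         "shortDescription": "placeholder", "dueDate": "2024-05-22",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "vulnerabilityName": "placeholder flaw", "dateAdded": "2024-05-25",
         "shortDescription": "placeholder", "dueDate": "2024-06-15",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

def kev_exposure(kev_json, inventory_cves, today_iso):
    """Join the CVEs present on your assets against the KEV feed and return the
    matches ordered by urgency: past the catalog's remediation due date first,
    then known ransomware use, then the soonest due date."""
    today = date.fromisoformat(today_iso)
    wanted = {c.upper() for c in inventory_cves}   # tolerate lower-case scanner output
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_in_days": (due - today).days,          # negative once overdue
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due_in_days"]))
    return hits

if __name__ == "__main__":
    for hit in kev_exposure(SAMPLE_KEV, ["CVE-1900-0001", "CVE-1900-0002"], "2024-06-01"):
        print(hit)
```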
The US Cybersecurity Regulatory Framework governs how federal agencies and regulated industries are required to consume and report threat intelligence, particularly under obligations established by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Common scenarios
Federal contractor environments
Organizations operating under CMMC (Cybersecurity Maturity Model Certification) or FISMA compliance regimes are required to integrate threat intelligence into continuous monitoring programs. NIST SP 800-137 establishes the framework for Information Security Continuous Monitoring (ISCM), explicitly referencing threat feed integration as a monitoring input. Government contractor-specific obligations are covered under Government Contractor Cybersecurity Requirements.
Critical infrastructure operators
Energy sector operators subject to NERC CIP standards must maintain awareness of ICS-specific threat intelligence. ICS-CERT (now integrated into CISA's industrial control systems division) publishes advisories tailored to operational technology (OT) environments. See Industrial Control Systems Security for the regulatory structure governing OT threat intelligence consumption.
Healthcare and financial sectors
HIPAA-covered entities and financial institutions regulated under GLBA/FFIEC guidance are expected to incorporate threat intelligence into risk assessments. H-ISAC and FS-ISAC serve as the primary sector channels. Healthcare-specific requirements are addressed under Healthcare Cybersecurity Requirements.
Incident response activation
During active incidents, organizations draw on CISA's 24/7 reporting line, the FBI's Cyber Division, and sector ISAC emergency channels simultaneously. The Incident Response Standards page maps the procedural framework governing how threat intelligence feeds into response decisions.
Decision boundaries
Selecting the appropriate CTI source depends on organizational scope, sector affiliation, and operational maturity:
- Government-only access — Classified threat intelligence from NSA/CISA is restricted to cleared entities under formal agreements. Unclassified CISA AIS feeds are available to all registered participants without clearance requirements.
- ISAC vs. open government feeds — ISACs provide sector-contextualized data with higher signal-to-noise ratios for their member industries. CISA's open KEV catalog and AIS provide broader coverage with less sector-specific filtering.
- STIX/TAXII-compatible platforms vs. manual feeds — Automated ingestion via STIX 2.1/TAXII 2.1 is appropriate for organizations with SIEM platforms capable of parsing structured data. PDF-based CISA advisories and IC3 reports serve organizations without automated ingestion infrastructure.
- Tactical vs. strategic use cases — IOC-level feeds (IP blocks, hashes) are operationally actionable but expire quickly. ATT&CK-mapped TTP intelligence has longer shelf life and informs security architecture decisions independent of specific campaigns.
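An added example, not code from CISA or any AIS participant, of the automated ingestion step the last two points assume: it parses a STIX 2.1 bundle as a TAXII 2.1 client would receive it, drops indicators outside their valid_from/valid_until window, and pulls the IOC values out of the STIX patterns. The bundle, its identifiers and its values are constructed; the validity-window check is what keeps short-lived tactical indicators from lingering in blocklists.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle standing in for one page of a TAXII 2.1 collection
# response; the UUIDs, address, hash and dates are made up for illustration.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
})

# One STIX comparison expression: <object-type>:<property> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'")

def parse_ts(value):
    # STIX timestamps are RFC 3339 with a trailing Z; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def active_iocs(bundle_json, now_iso):
    """Return (object_type, property, value) triples for every equality comparison
    in indicators that are in force at `now_iso`; expired ones are dropped."""
    now = parse_ts(now_iso)
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only STIX patterns are parsed here, not Snort/YARA/SIGMA ones
        if parse_ts(obj["valid_from"]) > now:
            continue  # not yet in force
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:
            continue  # expired: tactical IOCs age out, stop matching on them
        for obj_type, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            found.append((obj_type, prop.replace("'", ""), value))
    return found

if __name__ == "__main__":
    print(active_iocs(SAMPLE_BUNDLE, "2024-04-01T00:00:00Z"))
```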
Organizations with limited internal capacity can access pre-aggregated CTI guidance through Small Business Cybersecurity Resources, which references CISA's free-tier advisory distribution channels.
References
- CISA Automated Indicator Sharing (AIS)
- CISA Known Exploited Vulnerabilities Catalog
- NIST National Vulnerability Database (NVD)
- MITRE ATT&CK Framework
- NIST SP 800-137 – Information Security Continuous Monitoring
- NIST Cybersecurity Framework (CSF)
- Presidential Policy Directive 21 (PPD-21)
- FBI Internet Crime Complaint Center (IC3)
- FS-ISAC – Financial Services Information Sharing and Analysis Center
- H-ISAC – Health Information Sharing and Analysis Center
- E-ISAC – Electricity Information Sharing and Analysis Center