Criminal cyber attacks against health care organizations are up 125 percent compared to five years ago, replacing lost laptops as the top cause of breaches, and the average consolidated total cost of a data breach was $3.8 million, a 23 percent increase from 2013. 

To keep pace, all types of organizations need to share security risk and cyber threat information and respond as soon as possible. To support this need and strengthen cybersecurity, the Office of the National Coordinator for Health Information Technology (ONC) has released a Funding Opportunity Announcement (FOA) to build the capacity of anInformation Sharing and Analysis Organizations (ISAO) to:

  • Issue warnings about potential cyber threats,
  • Provide outreach and education that improves cyber security awareness,
  • Equip HPH sector stakeholders to take action in response to cyber threat information shared by the ISAO, and
  • Facilitate information sharing widely within the HPH sector, regardless of the size of the organization

Establishing robust threat information sharing infrastructure and capability within the HPH Sector is crucial to the privacy and security of health information, which in turn, builds trust in the digital health system envisioned in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. 

ISAO Information Session Slide [PDF - 240KB]


Q: The announcement was posted on July 20, 2016 and is due August 19, 2016which gives interested applicants only thirty (30) calendar days and just twenty-two (22) business days to prepare a response.  We recommend you delay the application due dates for both the ONC and ASPR grants by thirty (30) days.  I have sent a similar request to Dr. Lurie at ASPR.

A: Due to time restraints, we are unable to extend the application period.  The due date for application submission is August 19, 2016.

Q: I would like a clarification for the solicitation NAP-AX-16-006, ONC FUNDING FOR HEALTH CARE AND PUBLIC HEALTH (HPH) SECTOR 

The eligibility criteria specify that the opportunity is open to organizations that  “are already providing outreach and technical assistance 
to participating organizations on cybersecurity threats”.  It also encourages collaborative proposals. Would a proposal that had as a prime awardee an organization that is not an existing ISAO, but included a substantial partnership with an organization that was an ISAO be considered a qualified bidder?  That is, the proposal itself would qualify but the prime on its own would not.

A: This collaboration would be acceptable.

Q: Can you please send the links for both the recorded session and the slide deck for download? Any help is appreciated on this time sensitive issue.

A: Here is the recording

Here are the slides
Q: The Cyber Security Task Force has been asked to provide feedback on how to setup an ISAO. Our date for the delivery of our recommendations is several months after the award of the actual ISAO contract. How will our advice and recommendations be integrated?

A: Please refer to page 13 of the FOA.  The recipient must identify and comply with applicable provisions of CISA Section 405 that may apply to the ISAOs.  Section 405 encompasses the Cyber Security Task Force, so the recipient must take these recommendations into account starting in year 2. 

Q: Will you accept work done in the workshop space on Grants.gov?

A: Please contact Grants.gov helpdesk to confirm whether Workspace can be used to upload your grant documentation. 

Q: Do you require copies of certifications by the members of the team?

A:  Please refer to the FOA for further clarification, or email onc_ocpogrants@hhs.gov to provide more detailed information on your question. 

Q: Are matching funds required?

A: no

Content last reviewed on September 22, 2017
Was this page helpful?