When a ransomware attack crippled the Colonial Pipeline in May 2021, the response exposed a structural weakness in American critical infrastructure defense: no single agency had full visibility. The FBI investigated the crime. CISA coordinated federal remediation. The Energy Department monitored grid impacts. Each operated its own security operations center, and each saw only a slice of the problem.
That fragmented response galvanized a concept that had been circulating in federal cybersecurity circles for years — the Joint Security Operations Center, or JSOC. Not to be confused with the military’s Joint Special Operations Command, a cybersecurity JSOC is a facility where multiple organizations share threat intelligence, coordinate incident response, and operate shared detection infrastructure. The model has gained traction across government, critical infrastructure operators, and large enterprises with subsidiary companies that each run their own security teams.
What a JSOC Actually Does
A Joint Security Operations Center is defined by its multi-stakeholder structure. Where a traditional CSOC — Cyber Security Operations Center — monitors and defends a single organization’s network, a JSOC pulls data from multiple participating entities into a shared analytical environment. The participating organizations retain ownership of their own networks and make their own tactical decisions, but they feed telemetry into a common platform and receive correlated threat intelligence back.
The National Cybersecurity and Communications Integration Center, operated by CISA, functions as a federal-level JSOC. Its 2022 expansion, documented in CISA’s “Strategic Plan for Fiscal Years 2023-2025,” explicitly called for deeper integration of civilian agency security operations into shared monitoring infrastructure. The plan noted that “federal civilian executive branch agencies operate disparate security operations centers with varying levels of maturity, creating gaps in collective defense visibility.”
At the state and local level, fusion centers operated under the Department of Homeland Security’s National Network of Fusion Centers serve a similar function. These centers combine cyber threat intelligence from multiple jurisdictions — state agencies, municipal governments, critical infrastructure operators — into shared analytical products. The DHS “Fusion Center Guidelines” published in cooperation with the Department of Justice establish baseline requirements for intelligence sharing, analyst training, and operational coordination.
In the private sector, JSOCs appear most often in industries with heavily regulated, interdependent infrastructure. Financial services firms in the United States participate in the Financial Services ISAC, which operates a shared security operations capability. Energy companies coordinate through the Electricity Subsector Coordinating Council and the Electricity Information Sharing and Analysis Center. These industry-level JSOCs allow competitors to share indicators of compromise, attack profiles, and adversary intelligence without exposing proprietary business data.
How a JSOC Differs From a Standard SOC
The distinction between a JSOC and a traditional SOC is structural, not technological. Both use SIEM platforms, EDR tools, threat intelligence feeds, and SOAR automation. The difference lies in governance and data sharing.
A standard SOC operates within a single organizational boundary. Its analysts monitor one network, use one set of detection rules tuned to one environment, and respond to incidents affecting one entity. A JSOC’s analysts monitor multiple networks simultaneously, correlate activity across organizational boundaries, and identify attack campaigns that would be invisible to any single participant.
NIST Special Publication 800-150, “Guide to Cyber Threat Information Sharing,” provides the foundational framework for the kind of structured intelligence exchange that makes a JSOC operational. Published in April 2016, it defines four stages of information sharing: observing, constructing, receiving, and utilizing threat intelligence. A JSOC operationalizes all four stages across its participating organizations.
The SANS Institute’s 2023 SOC Survey, authored by security operations researcher Zachary Mathos, found that organizations participating in shared SOC models reported 23 percent faster mean time to detection for cross-organization attack campaigns compared to those operating standalone SOCs. The improvement was attributed to shared detection rules and correlated telemetry that surfaced patterns no single organization could identify alone.
The Architecture of a Joint Operations Center
Building a JSOC requires solving three interconnected problems: data aggregation without data exposure, unified tooling across heterogeneous environments, and governance frameworks that define what each participant shares and receives.
Data aggregation typically relies on a hub-and-spoke model. Each participating organization operates its own SIEM and detection infrastructure. Selected telemetry — usually metadata, indicators of compromise, and sanitized alert data — is forwarded to the central JSOC platform. Raw logs containing personally identifiable information, proprietary business data, or regulated content remain within the originating organization. The JSOC correlates the shared data to identify cross-boundary threats.
The tooling challenge is significant. Participants rarely use identical security platforms. One organization might run Splunk Enterprise Security while another uses Microsoft Sentinel. A third might rely on IBM QRadar. The JSOC must ingest and normalize data from all of these sources. Open standards like STIX and TAXII, maintained by OASIS, provide the interchange format. MISP, the open-source threat intelligence platform, is commonly used as the sharing backbone.
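As an added illustration of the hub-and-spoke aggregation described above (this is example code, not from the article or any JSOC program), the following spoke-side forwarder turns a local SIEM alert into a minimal STIX 2.1 indicator carrying the ATT&CK technique, while PII and internal hostnames are stripped or pseudonymized before anything leaves the organization. The alert field names, the x_jsoc_* custom properties, and the sample values are assumptions constructed for the example.

```python
# Added illustration (not from the article): a "spoke" forwarder that turns a
# local SIEM alert into a hub record, a minimal STIX 2.1 indicator carrying the
# ATT&CK technique, with PII and internal names stripped or pseudonymized.
import hashlib, hmac, uuid
from datetime import datetime, timezone

LOCAL_ONLY = {"user", "hostname", "email", "raw_log"}  # never leaves the org
STIX_PATTERNS = {  # STIX 2.1 pattern templates for the indicator types shared
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def pseudonymize(value, org_key):
    """Keyed hash: the hub can count distinct assets but cannot recover the
    real hostname; the key never leaves the originating organization."""
    return hmac.new(org_key, value.encode(), hashlib.sha256).hexdigest()[:16]

def to_shared_record(alert, org_id, org_key):
    """Normalize one local alert (constructed field names) into a hub record."""
    ioc_type, ioc_value = alert["ioc"]
    if ioc_type not in STIX_PATTERNS:
        raise ValueError(f"unsupported indicator type: {ioc_type}")
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    record = {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now,
        "pattern": STIX_PATTERNS[ioc_type].format(v=ioc_value),
        "pattern_type": "stix", "valid_from": alert["time"],
        # Custom (x_) properties carry the context the hub correlates on.
        "x_jsoc_org": org_id,
        "x_jsoc_attack_technique": alert["attack_technique"],
        "x_jsoc_asset": pseudonymize(alert["hostname"], org_key),
    }
    leaked = LOCAL_ONLY & set(record)  # last check before transmission
    if leaked:
        raise RuntimeError(f"local-only fields in shared record: {leaked}")
    return record

# Constructed sample alert as a local SIEM might emit it.
SAMPLE_ALERT = {
    "time": "2025-03-04T09:12:00Z", "attack_technique": "T1059.001",
    "ioc": ("ipv4", "198.51.100.7"), "hostname": "ws-finance-07",
    "user": "jdoe", "raw_log": "<full process command line stays local>",
}

if __name__ == "__main__":
    print(to_shared_record(SAMPLE_ALERT, "org-a", b"org-a-secret"))
```

The hub receives only the indicator pattern, the technique, and a keyed asset pseudonym; the user, hostname, and raw log never leave the spoke.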
Governance is where most JSOC implementations stall. Participants must agree on what data is shared, how it is used, who has access, and what happens when sensitive intelligence leaks. Legal frameworks — memoranda of understanding, data sharing agreements, and mutual aid pacts — must be negotiated before any technical integration begins. In the federal space, the Federal Information Security Modernization Act of 2014 provides the statutory authority for interagency information sharing, but implementation varies widely.
Real-World JSOC Deployments
The most mature JSOC implementations in the United States operate within the defense industrial base. The Department of Defense’s Cyber Crime Center, known as DC3, operates a shared security operations capability that ingests threat data from defense contractors of varying sizes. Its operations are classified, but public testimony before the Senate Armed Services Committee has referenced its role in coordinating response to state-sponsored intrusion campaigns targeting the supply chain.
CISA’s Continuous Diagnostics and Mitigation program functions as a quasi-JSOC for federal civilian agencies. The program, documented in CISA’s “CDM Program Fact Sheet,” provides shared tools, dashboards, and managed security services to agencies that lack the resources to build standalone SOC capabilities. As of 2025, the program covers over 100 federal agencies and processes telemetry from millions of endpoints.
In the private sector, the concept has been adopted by large holding companies and conglomerates. When a parent company acquires multiple subsidiaries, each with its own IT infrastructure and security team, a JSOC model allows the parent to gain centralized visibility without forcing a disruptive migration to a single security platform. The subsidiaries maintain operational autonomy while the parent organization gains strategic oversight.
Challenges That Kill JSOC Implementations
A trust deficit is the most common failure point. Organizations are reluctant to share intelligence about their security posture with competitors, regulators, or even partners. A bank that shares indicators of compromise from a phishing campaign implicitly reveals that it was targeted, and possibly compromised. In regulated industries, this disclosure can trigger compliance obligations, shareholder notifications, and reputational damage.
CISA’s “Protected Critical Infrastructure Information” program, authorized under the Critical Infrastructure Information Act of 2002, provides legal protections for voluntarily shared cybersecurity information. Information shared through this program is exempt from Freedom of Information Act requests, use in regulatory enforcement, and civil litigation. These protections exist but are poorly understood by the private sector, and many organizations decline to participate in information sharing because they are unaware of the legal safeguards.
Technical integration is the second major obstacle. Normalizing security telemetry across different SIEM platforms, log formats, and detection taxonomies is expensive and time-consuming. Organizations that have invested heavily in proprietary detection rules are reluctant to rewrite them for a shared platform. The cost of integration often falls disproportionately on smaller participants who lack the engineering resources of their larger counterparts.
Personnel is the third challenge. JSOC analysts must understand multiple environments, navigate different organizational cultures, and maintain security clearances or trust relationships with each participant. Recruiting analysts with this breadth of experience is difficult in a market where standalone SOC positions already face severe staffing shortages.
The Case for JSOC Adoption
Despite these challenges, the case for joint security operations continues to strengthen. Nation-state adversaries do not respect organizational boundaries. A ransomware group targeting the healthcare sector will attack multiple hospital systems simultaneously, using the same infrastructure, the same payloads, and the same techniques. A single hospital’s SOC sees only the attack against its network. A JSOC correlating data across twenty hospitals sees the campaign.
The MITRE ATT&CK framework has become the common language that makes this correlation possible. When analysts at different organizations map detections to the same ATT&CK techniques — T1486 for data encrypted for impact, T1059.001 for PowerShell execution — they can share intelligence with precision even when their underlying tools differ.
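To make the correlation concrete, here is an added example (not code from the article or from any JSOC) of the hub-side logic: records already normalized to a shared technique-plus-indicator schema are grouped by ATT&CK technique and STIX pattern, and a key observed at three or more distinct participants within a 48-hour window is reported as a campaign. The schema, the thresholds, and all hospital records are constructed assumptions.

```python
# Added example (not from the article or any JSOC program): the hub-side
# correlation that turns isolated alerts into a campaign. Records follow the
# shared schema assumed here: ATT&CK technique id, STIX indicator pattern,
# contributing org, UTC timestamp. All sample records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

MIN_ORGS = 3              # distinct participants before a key counts as a campaign
WINDOW = timedelta(hours=48)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(records, min_orgs=MIN_ORGS, window=WINDOW):
    """Group by (technique, pattern) and report keys observed at >= min_orgs
    distinct orgs within one sliding window. Returns {key: sorted org list}."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["technique"], r["pattern"])].append(r)
    campaigns = {}
    for key, hits in by_key.items():
        hits.sort(key=lambda r: _ts(r["observed"]))
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it lies within `window` of hits[end].
            while _ts(hits[end]["observed"]) - _ts(hits[start]["observed"]) > window:
                start += 1
            orgs = {h["org"] for h in hits[start:end + 1]}
            if len(orgs) >= min_orgs:
                campaigns[key] = sorted(orgs)
                break
    return campaigns

def rec(org, technique, pattern, observed):
    return {"org": org, "technique": technique, "pattern": pattern, "observed": observed}

C2 = "[ipv4-addr:value = '203.0.113.9']"           # constructed indicator
RANSOM = "[file:hashes.'SHA-256' = '<constructed-hash>']"
RECORDS = [
    rec("hosp-5", "T1059.001", C2, "2025-02-10T08:00:00Z"),  # weeks earlier: outside window
    rec("hosp-1", "T1059.001", C2, "2025-03-04T09:12:00Z"),
    rec("hosp-2", "T1059.001", C2, "2025-03-04T11:40:00Z"),
    rec("hosp-3", "T1059.001", C2, "2025-03-05T02:05:00Z"),
    rec("hosp-4", "T1486", RANSOM, "2025-03-05T03:30:00Z"),  # single org: not a campaign
]

if __name__ == "__main__":
    print("hosp-1 alone sees:", correlate([r for r in RECORDS if r["org"] == "hosp-1"]))
    print("hub sees:", correlate(RECORDS))
```

Run against only one hospital's records the function returns nothing, which is the single-SOC blind spot the section describes; run against all participants it surfaces the shared PowerShell-execution activity against one address.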
CISA’s “Joint Cyber Defense Collaborative,” established in August 2021, represents the federal government’s most ambitious attempt to operationalize the JSOC concept across the public-private divide. The collaborative brings together federal agencies, technology companies, and critical infrastructure operators to share real-time threat intelligence and coordinate defensive actions. Its work on the Log4Shell vulnerability response in December 2021 demonstrated the model’s value: participants shared detection rules, identified vulnerable assets, and coordinated patching faster than any single organization could have achieved alone.
The trajectory is clear. As attack campaigns grow more sophisticated and cross organizational boundaries with increasing frequency, the JSOC model — imperfect, politically complex, and technically challenging — offers a structural advantage that standalone SOCs cannot match.
