CINXE.COM

<!doctype html><html lang="en" class="web tlp-clear" data-studio-config="eyJ4aHJDcmVkZW50aWFscyI6ZmFsc2UsInhockhlYWRlcnMiOnt9fQo="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Information Exchange Policy (IEP) - Version 1.0</title> <meta property="og:title" content="Information Exchange Policy (IEP) - Version 1.0" /> <meta property="og:type" content="website" /> <meta property="og:image" content="https://www.first.org/_/img/first-big-icon.png" /> <meta property="og:url" content="https://www.first.org/iep/iep_v1_0" /> <meta property="og:site_name" content="FIRST — Forum of Incident Response and Security Teams" /> <meta property="fb:profile_id" content="296983660669109" /> <meta property="twitter:card" content="summary" /> <meta property="twitter:site" content="@FIRSTdotOrg" /><meta name="viewport" content="initial-scale=1,maximum-scale=1.0,user-scalable=no" /><link rel="icon" type="image/png" href="/1st.png" /><link rel="apple-touch-icon" sizes="128x128" href="/favicon.png" /><link rel="stylesheet" type="text/css" href="/_/web.css?20241031194005" /></head><body><header><div id="header" data-studio="CU52CV1W8g"><div id="c3" data-studio="Yu8FjCC11g"><div id="topbar"> <div class="sites right"> <ul> <li><a href="https://support.first.org" class="kb-datalist"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a></li> <li><a href="https://portal.first.org" class="button"><span class="no-tiny">Member </span>Portal</a></li> </ul> </div> <div class="first-logo"> <p><a href="/"><img src="/_/img/first-org-simple-negative.svg" alt="FIRST.Org" title="FIRST" /></a></p> </div> <div class="nav"> <ul class="navbar"><li><a href="/about">About FIRST</a><ul><li><a href="/about/mission">Mission Statement</a></li><li><a href="/about/history">History</a></li><li><a href="/about/sdg">Sustainable Development Goals</a></li><li><a href="/about/organization">Organization</a><ul><li><a href="/about/organization/directors">Board of Directors</a></li><li><a>Operations Team</a><ul><li><a href="/about/organization/ccb">Community & Capacity Building</a></li><li><a href="/about/organization/events">Event Office</a></li><li><a href="/about/organization/executive-director">Executive Director</a></li><li><a href="/about/organization/infrastructure">Infrastructure</a></li><li><a href="/about/organization/secretariat">Secretariat</a></li></ul></li><li><a href="/about/organization/committees">Committees</a><ul><li><a href="/about/organization/committees/compensation-committee">Compensation Committee</a></li><li><a href="/about/organization/committees/conference-program-committee">Conference Program Committee</a></li><li><a href="/about/organization/committees/membership-committee">Membership Committee</a></li><li><a href="/about/organization/committees/rules-committee">Rules Committee</a></li><li><a href="/about/organization/committees/standards">Standards Committee</a></li></ul></li><li><a href="/events/agm">Annual General Meeting</a></li><li><a href="/about/organization/reports">Annual Reports and Tax Filings</a></li></ul></li><li><a href="/about/policies">FIRST Policies</a><ul><li><a href="/about/policies/anti-corruption">Anti-Corruption Policy</a></li><li><a href="/about/policies/antitrust">Antitrust Policy</a></li><li><a href="/about/policies/bylaws">Bylaws</a></li><li><a href="/about/policies/board-duties">Board duties</a></li><li><a href="/about/bugs">Bug Bounty Program</a></li><li><a href="/about/policies/code-of-conduct">Code of Conduct</a></li><li><a href="/about/policies/conflict-policy">Conflict of Interest Policy</a></li><li><a href="/about/policies/doc-rec-retention-policy">Document Record Retention and Destruction Policy</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li><li><a href="/about/policies/gen-event-reg-refund-policy">General Event Registration Refund Policy</a></li><li><a href="/about/policies/event-site-selection">Guidelines for Site Selection for all FIRST events</a></li><li><a href="/identity">Identity & Logo Usage</a></li><li><a href="/about/policies/mailing-list">Mailing List Policy</a></li><li><a href="/about/policies/media">Media Policy</a></li><li><a href="/about/policies/privacy">Privacy Policy</a></li><li><a href="/about/policies/registration-terms-conditions">Registration Terms & Conditions</a></li><li><a href="/about/policies/terms">Services Terms of Use</a></li><li><a href="/about/policies/standards">Standards Policy</a></li><li><a href="/about/policies/diversity">Statement on Diversity & Inclusion</a></li><li><a href="/about/policies/translation-policy">Translation Policy</a></li><li><a href="/about/policies/travel-policy">Travel Policy</a></li><li><a href="/about/policies/uniform-ipr">Uniform IPR Policy</a></li><li><a href="/about/policies/whistleblower-policy">Whistleblower Protection Policy</a></li></ul></li><li><a href="/about/partners">Partnerships</a><ul><li><a href="/global/partners">Partners</a></li><li><a href="/global/friends">Friends of FIRST</a></li><li><a href="/global/supporters/">FIRST Supporters</a></li><li><a href="/about/sponsors">Sponsors</a></li></ul></li><li><a href="/newsroom">Newsroom</a><ul><li><a href="/newsroom/news">What's New</a></li><li><a href="/newsroom/releases">Press Releases</a></li><li><a href="/newsroom/news/media">In the News</a></li><li><a href="/podcasts">Podcasts</a><ul><li><a href="/newsroom/news/first-impressions/">FIRST Impressions Podcast</a></li><li><a href="/newsroom/news/podcasts/">FIRSTCON Podcast</a></li></ul></li><li><a href="/newsroom/newsletters">Newsletters</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li></ul></li><li><a href="/about/procurement">Procurement</a></li><li><a href="/about/jobs/">Jobs</a></li><li><a href="/contact">Contact</a></li></ul></li><li><a href="/members">Membership</a><ul><li><a href="/membership/">Becoming a Member</a><ul><li><a href="/membership/process">Membership Process for Teams</a></li><li><a href="/membership/process-liaisons">Membership Process for Liaisons</a></li><li><a href="/membership/#Fees">Membership Fees</a></li></ul></li><li><a href="/members/teams">FIRST Teams</a></li><li><a href="/members/liaisons">FIRST Liaisons</a></li><li><a href="/members/map">Members around the world</a></li></ul></li><li><a href="/global">Initiatives</a><ul><li><a href="/global/sigs">Special Interest Groups (SIGs)</a><ul><li><a href="/global/sigs/framework">SIGs Framework</a></li><li><a href="/global/sigs/academicsec" class="borderb">Academic Security SIG</a></li><li><a href="/global/sigs/ai-security">AI Security SIG</a></li><li><a href="/global/sigs/automation">Automation SIG</a></li><li><a href="/global/sigs/bigdata">Big Data SIG</a></li><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a><ul><li><a href="/cvss/calculator/4.0">Calculator</a></li><li><a href="/cvss/v4.0/specification-document">Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">User Guide</a></li><li><a href="/cvss/v4.0/examples">Examples</a></li><li><a href="/cvss/v4.0/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v4-0">CVSS v4.0 Documentation & Resources</a><ul><li><a href="/cvss/calculator/4.0">CVSS v4.0 Calculator</a></li><li><a href="/cvss/v4.0/specification-document">CVSS v4.0 Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">CVSS v4.0 User Guide</a></li><li><a href="/cvss/v4.0/examples">CVSS v4.0 Examples</a></li><li><a href="/cvss/v4.0/faq">CVSS v4.0 FAQ</a></li></ul></li><li><a href="/cvss/v3-1">CVSS v3.1 Archive</a><ul><li><a href="/cvss/calculator/3.1">CVSS v3.1 Calculator</a></li><li><a href="/cvss/v3.1/specification-document">CVSS v3.1 Specification Document</a></li><li><a href="/cvss/v3.1/user-guide">CVSS v3.1 User Guide</a></li><li><a href="/cvss/v3.1/examples">CVSS v3.1 Examples</a></li><li><a href="/cvss/v3.1/use-design">CVSS v3.1 Calculator Use & Design</a></li></ul></li><li><a href="/cvss/v3-0">CVSS v3.0 Archive</a><ul><li><a href="/cvss/calculator/3.0">CVSS v3.0 Calculator</a></li><li><a href="/cvss/v3.0/specification-document">CVSS v3.0 Specification Document</a></li><li><a href="/cvss/v3.0/user-guide">CVSS v3.0 User Guide</a></li><li><a href="/cvss/v3.0/examples">CVSS v3.0 Examples</a></li><li><a href="/cvss/v3.0/use-design">CVSS v3.0 Calculator Use & Design</a></li></ul></li><li><a href="/cvss/v2">CVSS v2 Archive</a><ul><li><a href="/cvss/v2/guide">CVSS v2 Complete Documentation</a></li><li><a href="/cvss/v2/history">CVSS v2 History</a></li><li><a href="/cvss/v2/team">CVSS-SIG team</a></li><li><a href="/cvss/v2/meetings">SIG Meetings</a></li><li><a href="/cvss/v2/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v2/adopters">CVSS Adopters</a></li><li><a href="/cvss/v2/links">CVSS Links</a></li></ul></li><li><a href="/cvss/v1">CVSS v1 Archive</a><ul><li><a href="/cvss/v1/intro">Introduction to CVSS</a></li><li><a href="/cvss/v1/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v1/guide">Complete CVSS v1 Guide</a></li></ul></li><li><a href="/cvss/data-representations">JSON & XML Data Representations</a></li><li><a href="/cvss/training">CVSS On-Line Training Course</a></li><li><a href="/cvss/identity">Identity & logo usage</a></li></ul></li><li><a href="/global/sigs/csirt">CSIRT Framework Development SIG</a></li><li><a href="/global/sigs/cyberinsurance">Cyber Insurance SIG</a><ul><li><a href="/global/sigs/cyberinsurance/events">Cyber Insurance SIG Webinars</a></li></ul></li><li><a href="/global/sigs/cti">Cyber Threat Intelligence SIG</a><ul><li><a href="/global/sigs/cti/curriculum/">Curriculum</a><ul><li><a href="/global/sigs/cti/curriculum/introduction">Introduction</a></li><li><a href="/global/sigs/cti/curriculum/cti-introduction">Introduction to CTI as a General topic</a></li><li><a href="/global/sigs/cti/curriculum/methods-methodology">Methods and Methodology</a></li><li><a href="/global/sigs/cti/curriculum/pir">Priority Intelligence Requirement (PIR)</a></li><li><a href="/global/sigs/cti/curriculum/source-evaluation">Source Evaluation and Information Reliability</a></li><li><a href="/global/sigs/cti/curriculum/machine-human">Machine and Human Analysis Techniques (and Intelligence Cycle)</a></li><li><a href="/global/sigs/cti/curriculum/threat-modelling">Threat Modelling</a></li><li><a href="/global/sigs/cti/curriculum/training">Training</a></li><li><a href="/global/sigs/cti/curriculum/standards">Standards</a></li><li><a href="/global/sigs/cti/curriculum/glossary">Glossary</a></li><li><a href="/global/sigs/cti/curriculum/cti-reporting/">Communicating Uncertainties in CTI Reporting</a></li></ul></li><li><a href="/global/sigs/cti/events/">Webinars and Online Training</a></li><li><a href="/global/sigs/cti/cti-program">Building a CTI program and team</a><ul><li><a href="/global/sigs/cti/cti-program/program-stages">Program maturity stages</a><ul><li><a href="/global/sigs/cti/cti-program/stage1">CTI Maturity model - Stage 1</a></li><li><a href="/global/sigs/cti/cti-program/stage2">CTI Maturity model - Stage 2</a></li><li><a href="/global/sigs/cti/cti-program/stage3">CTI Maturity model - Stage 3</a></li></ul></li><li><a href="/global/sigs/cti/cti-program/starter-kit">Program Starter Kit</a></li><li><a href="/global/sigs/cti/cti-program/resources">Resources and supporting materials</a></li></ul></li></ul></li><li><a href="/global/sigs/digital-safety">Digital Safety SIG</a></li><li><a href="/global/sigs/dns">DNS Abuse SIG</a><ul><li><a href="/global/sigs/dns/policies">Code of Conduct & Other Policies</a></li><li><a href="/global/sigs/dns/dns-abuse-examples">Examples of DNS Abuse</a></li></ul></li><li><a href="/global/sigs/ethics">Ethics SIG</a><ul><li><a href="/global/sigs/ethics/ethics-first">Ethics for Incident Response Teams</a></li></ul></li><li><a href="/epss/">Exploit Prediction Scoring System (EPSS)</a><ul><li><a href="/epss/model">The EPSS Model</a></li><li><a href="/epss/data_stats">Data and Statistics</a></li><li><a href="/epss/user-guide">User Guide</a></li><li><a href="/epss/research">EPSS Research and Presentations</a></li><li><a href="/epss/faq">Frequently Asked Questions</a></li><li><a href="/epss/who_is_using">Who is using EPSS?</a></li><li><a href="/epss/epss_tools">Open-source EPSS Tools</a></li><li><a href="/epss/api">API</a></li><li><a href="/epss/papers">Related Exploit Research</a></li><li><a>Blog</a><ul><li><a href="/epss/articles/prob_percentile_bins">Understanding EPSS Probabilities and Percentiles</a></li><li><a href="/epss/articles/log4shell">Log4Shell Use Case</a></li><li><a href="/epss/articles/estimating_old_cvss">Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities</a></li></ul></li><li><a href="/epss/partners">Data Partners</a></li></ul></li><li><a href="/global/sigs/msr/">FIRST Multi-Stakeholder Ransomware SIG</a></li><li><a href="/global/sigs/hfs/">Human Factors in Security SIG</a></li><li><a href="/global/sigs/ics">Industrial Control Systems SIG (ICS-SIG)</a></li><li><a href="/global/sigs/iep">Information Exchange Policy SIG (IEP-SIG)</a></li><li><a href="/global/sigs/information-sharing">Information Sharing SIG</a><ul><li><a href="/global/sigs/information-sharing/misp">Malware Information Sharing Platform</a></li></ul></li><li><a href="/global/sigs/le">Law Enforcement SIG</a></li><li><a href="/global/sigs/malware">Malware Analysis SIG</a><ul><li><a href="/global/sigs/malware/ma-framework">Malware Analysis Framework</a></li><li><a href="/global/sigs/malware/ma-framework/malwaretools">Malware Analysis Tools</a></li></ul></li><li><a href="/global/sigs/metrics">Metrics SIG</a><ul><li><a href="/global/sigs/metrics/events">Metrics SIG Webinars</a></li></ul></li><li><a href="/global/sigs/netsec/">NETSEC SIG</a></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/global/sigs/policy">Policy SIG</a></li><li><a href="/global/sigs/psirt">PSIRT SIG</a></li><li><a href="/global/sigs/red-team">Red Team SIG</a></li><li><a href="/global/sigs/cpg">Retail and Consumer Packaged Goods (CPG) SIG</a></li><li><a href="/global/sigs/ctf">Security Lounge SIG</a></li><li><a href="/global/sigs/tic/">Threat Intel Coalition SIG</a><ul><li><a href="/global/sigs/tic/membership-rules">Membership Requirements and Veto Rules</a></li></ul></li><li><a href="/global/sigs/tlp">Traffic Light Protocol (TLP-SIG)</a></li><li><a href="/global/sigs/transport">Transportation and Mobility SIG</a></li><li><a href="/global/sigs/vulnerability-coordination">Vulnerability Coordination</a><ul><li><a href="/global/sigs/vulnerability-coordination/multiparty">Multi-Party Vulnerability Coordination and Disclosure</a></li><li><a href="/global/sigs/vulnerability-coordination/multiparty/guidelines">Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure</a></li></ul></li><li><a href="/global/sigs/vrdx">Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)</a><ul><li><a href="/global/sigs/vrdx/vdb-catalog">Vulnerability Database Catalog</a></li></ul></li><li><a href="/global/sigs/wof">Women of FIRST</a></li></ul></li><li><a href="/global/governance">Internet Governance</a></li><li><a href="/global/irt-database">IR Database</a></li><li><a href="/global/fellowship">Fellowship Program</a><ul><li><a href="https://portal.first.org/fellowship">Application Form</a></li></ul></li><li><a href="/global/mentorship">Mentorship Program</a></li><li><a href="/hof">IR Hall of Fame</a><ul><li><a href="/hof/inductees">Hall of Fame Inductees</a></li></ul></li><li><a href="/global/victim-notification">Victim Notification</a></li><li><a href="/volunteers/">Volunteers at FIRST</a><ul><li><a href="/volunteers/list">FIRST Volunteers</a></li><li><a href="/volunteers/participation">Volunteer Contribution Record</a></li></ul></li><li><a href="#new">Previous Activities</a><ul><li><a href="/global/practices">Best Practices Contest</a></li></ul></li></ul></li><li><a href="/standards">Standards & Publications</a><ul><li><a href="/standards">Standards</a><ul><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a></li><li><a href="/tlp">Traffic Light Protocol (TLP)</a><ul><li><a href="/tlp/use-cases">TLP Use Cases</a></li></ul></li><li><a href="/standards/frameworks/">Service Frameworks</a><ul><li><a href="/standards/frameworks/csirts">CSIRT Services Framework</a></li><li><a href="/standards/frameworks/psirts">PSIRT Services Framework</a></li></ul></li><li><a href="/iep">Information Exchange Policy (IEP)</a><ul><li><a href="/iep/iep_framework_2_0">IEP 2.0 Framework</a></li><li><a href="/iep/iep-json-2_0">IEP 2.0 JSON Specification</a></li><li><a href="/iep/iep-polices">Standard IEP Policies</a><ul><li><a href="https://www.first.org/iep/2.0/first-tlp-iep.iepj">IEP TLP Policy File</a></li><li><a href="https://www.first.org/iep/2.0/first-unknown-iep.iepj">IEP Unknown Policy File</a></li></ul></li><li><a href="/iep/iep_v1_0">IEP 1.0 Archive</a></li></ul></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/epss">Exploit Prediction Scoring System (EPSS)</a></li></ul></li><li><a href="/resources/papers">Publications</a></li></ul></li><li><a href="/events">Events</a></li><li><a href="/education">Education</a><ul><li><a href="/education/first-training">FIRST Training</a><ul><li><a href="/education/trainings">Training Courses</a></li><li><a href="/education/trainers">FIRST Trainers</a></li></ul></li></ul></li><li><a href="/blog">Blog</a></li></ul> </div> </div> <div id="home-buttons"> <p><a href="/join" data-title="Join"><img alt="Join" src="/_/img/icon-join.svg"><span class="tt-join">Join<span>Details about FIRST membership and joining as a full member or liaison.</span></span></a> <a href="/learn" data-title="Learn"><img alt="Learn" src="/_/img/icon-learn.svg"><span class="tt-learn">Learn<span>Training and workshop opportunities, and details about the FIRST learning platform.</span></span></a> <a href="/participate" data-title="Participate"><img alt="Participate" src="/_/img/icon-participate.svg"><span class="tt-participate">Participate<span>Read about upcoming events, SIGs, and know what is going on.</span></span></a></p> </div></div></div></header><div id="body" data-studio="CU52CV1W8g"><div id="c1" data-studio="Yu8FjCC11g" class="data-preview toc-h2 toc-h3 p"><h1 id="Information-Exchange-Policy-IEP---Version-1-0">Information Exchange Policy (IEP) - Version 1.0</h1> <h2 id="Introduction">Introduction</h2> <h3 id="1-About-this-policy">1. About this policy</h3> <ol> <li>This policy sets out the FIRST Information Exchange Policy (IEP) framework that Computer Security Incident Response Teams (CSIRT), security communities, organizations, and vendors may consider implementing to support their information sharing and information exchange initiatives.</li> <li>This framework is intended to support both the existing approaches to defining information exchange policies used by CSIRTs, and information exchange policies that organizations will need as their information exchanges mature and evolve.</li> <li>Example implementations are listed in <a href="#appendix-a">Appendix A: Machine readable IEP framework examples</a>.</li> </ol> <h3 id="2-Background">2. Background</h3> <ol> <li>Automating the exchange of security and threat information in a timely manner is crucial to the future and effectiveness of the security response community.</li> <li>The timely distribution of sensitive information will only thrive in an environment where both producers and consumers have a clear understanding of how shared information can and cannot be used, with very few variations of interpretation.</li> <li>The general lack of adequate policy that supports information exchange is increasingly becoming an impediment to timely sharing. This will only be exacerbated as more organizations start actively participating in information exchange communities and the volume of security and threat information being shared continues to grow.</li> <li>The Traffic Light Protocol<sup><small><a href="#note-01">1</a></small></sup> (TLP) is the most commonly used method to mark and protect 1 information that is shared. The original intent behind TLP was to speed up the timetoaction on shared information by predeclaring the permitted redistribution of that information, reducing the need for everyone to ask the producer if it could be “shared with XYZ in my organization” and for that purpose TLP still works.</li> <li>The challenge for producers of information is that they need to be able to convey more than just the permitted redistribution of the information. There can be a lack of clarity when defining and interpreting the permitted actions and uses of information shared between organizations. This is compounded by the sensitive nature and commercially competitive aspects of security and threat information.</li> <li>FIRST, interested in enabling the global development and maturation of CSIRTs, recognized that the general lack of adequate policy supporting information exchange is increasingly becoming an impediment to information sharing amongst CSIRT teams.</li> <li>Given the geographical and functional span of the membership of FIRST, it was determined that the community that it assembles would be an appropriate source for definitive capture and representation of CSIRTs IEP requirements.</li> <li>Automating information exchange is not just a matter of technology; but also one of policy, language, and structured understanding.</li> </ol> <h2 id="Policy-framework">Policy framework</h2> <h3 id="3-Framework-Overview">3. Framework Overview</h3> <ol> <li>The IEP framework is structured by Policy Types that act as high level categories under which the individual Policy Statements of similar type or intent are grouped and defined.</li> <li>The Policy Types are intended to provide the smallest set of categories needed to encapsulate the majority of individual policy statements.</li> <li>The Policy Types provide extensibility for exceptions and future requirements, as information exchange matures and evolves.</li> </ol> <h3 id="4-Framework-Policy-Types">4. Framework Policy Types</h3> <ol> <li>Four policy types are supported: <strong>Handling, Action, Sharing, and Licensing (HASL)</strong>. <ol> <li><strong>HANDLING</strong> policy statements define any obligations or controls on information received, to ensure the confidentiality of information that is shared</li> <li><strong>ACTION</strong> policy statements define the permitted actions or uses of the information received that can be carried out by a recipient</li> <li><strong>SHARING</strong> policy statements define any permitted redistribution of information that is received</li> <li><strong>LICENSING</strong> policy statements define any applicable agreements, licenses, or terms of use that governs the information being shared</li> </ol></li> </ol> <h3 id="5-Framework-Definitions-and-Roles">5. Framework Definitions and Roles</h3> <ol> <li>Provider means the organization or individual who acts to provide, produce, publish, share or exchange information with third parties.</li> <li>A provider stipulates the obligations and requirements for information they share through Policy Statements.</li> <li>Recipient means the organization or individual who receives or consumes information from third party Providers.</li> <li>Organizations can act as both a Provider or Recipient.</li> <li>Although this document recognizes that relationships and sharing agreements exist between Providers and Recipients, it does not seek to define these interrelationships.</li> </ol> <h3 id="6-Framework-Policy-Statements">6. Framework Policy Statements</h3> <ol> <li>A Provider defines individual Policy Statements that articulate the specific requirements or obligations for Recipients on information the Provider shares.</li> <li>Each policy statement includes the following properties, by definition: <ol> <li><strong>POLICY STATEMENT</strong> states the common name for each policy statement.</li> <li><strong>POLICY TYPE</strong> states the Policy Type the Policy Statement is associated with.</li> <li><strong>POLICY DESCRIPTION</strong> provides context and defines the intended purpose of the policy statement.</li> <li><strong>POLICY ENUMERATIONS</strong> Define the set of permitted enumerations for the policy statement and may include definitions for enumerations that are not described elsewhere in this policy.</li> <li><strong>REQUIRED STATEMENT</strong> States if the Policy Statement is mandatory. Required statements must indicate the default enumeration. Default enumerations must be set to provide the most restrictive option for the Policy Statement.</li> </ol></li> <li>Policy statement enumerations that indicate requirement levels use the key words “MUST”, “MUST NOT”, and “MAY” in this document are to be interpreted as described in RFC2119<sup><small><a href="#note-02">2</a></small></sup> <ol> <li><strong>MUST</strong> This word means that the policy statement is an absolute requirement.</li> <li><strong>MUST NOT</strong> This phrase means that the policy statement is an absolute prohibition.</li> <li><strong>MAY</strong> This word means that the policy statement is truly optional.</li> </ol></li> </ol> <h3 id="7-Handling-Policy-Statements">7. Handling Policy Statements</h3> <ol> <li> <p>Handling policy statements define any obligations or controls on information received, to ensure the confidentiality of information that is shared.</p> <table> <thead> <tr> <th>1. Policy Statement</th> <th>ENCRYPT IN TRANSIT</th> </tr> </thead> <tbody> <tr> <td>Policy Type</td> <td>HANDLING</td> </tr> <tr> <td>Policy Description</td> <td>States whether the received information has to be encrypted when it is retransmitted by the recipient.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MUST</strong><br />Recipients MUST encrypt the information received when it is retransmitted or redistributed.<br /><strong>MAY</strong><br /> Recipients MAY encrypt the information received when it is retransmitted or redistributed.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th>2. ENCRYPT AT REST</th> <th></th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>ENCRYPT AT REST</td> </tr> <tr> <td>Policy Type</td> <td>HANDLING</td> </tr> <tr> <td>Policy Description</td> <td>States whether the received information has to be encrypted by the Recipient when it is stored at rest.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MUST</strong><br />Recipients MUST encrypt the information received when it is stored at rest.<br /><strong>MAY</strong><br />Recipients MAY encrypt the information received when it is stored at rest.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> </li> </ol> <h3 id="8-Action-Policy-Statements">8. Action Policy Statements</h3> <ol> <li> <p>Action policy statements define the permitted actions or uses of the information received that can be carried out by a recipient.</p> <table> <thead> <tr> <th colspan="2">1. PERMITTED ACTIONS</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>PERMITTED ACTIONS</td> </tr> <tr> <td>Policy Type</td> <td>ACTION</td> </tr> <tr> <td>Policy Description</td> <td>States the permitted actions that Recipients can take upon information received.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>NONE</strong><br />Recipients MUST NOT act upon the information received.<br /><strong>CONTACT FOR INSTRUCTION</strong><br />Recipients MUST contact the Providers before acting upon the information received. An example is where information redacted by the Provider could be derived by the Recipient and identify the affected parties.<br /><strong>INTERNALLY VISIBLE ACTIONS</strong><br />Recipients MAY conduct actions on the information received that are only visible on the Recipient's internal networks and systems, and MUST NOT conduct actions that are visible outside of the Recipients networks and systems, or visible to third parties.<br /><strong>EXTERNALLY VISIBLE INDIRECT ACTIONS</strong><br />Recipients MAY conduct indirect, or passive, actions on the information received that are externally visible and MUST NOT conduct direct, or active, actions.<br /><strong>EXTERNALLY VISIBLE DIRECT ACTIONS</strong><br />Recipients MAY conduct direct, or active, actions on the information received that are externally visible.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">2. AFFECTED PARTY NOTIFICATIONS</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>AFFECTED PARTY NOTIFICATIONS</td> </tr> <tr> <td>Policy Type</td> <td>ACTION</td> </tr> <tr> <td>Policy Description</td> <td>Recipients are permitted notify affected third parties of a potential compromise or threat. Examples include permitting National CSIRTs to send notifications to affected constituents, or a service provider contacting affected customers.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MAY</strong><br />Recipients MAY notify affected parties of a potential compromise or threat.<br /><strong>MUST NOT</strong><br />Recipients MUST NOT notify affected parties of potential compromise or threat.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> </li> </ol> <h3 id="9-Sharing-Policy-Statements">9. Sharing Policy Statements</h3> <ol> <li> <p>Sharing policy statements define any permitted redistribution of information that is received and any actions that need to be taken first.</p> <table> <thead> <tr> <th colspan="2">1. TRAFFIC LIGHT PROTOCOL</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>TRAFFIC LIGHT PROTOCOL</td> </tr> <tr> <td>Policy Type</td> <td>SHARING</td> </tr> <tr> <td>Policy Description</td> <td>Recipients are permitted to redistribute the information received within the redistribution scope as defined by the enumerations. The enumerations “RED”, “AMBER”, “GREEN”, “WHITE” in this document are to be interpreted as described in the FIRST Traffic Light Protocol Policy<sup><small markdown=1><a href="#note-03">3</a></small></sup></td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>RED</strong><br/>Personal for identified recipients only.<br/><strong>AMBER</strong><br/>Limited sharing on the basis of needtoknow.<br/><strong>GREEN</strong><br/>Community wide sharing.<br/><strong>WHITE</strong><br/>Unlimited sharing.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">2. PROVIDER ATTRIBUTION</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>PROVIDER ATTRIBUTION</td> </tr> <tr> <td>Policy Type</td> <td>SHARING</td> </tr> <tr> <td>Policy Description</td> <td>Recipients could be required to attribute or anonymize the Provider when redistributing the information received.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MAY</strong><br/>Recipients MAY attribute the Provider when redistributing the information received.<br/><strong>MUST</strong><br/>Recipients MUST attribute the Provider when redistributing the information received.<br/><strong>MUST NOT</strong><br/>Recipients MUST NOT attribute the Provider when redistributing the information received.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">3. OBFUSCATE AFFECTED PARTIES</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>OBFUSCATE AFFECTED PARTIES</td> </tr> <tr> <td>Policy Type</td> <td>SHARING</td> </tr> <tr> <td>Policy Description</td> <td>Recipients could be required to obfuscate or anonymize information that could be used to identify the affected parties before redistributing the information received.<br />Examples include removing affected parties IP addresses, or removing the affected parties names but leaving the affected parties industry vertical prior to sending a notification.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MAY</strong><br />Recipients MAY obfuscate information about the specific affected parties.<br /><strong>MUST</strong><br />Recipients MUST obfuscate information about the specific affected parties.<br /><strong>MUST NOT</strong><br />Recipients MUST NOT obfuscate information about the specific affected parties.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> </li> </ol> <h3 id="10-Licensing-Policy-Statements">10. Licensing Policy Statements</h3> <ol> <li> <p>Licensing policy statements define any applicable agreements, licenses, or terms of use that governs the information being shared. For example, a reference to an existing partner sharing agreement or commercial license.</p> <table> <thead> <tr> <th colspan="2">1. EXTERNAL REFERENCE</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>EXTERNAL REFERENCE</td> </tr> <tr> <td>Policy Type</td> <td>LICENSING</td> </tr> <tr> <td>Policy Description</td> <td>This statement can be used to convey a description or reference to any applicable licenses, agreements, or conditions between the producer and receiver. e.g. specific terms of use , contractual language, agreement name, or a URL.</td> </tr> <tr> <td>Policy Enumerations</td> <td>There are no EXTERNAL REFERENCE enumerations and this is a free form text field.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">2. UNMODIFIED RESALE</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>UNMODIFIED RESALE</td> </tr> <tr> <td>Policy Type</td> <td>LICENSING</td> </tr> <tr> <td>Policy Description</td> <td>States whether the recipient MAY or MUST NOT resell the information received unmodified or in a semantically equivalent format. e.g. transposing the information from a .csv file format to a .json file format would be considered semantically equivalent.</td> </tr> <tr> <td>Policy Enumerations</td> <td><strong>MAY</strong><br />Recipients MAY resell the information received.<br /><strong>MUST NOT</strong><br />Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> </li> </ol> <h3 id="11-Metadata-Policy-Statements">11. Metadata Policy Statements</h3> <ol> <li> <p>Metadata policy statements define the metadata elements for an IEP that are needed to support implementation of the IEP framework and the machine readability of IEPs. Metadata policy statements have values but do not have enumerations.</p> <table> <thead> <tr> <th colspan="2">1. POLICY ID</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY ID</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>Provides a unique ID to identify a specific IEP implementation.</td> </tr> <tr> <td>Required Statement</td> <td>YES</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">2. POLICY VERSION</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY VERSION</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>States the version of the IEP framework that has been used. e.g. 1.0</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">3. POLICY NAME</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY NAME</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>This statement can be used to provide a name for an IEP implementation. e.g. FIRST Mailing List IEP</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">4. POLICY START DATE</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY START DATE</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>States the UTC date that the IEP is effective from.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">5. POLICY END DATE</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY END DATE</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>States the UTC<sup><small><a href="#note-04">4</a></small></sup> date that the IEP is effective until.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> <table> <thead> <tr> <th colspan="2">6. POLICY REFERENCE</th> </tr> </thead> <tbody> <tr> <td>Policy Statement</td> <td>POLICY REFERENCE</td> </tr> <tr> <td>Policy Type</td> <td>METADATA</td> </tr> <tr> <td>Policy Description</td> <td>This statement can be used to provide a URL reference to the specific IEP implementation.</td> </tr> <tr> <td>Required Statement</td> <td>NO</td> </tr> </tbody> </table> </li> </ol> <p><a id="appendix-a"></a></p> <h2 id="Appendix-A-Machine-readable-IEP-framework-examples">Appendix A: Machine readable IEP framework examples</h2> <p>The following is an example JSON representation of an IEP implementation</p> <pre><code>"FIRST-mailing-list-iep": { "id": "01bc435348294d558d520ab7e0790df9", "name": "FIRST.org Mailing List IEP", "version": 1, "reference": "https://www.first.org/mailinglistiep", "start-date": "2016-06-09 10:09:00", "end-date": "2016-12-31 10:09:00", "encrypt-in-transit": "MAY", "encrypt-at-rest": "MAY", "permitted-actions": "EXTERNALLY VISIBLE DIRECT ACTIONS", "affected-party-notifications": "MAY", "tlp": "AMBER", "attribution": "MUST NOT", "obfuscate-affected-parties": "MUST", "unmodified-resale": "MUST NOT", "external-reference": "https://www.first.org/about/policies/bylaws" }</code></pre> <hr /> <p>Notes:</p> <ol> <li><a id="note-01"></a><a href="https://en.wikipedia.org/wiki/Traffic_Light_Protocol">https://en.wikipedia.org/wiki/Traffic_Light_Protocol</a></li> <li><a id="note-02"></a><a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a></li> <li><a id="note-03"></a><a href="http://www.first.org/global/sigs/tlp">FIRST Traffic Light Protocol Policy (www.first.org/global/sigs/tlp)</a></li> <li><a id="note-04"></a><a href="https://en.wikipedia.org/wiki/ISO_8601">https://en.wikipedia.org/wiki/ISO_8601</a></li> </ol></div></div><div id="navbar" data-studio="CU52CV1W8g"><div id="c4" data-studio="Yu8FjCC11g"><ul class="navbar"><li><a href="/standards">Standards & Publications</a><ul><li><a href="/standards">Standards</a><ul><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a></li><li><a href="/tlp">Traffic Light Protocol (TLP)</a><ul><li><a href="/tlp/use-cases">TLP Use Cases</a></li></ul></li><li><a href="/standards/frameworks/">Service Frameworks</a><ul><li><a href="/standards/frameworks/csirts">CSIRT Services Framework</a></li><li><a href="/standards/frameworks/psirts">PSIRT Services Framework</a></li></ul></li><li><a href="/iep">Information Exchange Policy (IEP)</a><ul><li><a href="/iep/iep_framework_2_0">IEP 2.0 Framework</a></li><li><a href="/iep/iep-json-2_0">IEP 2.0 JSON Specification</a></li><li><a href="/iep/iep-polices">Standard IEP Policies</a><ul><li><a href="https://www.first.org/iep/2.0/first-tlp-iep.iepj">IEP TLP Policy File</a></li><li><a href="https://www.first.org/iep/2.0/first-unknown-iep.iepj">IEP Unknown Policy File</a></li></ul></li><li><a href="/iep/iep_v1_0">IEP 1.0 Archive</a></li></ul></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/epss">Exploit Prediction Scoring System (EPSS)</a></li></ul></li><li><a href="/resources/papers">Publications</a></li></ul></li></ul></div></div><div id="sidebar" data-studio="CU52CV1W8g"></div><footer><div id="footer" data-studio="CU52CV1W8g"><div id="c2" data-studio="Yu8FjCC11g"><div class="content"> <div class="support"> <div class="kbsearch bottom"> <p><a href="https://support.first.org"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a> <input class="kb-search" type="search" placeholder="Do you need help?"></p> </div> </div> <div id="socialnetworks"><a href="/about/sdg" title="FIRST Supported Sustainable Development Goals (SDG)" class="icon-sdg"></a><a rel="me" href="https://infosec.exchange/@firstdotorg" target="_blank" title="@FIRSTdotOrg@infosec.exchange" class="icon-mastodon"></a><a href="https://twitter.com/FIRSTdotOrg" target="_blank" title="Twitter @FIRSTdotOrg" class="icon-tw"></a><a href="https://www.linkedin.com/company/firstdotorg" target="_blank" title="FIRST.Org at LinkedIn" class="icon-linkedin"></a><a href="https://www.facebook.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Facebook" class="icon-fb"></a><a href="https://github.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Github" class="icon-github"></a><a href="https://www.youtube.com/c/FIRSTdotorg" target="_blank" title="FIRST.Org at Youtube" class="icon-youtube"></a><a href="/podcasts" title="FIRST.Org Podcasts" class="icon-podcast"></a></div> <p><a href="/copyright">Copyright</a> © 2015—2024 by Forum of Incident Response and Security Teams, Inc. All Rights Reserved.</p> </div> <p><span class="tlp"></span></p></div></div></footer><script nonce="vU4qX975zA4guP_ABp62NQ" async="async" src="/_/web.js?20241125212614"></script><script nonce="vU4qX975zA4guP_ABp62NQ" async="async" src="/_/s.js?20241125-212616"></script></body></html>