
The Forum of Incident Response and Security Teams (FIRST) has published TLP 2.0, a new version of its Traffic Light Protocol (TLP) standard, five years after the release of the initial version.

The TLP standard is used in the computer security incident response team (CSIRT) community to facilitate the greater sharing of sensitive information.

It also indicates any sharing limitations recipients have to consider when communicating potentially sensitive info with others.

"TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared," FIRST says.

"TLP labels and their definitions are not intended to have any effect on freedom of information or 'sunshine' laws in any jurisdiction."

With the updated standard, FIRST maintains the rule that the source of information should communicate the TLP label in writing or verbally, depending on the TLP designation.

Information sources are also required to ensure that recipients of TLP-labeled info understand and abide by the TLP sharing guidance.

Changes in the new TLP 2.0 standard

Compared to TLP 1.0, TLP 2.0 replaces the TLP:WHITE label with TLP:CLEAR and adds a TLP:AMBER+STRICT label for an extra limited disclosure level within organizations.

The new standard also clarifies the previous label description to improve human readability and make it easier to understand disclosure limitations.

FIRST also "removed synonyms and colloquialisms to improve accessibility for non-native English speakers and ease of translation, focused on consistent language and terminology, adding definitions for community, organization, and clients, and added a colors table to include RGB, CMYK, and hexadecimal color codes."

According to FIRST, the color-coded TLP labels should be applied based on the audience that should have access to the shared sensitive information:

  • TLP:RED = For the eyes and ears of individual recipients only, no further disclosure.
  • TLP:AMBER = Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.
  • TLP:AMBER+STRICT = Restricts sharing to the organization only.
  • TLP:GREEN = Limited disclosure, recipients can spread this within their community.
  • TLP:CLEAR = Recipients can spread this to the world, there is no limit on disclosure.
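
The label definitions above can be enforced as a pre-send check in an information-sharing pipeline. The following Python is an added example, not code from FIRST or from this article; the scope names, the linear ordering of audiences, and the fail-closed handling of missing or conflicting labels are assumptions of the example, and the sample messages are constructed.

```python
import re

# Audience scopes, narrowest to widest. The names and the linear ordering
# are assumptions of this example, not part of the TLP standard text.
SCOPES = ["recipient", "organization", "clients", "community", "world"]

# Widest scope each TLP 2.0 label permits, per the definitions listed above.
MAX_SCOPE = {
    "RED": "recipient",
    "AMBER+STRICT": "organization",
    "AMBER": "clients",
    "GREEN": "community",
    "CLEAR": "world",
}

# Tolerates "TLP: AMBER+STRICT", lower case, and the TLP 1.0 label WHITE.
# AMBER+STRICT is tried before AMBER so the longer label wins.
_LABEL_RE = re.compile(
    r"TLP:\s*(AMBER\s*\+\s*STRICT|AMBER|RED|GREEN|CLEAR|WHITE)\b", re.IGNORECASE
)

def parse_tlp(text):
    """Return the single normalized TLP 2.0 label found in text, or None."""
    labels = set()
    for match in _LABEL_RE.finditer(text):
        label = re.sub(r"\s+", "", match.group(1)).upper()
        labels.add("CLEAR" if label == "WHITE" else label)  # TLP 1.0 -> 2.0
    # No label, or conflicting labels: the caller must not guess.
    return labels.pop() if len(labels) == 1 else None

def may_share(text, audience):
    """True only if the label found in text permits sharing with audience."""
    label = parse_tlp(text)
    if label is None or audience not in SCOPES:
        return False  # fail closed (a design choice of this example)
    return SCOPES.index(audience) <= SCOPES.index(MAX_SCOPE[label])

# Constructed sample messages, not real advisories.
SAMPLES = [
    ("Subject: [TLP: AMBER+STRICT] phishing indicator digest", "clients"),
    ("Subject: [TLP:AMBER] phishing indicator digest", "clients"),
    ("tlp:white vendor advisory summary", "world"),
    ("Weekly notes, unlabeled", "organization"),
]

if __name__ == "__main__":
    for message, audience in SAMPLES:
        print(parse_tlp(message), audience, may_share(message, audience))
```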

When applying these TLP labels, those sharing the information should consider the foreseeable risk of its misuse, whether it should be used to increase awareness in the broader community, and its impact on organization privacy, reputation, or operations.

"We are increasingly spreading more confidential and sensitive information inside our community, inside companies, inside business sectors, inside countries, and worldwide," FIRST TLP-SIG co-chair Don Stikvoort said.

"We need systems that are easy to use, simple to understand, and straightforward enough that translation does not impact the meaning to ensure that we share sensitive information with the appropriate audience. The updated and modernized TLP version 2.0 does just that."

Update: Added more info on TLP 2.0 highlights.