The Forum of Incident Response and Security Teams (FIRST) has published TLP 2.0, a new version of its Traffic Light Protocol (TLP) standard, five years after the release of the initial version.
The TLP standard is used in the computer security incident response team (CSIRT) community to facilitate the greater sharing of sensitive information.
It also indicates the sharing limitations recipients must observe when passing potentially sensitive information on to others.
“TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared,” FIRST says.
“TLP labels and their definitions are not intended to have any effect on freedom of information or ‘sunshine’ laws in any jurisdiction.”
In the new standard, FIRST maintains the rule that the source of information should communicate the TLP label in writing or verbally, depending on the TLP designation.
Information sources are also required to ensure that recipients of TLP-labeled info understand and abide by the TLP sharing guidance.
Changes in the new TLP 2.0 standard
Compared to TLP 1.0, TLP 2.0 replaces the TLP:WHITE label with TLP:CLEAR and adds a new TLP:AMBER+STRICT label, an extra limited-disclosure level that keeps information within the recipient's organization.
The new standard also clarifies the previous label description to improve human readability and make it easier to understand disclosure limitations.
According to FIRST, the color-coded TLP labels should be applied based on the audience that should have access to the shared sensitive information:
TLP:RED = For the eyes and ears of individual recipients only; no further disclosure.
TLP:AMBER = Limited disclosure; recipients may only spread this on a need-to-know basis within their organization and its clients.
TLP:AMBER+STRICT = Limited disclosure; recipients may only spread this within their own organization.
TLP:GREEN = Limited disclosure; recipients may spread this within their community.
TLP:CLEAR = Recipients may spread this to the world; there is no limit on disclosure.
When applying these TLP labels, those sharing the information should consider the foreseeable risk of its misuse, whether it should be used to increase awareness in the broader community, and its impact on organizational privacy, reputation, or operations.
“If a recipient needs to share information more widely than indicated by the TLP label it came with, they must obtain explicit permission from the source,” FIRST explained.
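The five audiences listed above and the explicit-permission rule FIRST describes can be expressed as a small policy check. The code below is an added example, not FIRST's code or part of the TLP standard; it assumes a simplified model in which each party belongs to one organization and one community, and each organization knows its client organizations.

```python
"""Added example: a minimal TLP 2.0 re-sharing check (not FIRST's code).

Assumed model: a Party has one organization and one community; the
recipient's organization has a set of client organizations; wider sharing
than the label allows needs explicit permission recorded from the source."""
from dataclasses import dataclass, field

# The five TLP 2.0 labels, ordered from most to least restrictive.
TLP_LABELS = ("TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR")


@dataclass(frozen=True)
class Party:
    name: str
    org: str
    community: str


@dataclass
class TlpMessage:
    label: str
    source: Party
    recipient: Party
    # Client organizations of the recipient's org (assumed modelling choice).
    org_clients: frozenset = field(default_factory=frozenset)
    # Names of parties the source has explicitly permitted wider sharing with.
    permitted: set = field(default_factory=set)

    def __post_init__(self):
        if self.label not in TLP_LABELS:  # rejects e.g. the retired TLP:WHITE
            raise ValueError(f"unknown TLP 2.0 label: {self.label}")


def may_share(msg: TlpMessage, target: Party) -> bool:
    """True if msg.recipient may pass the message on to target.

    RED: recipient only. AMBER+STRICT: recipient's organization.
    AMBER: that organization and its clients. GREEN: recipient's community.
    CLEAR: anyone. Anything wider needs the source's explicit permission."""
    if target == msg.recipient or target.name in msg.permitted:
        return True
    r, label = msg.recipient, msg.label
    if label == "TLP:CLEAR":
        return True
    if label == "TLP:GREEN":
        return target.org == r.org or target.community == r.community
    if label == "TLP:AMBER":
        return target.org == r.org or target.org in msg.org_clients
    if label == "TLP:AMBER+STRICT":
        return target.org == r.org
    return False  # TLP:RED: no further disclosure


def grant_permission(msg: TlpMessage, target: Party) -> None:
    """Record the source's explicit permission to share with target."""
    msg.permitted.add(target.name)
```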