FB-ISAO Adopts Traffic Light Protocol 2.0

The community of faith is becoming more integrated into security operations. As such, security practitioners are communicating and collaborating by sharing threat intelligence and threat information. This sharing includes things like analytical reports, incident reports, and suspicious activity reports (SARs). Additionally, general reporting is shared in our collaborative workspace. As an organization, the Faith-Based Information Sharing and Analysis Organization (FB-ISAO) not only shares threat intelligence and information with its members, but across organizational boundaries as appropriate. This practice of information sharing is managed efficiently and coordinated well when all participants share one common information sharing protocol.

Since our inception in 2018, FB-ISAO adopted the Traffic Light Protocol 1.0, most commonly referred to simply as “TLP.” TLP was conceptualized by the Forum of Incident Response and Security Teams (FIRST) to facilitate greater sharing of sensitive information. In August 2022, FIRST standardized the most current version, TLP 2.0.

What is Traffic Light Protocol (TLP)?

The Traffic Light Protocol is an easy-to-understand and useful standard to govern information disclosure practices. TLP 2.0 provides more granular guidance over threat intelligence sharing and is intended to be more user-friendly than the previous version. Learn more about TLP.

Why use an information sharing protocol?

• Greater control over information sharing. Through the use of the TLP 2.0 standard, organizations can practice threat information sharing while establishing coherent and consistent boundaries to avoid misuse of any sensitive information.
• Building trust. The inclusion of the TLP 2.0 standard helps improve the flow of threat information within the community and with the broader information sharing community. Everyone is on the same page on what and how to share information with security teams, decision makers, partner organizations, or sharing communities like ISACs/ISAOs. This practice builds trust.
• Improved risk communication. The designation of shared information using the TLP 2.0 standard also helps all stakeholders within an organization reduce the chances of human error.

What are the changes from TLP 1.0 to TLP 2.0?

In summary, the TLP:WHITE designation has been renamed TLP:CLEAR in the latest standard. A new TLP:AMBER+STRICT designation has been added to highlight information that is restricted to the recipient’s organization only.

How to use TLP in email

TLP-designated email correspondence should indicate the TLP color of the information in the Subject line and in the body of the email, prior to the designated information itself. The TLP color must be in capital letters: TLP:RED, TLP:AMBER+STRICT, TLP:AMBER, TLP:GREEN, or TLP:WHITE.

How to use TLP in documents

TLP-designated documents should indicate the TLP color of the information in the header and footer of each page. To avoid confusion with existing control marking schemes, it is advisable to right-justify TLP designations. The TLP color should appear in capital letters and in 12-point type or greater. Note: TLP 2.0 has changed the color coding of TLP:RED to accommodate individuals with low vision.

For the FB-ISAO Community, the greatest difference will be evident in the change from TLP:WHITE to TLP:CLEAR. FB-ISAO will adopt TLP 2.0 in January 2023.

Reduce the threat.

Protect the free practice of faith.