Cybersecurity

SARIF TC members are developing an interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.

SARIF represents a leap forward in the usability of static analysis tools. Many organizations in the safety and security communities use several competing tools on their code. SARIF will allow them to combine and compare the results more easily to gain a sharper picture of the issues in their code that need to be addressed. Engineering teams will be able to easily access a broad range of potential defects and vulnerabilities in compliance with privacy and accessibility standards. SARIF will support the development of products whose code spans languages and operating systems.

For more information, see the SARIF TC Charter.

CACAO TC members are developing a standard to implement the course of action playbook model for cybersecurity operations.

In order to defend against cyber threats, organizations must manually identify, create, and document the prevention, mitigation, and remediation steps that, together, form a course of action playbook. However, today, there is is no standardized way to document and share these playbooks across organizational boundaries and technology solutions.

CACAO addresses this problem by defining a sequence of cyber defense actions that can be executed for each type of playbook. It will specifically enable organizations to:

1. create course of action playbooks in a structured machine-readable format,
2. digitally sign course of action playbooks,
3. securely share course of action playbooks across organizational boundaries and technological solutions, and
4. document processing instructions for course of action playbooks in a machine readable format.

For more information, see the CACAO TC Charter.

The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. The Technical Committee will leverage pre-existing standards to the greatest extent practical, identifying gaps pertaining to the command and control of technologies that provide or support cyber defenses. The TC will base its initial efforts on artifacts generated by the OpenC2 Forum, a community of cyber-security stakeholders that was facilitated by the National Security Agency; the Forum has published a language description document (RC4), actuator profiles, and open source prototype implementations.

For more information on the OpenC2 TC, see the TC Charter.

OpenC2 TC standing rules can be found under Additional Information.

The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

• Security requirements capture methodology;
• Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
• Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
• Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
• Security aspects of identity management, biometrics and privacy;
• Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
• Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas

The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. In the initial phase of TC work, three specifications will be transitioned from the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).

The OASIS CTI Technical Committee will:

• define composable information sharing services for peer-to-peer, hub-and-spoke, and source subscriber threat intelligence sharing models
• develop standardized representations for campaigns, threat actors, incidents, tactics techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action
• develop formal models that allow organizations to develop their own standards-based sharing architectures to meet specific needs

For more information on the CTI TC, see the TC Charter.