OASIS

The OASIS MQTT TC is producing a standard for the Message Queuing Telemetry Transport Protocol compatible with MQTT V3.1, together with requirements for enhancements, documented usage examples, best practices, and guidance for use of MQTT topics with commonly available registry and discovery mechanisms. The standard supports bi-directional messaging to uniformly handle both signals and commands, deterministic message delivery, basic QoS levels, always/sometimes-connected scenarios, loose coupling, and scalability to support large numbers of devices. Candidates for enhancements include message priority and expiry, message payload typing, request/reply, and subscription expiry.

As an M2M/Internet of Things (IoT) connectivity protocol, MQTT is designed to support messaging transport from remote locations/devices involving small code footprints (e.g., 8-bit, 256KB ram controllers), low power, low bandwidth, high-cost connections, high latency, variable availability, and negotiated delivery guarantees. For example, MQTT is being used in sensors communicating to a broker via satellite links, SCADA, over occasional dial-up connections with healthcare providers (medical devices), and in a range of home automation and small device scenarios. MQTT is also ideal for mobile applications because of its small size, minimized data packets, and efficient distribution of information to one or many receivers (subscribers).

For more information on the MQTT TC, see the TC Charter.

The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. In the initial phase of TC work, three specifications will be transitioned from the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).

The OASIS CTI Technical Committee will:

• define composable information sharing services for peer-to-peer, hub-and-spoke, and source subscriber threat intelligence sharing models
• develop standardized representations for campaigns, threat actors, incidents, tactics techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action
• develop formal models that allow organizations to develop their own standards-based sharing architectures to meet specific needs

For more information on the CTI TC, see the TC Charter.

The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. The Technical Committee will leverage pre-existing standards to the greatest extent practical, identifying gaps pertaining to the command and control of technologies that provide or support cyber defenses. The TC will base its initial efforts on artifacts generated by the OpenC2 Forum, a community of cyber-security stakeholders that was facilitated by the National Security Agency; the Forum has published a language description document (RC4), actuator profiles, and open source prototype implementations.

For more information on the OpenC2 TC, see the TC Charter.

OpenC2 TC standing rules can be found under Additional Information.

CACAO TC members are developing a standard to implement the course of action playbook model for cybersecurity operations.

In order to defend against cyber threats, organizations must manually identify, create, and document the prevention, mitigation, and remediation steps that, together, form a course of action playbook. However, today, there is is no standardized way to document and share these playbooks across organizational boundaries and technology solutions.

CACAO addresses this problem by defining a sequence of cyber defense actions that can be executed for each type of playbook. It will specifically enable organizations to:

1. create course of action playbooks in a structured machine-readable format,
2. digitally sign course of action playbooks,
3. securely share course of action playbooks across organizational boundaries and technological solutions, and
4. document processing instructions for course of action playbooks in a machine readable format.

For more information, see the CACAO TC Charter.

SARIF TC members are developing an interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.

SARIF represents a leap forward in the usability of static analysis tools. Many organizations in the safety and security communities use several competing tools on their code. SARIF will allow them to combine and compare the results more easily to gain a sharper picture of the issues in their code that need to be addressed. Engineering teams will be able to easily access a broad range of potential defects and vulnerabilities in compliance with privacy and accessibility standards. SARIF will support the development of products whose code spans languages and operating systems.

For more information, see the SARIF TC Charter.

The Akoma Ntoso standard distinguishes between concepts regarding the description and identification of legal documents, their content, and the context in which they areused.  Names are used to associate the document representations to concepts so that documents can be “read/understood” by a machine, thus allowing sophisticated services that are impossible to attain with documents containing only typographical information, such as documents created in word-processing applications.To make documents machine-readable, every part with a relevant meaning and role must have a “name” (or “tag”) that machines can read. The content is marked up as precisely as possible according to the legal analysis of the text. This requires precisely identifying the boundaries of the different text segments, providing an element name that best describes the text in each situation, and also providing a correct identifier to each labelled fragment.

The Akoma Ntoso standard defines a number of referenceable concepts that are used in many situations in the lifecycle of legal documents. The purpose of this section is to provide: a standard referencing mechanism to these concepts through the use of IRI references associated to classes and instances of an ad hoc ontology (the Akoma Notoso Naming Convention). The referencing mechanism is meant to be generic and evolving with the evolution of the underlying ontology; a set of requirements for other naming conventions to be usable within Akoma Ntoso XML resources in a proper way.

The COEL Specification provides a clear and robust framework for implementing a distributed system capable of capturing data relating to an individual as discrete events. It facilitates a privacy-by-design approach for personalised digital services, IoT applications where devices are collecting information about identifiable individuals and the coding of behavioural attributes in identity solutions.The COEL Specification contains an extensive and detailed taxonomy of human behaviour. The taxonomy allows data from different systems to be encoded in a common format, preserving the meaning of the data across different applications.This ability to integrate universally at the data level, rather than just the technology level, is known as semantic harmonisation and provides full data portability. The communication protocols needed to support system interoperability across a wide range of implementations are also included.

This standard specifies conformance clauses in accordance with the OASIS TC Process ([TC-PROC] section 2.2.6 for the KMIP Specification [KMIP-SPEC] for a KMIPserver or KMIP client through profiles that define the use of KMIP objects, attributes, operations, message elements and authentication methods within specific contexts of KMIP server and client interaction.These profiles define a set of normative constraints for employing KMIP within a particular environment or context of use. They may, optionally, require the use of specific KMIP functionality or in other respects define the processing rules to be followed by profile actors.