Considerations for TLP Recipients Sharing Information with Their Cybersecurity Service Providers | |
---|---|
I received TLP:AMBER+STRICT information at my organisation. We outsource some of our cybersecurity services. Can I share this with the organisations providing me those services? | No. Do not share TLP:AMBER+STRICT with any outside organisations without permission from the originator. Permission may come from the originator in the form of a standing agreement, a request, or instructions that accompany the information. |
I received TLP:AMBER information at my organisation. We outsource some of our cybersecurity services. Can I share this with the organisations providing me those services? | No. Do not share TLP:AMBER with outside organisations that provide you cybersecurity services without permission from the originator. Permission may come from the originator in the form of a standing agreement, a request, or instructions that accompany the information. |
I received TLP:GREEN information restricted to a defined community at my organisation. We outsource some of our cybersecurity services. Can I share this with the organisations providing me those services? | It depends. You may share TLP:GREEN with organisations that provide you cybersecurity services if they are part of the defined community. You may not share TLP:GREEN with organisations that provide you cybersecurity services if they are not part of the defined community. |
I received TLP:GREEN information with no defined community at my organisation. We outsource some of our cybersecurity services. Can I share this with the organisations providing me those services? | Yes. You may share TLP:GREEN with organisations that provide you cybersecurity services. |
Topic 1: Considerations for the Originator | |
---|---|
Use Case 1A: I do not want to share my information with individuals or organizations from certain countries. Can I do this with TLP:AMBER? | Yes, by adding accompanying instructions. FIRST also recommends adding a rationale so that the recipient may request sharing a subset of information based on the reason for the restriction. Example: "TLP:AMBER - This information may not be shared outside of the European Union due to GDPR-covered content." |
Use Case 1B: I want my information to be used by the recipient’s cybersecurity service providers, including incident response support. Can I do this with TLP:AMBER? | Yes, by adding accompanying instructions. According to definitions of TLP:AMBER, this information should not be shared with cybersecurity service providers. However, you may authorize further sharing with instructions. FIRST recommends that you only allow sharing TLP:AMBER information to cybersecurity service providers as TLP:AMBER+STRICT. Sharing with the providers at TLP:AMBER runs the risk of the providers sharing with their other clients, who, in turn, may share with their other cybersecurity service providers, weakening the protection of TLP:AMBER each time. Additionally, consider that the cybersecurity service provider or incident response support may be from another country. Examples: "TLP:AMBER - This information may be shared as TLP:AMBER+STRICT with any organization providing you incident response support." "TLP:AMBER - This information may be shared as TLP:AMBER+STRICT with any domestic organization providing you ongoing cybersecurity services or incident response support." |
Use Case 1C: I want to share my information with a defined community. Can I do this with TLP:GREEN? | Yes, by defining the community. You may share at TLP:GREEN but should identify the defined community. Ensure recipients are aware of the sharing restrictions. Examples: "TLP:GREEN - This information may only be shared with healthcare sector cyber defense practitioners." "TLP:GREEN - This information may only be shared within the European Union." |
Use Case 1D: I want to share information with a national CSIRT but I want the information to only go to constituents who know how to handle TLP properly. Can I do this with TLP:AMBER? | Yes. Determine what “constituent” means to the national CSIRT (this may be in the CSIRT’s RFC 2350 Charter). Add restrictions if needed. Examples: "TLP:AMBER - This information may only be shared with constituents with whom you have a formal agreement." "TLP:AMBER - This information may only be shared with constituents who have been briefed on TLP." |