FIRST Standards Policy

Also available as PDF(374KB)

Based on requests by the membership, FIRST may initiate development of a standard. A standard is defined as a document that is intended to ensure interoperability of a technique or tool, and is planned to see adoption and implementation by various parties. FIRST may also develop other descriptive, rather than normative, documents such as best practices, which are not required to follow the standards process.

Both FIRST members and non-members may propose the inception of a standard. A Special Interest Group (SIG) will typically shepherd the standard.

The FIRST board will evaluate proposals for a new standard based on:

This document describes minimum governance requirements for FIRST SIGs that aim to develop standards. SIGs may define more restrictive rules, but in any case where a SIG rule conflicts with a FIRST governance requirements, that exception must be specifically approved by the FIRST Board to be valid.

1. Governance

2. Participation and membership obligations

3. Announcement of new standard development

FIRST will announce the intention to create a new standard publicly:

FIRST will also endeavor to identify and inform critical partners involved in the industry targeted by the standard through a direct e-mail message. As FIRST will never be aware of all possible constituents, any participant in the standard or FIRST member may request the FIRST secretariat to notify a particular constituency or can forward the notification themselves.

4. Public comment phase

Once the group has iterated through working drafts (WD), and is ready to release a public draft (PD):

5. Publication of the standard

Once the SIG has addressed external comments, they will update the standard if necessary and present it to the FIRST Board for final publication.

6. Development speed

Appendix A: Standards definition flow diagram

Standards definition flow diagram

Appendix B: Required information to propose chartering a standard

The following minimum information is due to the FIRST secretariat to propose the development of a standard. The typical process would be for a group to be proposed on the topic, and this SIG to contain the standard as a work item.

When an existing group plans to develop a new standard, only the items marked with a * items are due. A Planning Checklist will be made available:

Appendix C: Minimum information required for a vote

This list contains all information that is expected to be provided by the standard chairs when a vote on a milestone is to be made. Depending on the group’s proposed governance model, a milestone could be accepting a specific technical contribution, or the finalization of a document for publication.

Appendix D: Example definition of constituency

While not a requirement, SIGs may choose to define their constituency up front, and maintain a balanced constituency throughout the development of the standard. An example is the below constituency used by the CVSS Standards SIG. This is an example only, and standards groups may be more open, or more flexible:

  • Banking
  • Health Care
  • Government
  • Academic
  • Manufacturing and Retail
  • Technology / Hardware
  • Technology / Software
  • Technology / Networking
  • Telecommunications
  • CIRTs
  • Energy
  • Transportation

Each organization requesting voting rights is categorized as being in one of the following constituencies, based on its primary business or purpose. Requests are only accepted if the organization’s constituency will represent 25% or less of the total organizations with voting rights if the organization is added. When a constituency is full, new Participants wishing to become Voting Participants must wait until other constituencies grow, allowing for additional room, or an existing constituency member loses or relinquishes their voting rights.

Appendix E: Intellectual Property Rights agreement

In order for FIRST to be successful in developing content which can be used by our community in an unfettered way, we must protect the intellectual property rights on our deliverables. This means that our output must not contain information over which third parties may hold a license, and deliverables we develop should be owned by FIRST. The FIRST Uniform IPR policy ensures an organization does not have the ability to introduce patented content without notification by ensuring organizations are asked to declare any patented content they are introducing. The FIRST Intellectual Property Rights (IPR) agreement can be found at A single IPR must be signed per SIG that an organization participates in.

Appendix F: Providing comments

Comments must be as precise as possible. A comment must contain the following elements:

  1. To what document comments pertain to – this must include the name and the exact version of a document, e.g. “CVSS WD2”, “TLP v1.1, WD3”.
  2. Comment ID – the ID consists of submitter’s initials or a designator (a person or an organization) and the comment number.
  3. Reference – to what portion of the document the comment refers to. The reference must be unambiguous and given in a hierarchical manner. Examples of a good referee is “Section 2, bullet 1, second paragraph”. Using page number (e.g. “page 3, fourth paragraph, line 3”) is permitted but discouraged as page numbers will change as the text is added or removed.
  4. Comment type – the comment can be technical or editorial. Technical comments pertain to the matter while editorial to the writing style, syntax, grammar and anything else (e.g. moving paragraph).
  5. Current text – reference to the content on which the comment refers. For example “a software must use” or “second sentence”.
  6. Comment – proposed action. This must be as precise as possible. For example: “delete sentence”, “replace the text with ‘the new exact wording’”, “move paragraph to section 4, bullet 3”

All comments from a single person or an organization must be submitted in a single file. The file with comments can be submitted only once. Comments must have consecutive numbers.

The editor must resolve all comments that are submitted on time. The editor can use discretion to address late comments and/or accept new comments during the discussion. Possible resolutions are: “Accepted”, “Accepted in principle”, “Not accepted”. Their meanings are as follows:

Once a comment is resolved participants do have right to raise it again (e.g. re-submit a comment that was not accepted) but it is up to editor’s discretion to choose not to address it.

A file with all comments and their resolution must be distributed to the whole SIG as a reference as soon as the process is finished.