FIRST releases Policy for Standards Development

The Forum of Incident Response and Security Teams has published a formal policy to guide cyber security standardization within its standards groups.

15th August 2017 – The Forum of Incident Response and Security Teams (FIRST) today announced the publication of a policy to guide standards development efforts taking place within FIRST special interest groups (SIGs).

For over a decade, FIRST has contributed to standards development in cyber security, both with feedback to external standards bodies, and through its own standards development. Starting in 2005, FIRST took custodianship of the Common Vulnerability Scoring System (CVSS), a robust and powerful scoring system for IT vulnerabilities that allows organizations to prioritize them across their networks.

More recently, FIRST initiated Special Interest Groups (SIGs) of community members who contribute to the development of three major information sharing standards:

  • The Traffic Light Protocol (TLP), a set of designations used to ensure that sensitive information is shared with the appropriate audience;
  • The Information Exchange Policy (IEP), a framework for defining information exchange policy, and a set of common definitions for the most common policy aspects. It addresses information exchange challenges and promotes information exchange more broadly;
  • Passive DNS exchange, prescribing a common output format for Passive DNS servers.

The new policy will help provide guidance to FIRST SIG chairs and participants, as well as to the wider public, on the process to be followed for FIRST to formally publish a new standard. It covers topics such as how standards are agreed upon, how common terminology is maintained across standards, and how to deal with non-consensus proposals. It also implements a uniform approach to Intellectual Property Rights management, ensuring FIRST standards remain free for implementation and unencumbered by patent restrictions.

FIRST Board member Maarten Van Horenbeeck stated: “Historically, FIRST standards have been developed and released according to processes set out by the individual working groups. These efforts have been very successful. There was also general agreement that policies would be more widely accepted if a consultative process, both with members and the wider information security community, is agreed upon. This policy implements input from members and non-members over the last six months, and will help increase the trust outsiders can have in the process that was followed to publish the new standard. We’re excited about this release and thankful to our working group chairs, who provided input and lent the best of their own processes for this document to be developed”.

Thomas Schreck, Chair of FIRST, said: “Over the last year, FIRST working groups have published no less than two new standards which are seeing wide community acceptance. In addition, we’ve started collaborating more closely with other standards bodies. Standardization in cyber security is key to becoming more successful at defeating even the most complex attacks, and we believe this policy is a strong step in that direction for our community”.

The policy is available on the FIRST web site at
Harry Saunders
Four Communications
Tel: +44 (0)20 3697 4329
Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 360 corporations, government bodies, universities and other institutions across 78 countries in the Americas, Asia, Europe, Africa, and Oceania. It promotes cooperation among computer security incident response teams. For more information, visit: