FIRST Standards Committee update (aka “the wheel reinvention prevention committee”)

At the January 2024 FIRST board meeting in Washington D.C. we approved the charter for the FIRST standards committee. Many thanks to all you hardworking (and patient!) committee members who have helped us define the charter over the past few months. This was a challenging process, but we’re happy to have achieved consensus, and now we’re picking up momentum.

What’s this all about?
The FIRST standards committee brings together folks from around the world, all experienced with technical standards development, able to bridge between the FIRST community and exterior standards bodies. The FIRST standards committee serves as a resource for the FIRST SIGs to help increase the quality, visibility, and uptake of FIRST standards.

This committee also provides a single point of contact for external standards bodies to be able to perform a reality check, to avoid the outcome that we as practitioners become liable for conforming to non-working, ineffective, conflicting, and/or outdated standards. Or as a shorthand, "the wheel reinvention prevention committee".

If you've been in the FIRST community a while, you will no doubt recognize some of these names: Carlos Alvarez (ICANN), Vinay Bansal (Cisco Systems), Vilius Benetis (NRD CIRT), Olin "Trey" Darley (Accenture), Brian DeWyngaert (CISA), Alexandre Dulaunoy (CIRCL), Jean-Robert Hountomey (Liaison), Aaron Kaplan (Liaison), Jason Keirstead (Liaison), Koichiro "Sparky" Komiyama (JPCERT/CC), Warren Kumari (Google), Peter Lowe (Liaison), Art Manion (Liaison), Tom Millar (CISA), Damir "Gaus" Rajnovic (Panasonic), Shawn Richardson (NVIDIA), Desirée Sacher-Boldewin (Liaison), Jonathan Spring (CISA), Thomas Schreck (Liaison), Laurie Tyzenhaus (CERT/CC), and Jeroen van der Ham-de Vos (Liaison).

Our committee co-chairs are Olin "Trey" Darley (Accenture), Brian DeWyngaert (CISA), Jason Keirstead (Liaison), Warren Kumari (Google), and Shawn Richardson (NVIDIA).

Our goals are to:

  1. Provide a single point of contact for FIRST SIGs seeking guidance in their standards-defining work.
  2. Provide a clearly defined path for FIRST standards to be formally recognized by external standards development organizations, and to help drive more effective adoption of FIRST's own cybersecurity standards.
  3. Define mechanisms and policies to provide a trusted contact point for handling potential vulnerabilities in FIRST standards.
  4. Establish (and strengthen existing) liaison relationships with external standards definition organizations to ensure that our collective real-world experience as cybersecurity professionals is reflected in key standards touching upon our work.
  5. Inform the FIRST community of emerging standardization efforts likely to impact upon our work, and to serve as a conduit for the FIRST community to provide feedback on draft standards being developed externally.

Why are standards important to our FIRST community?
When I did my private pilot license years ago, I learned that the design and arrangement of each instrument and control within an airplane cockpit reflects lessons learned from past accidents. Although most air accidents have a root cause of "human error", in the post-accident investigations, the findings are fed back into changes within the aircraft design so as to better accommodate the human operator, and to hopefully prevent that same failure mode from recurring in future. Effective standards in our profession play a similar role, in that reality-based standards are a way of "paying it forward" to prevent future damage.

Effective, interoperable, and ubiquitous standards are a key element in FIRST's mission, especially towards the pillar of "Global Language - Incident responders around the world speak the same language and understand each other's intents and methods." The systems that underpin our digital world are increasingly diffuse and cross-border in nature, hence we need effective standards to increase public safety by supporting cross-border incident response coordination. Effective, understandable, reality-based standards serve to increase professionalization within the field of cybersecurity.

How can I get involved?
If you are aware of cybersecurity standardization efforts taking place inside or outside the FIRST community, give the FIRST standards committee a heads-up so we can make sure we have that on our collective radar. If you have a good idea for a new standard which might fill a gap and prevent future harm, by all means let us help you set up a new FIRST SIG (or engage with an existing one, whatever makes more sense) to advance the state of professionalization within our industry. Together we can make the notion of "best practices" more real than just a marketing buzzword.

The first Tuesday of each month we have our FIRST standards committee calls, limited to the standards committee plus invited guests. The third Tuesday of each month we host our FIRST standards community calls, which are basically open to everyone who wants to join.

If you would like to join our FIRST Standards Community (which is quite open, much like a FIRST SIG), here's the link you need: Standards Discuss

If you would like to present on one of our upcoming FIRST standards community (or committee) calls, please reach out to <sc-chairs@first.org>. You can communicate with the FIRST standards committee directly by emailing standards-committee@first.org.

Published on FIRST POST: Jan-Mar 2024