On Nov. 1, CISA Upgrades to Traffic Light Protocol 2.0 — Join Us!

By Tom Millar, Cybersecurity Senior Advisor, CISA, and Co-chair of the Forum of Incident Response and Security Teams (FIRST) Traffic Light Protocol (TLP) Special Interest Group (SIG)

The Traffic Light Protocol (TLP) is the engine that powers cybersecurity information sharing all around the world, and its effectiveness comes from its simplicity. The Cybersecurity and Infrastructure Security Agency (CISA) and our partners use TLP to establish boundaries and build trust within the cybersecurity community. By quickly understanding each other’s expected sharing boundaries, we foster timely, actionable, and effective information sharing to mitigate and even prevent cyber incidents.

Like the physical traffic light we’re all familiar with, TLP uses red, amber, and green (it also uses white/clear; more on this below). When the originator designates their information with one of these four colors, they immediately signal to the recipient just how far they deem the information may go.

While TLP is not legally binding, this is actually one of its strengths: it can cross all different types of organizational structures and even national boundaries and still be understood by the team members who need to share with one another.

Community-wide adoption of TLP strengthens trust among partners—including federal, state, local, tribal, and territorial (SLTT), industry, and international—and gets vital information where it needs to go as efficiently as possible. This efficiency is made even more straightforward by the fact that TLP color designations work the same, whether they’re used in an email, report, or slide, or even spoken at a conference or meeting.

Now—after nearly two decades of increasing use by the incident coordination and response community—TLP is getting an upgrade. In August 2022, the Forum of Incident Response and Security Teams (FIRST)—the organization responsible for the protocol—published TLP 2.0, which changes TLP:WHITE to TLP:CLEAR, a move to improve both inclusivity and connotation (most English speakers understand the expression “‘cleared’ for publication”).

TLP 2.0 also turns a caveat many in the industry were already using into an official designation. TLP:AMBER+STRICT instructs the recipient that they must keep the information strictly within their organization. FIRST decided to supplement AMBER with AMBER+STRICT to facilitate ease of interpretation and to establish clearer boundaries for information sharing.

In addition to these two significant upgrades, TLP 2.0 brings new clarity to the definitions of each of the TLP designations and adjusts the color coding of TLP:RED to improve its visibility (see CISA's TLP 2.0 User Guide for details).

As a leader of secure and effective cybersecurity information sharing, CISA is moving with FIRST to adopt TLP 2.0 on November 1, 2022. With one exception, all CISA tools, processes, and products will upgrade to TLP 2.0. The sole exception is CISA’s Automated Indicator Sharing (AIS) capability, which, for technical reasons, will not upgrade until March 2023.

Visit CISA.gov/TLP for additional information on TLP, its history, and use cases.
