FIRST: Standard Development for Incident Response Teams


FIRST: Standard Development for Incident Response Teams

Portal Team 's picture

Posted By: 

Portal Team


Forum of Incident Response and Security Teams (FIRST)


FIRST members, Organization of American States (OAS), International Telecommunication Union (ITU), OASIS

Target countries / regions:


Target group(s):

(National) Incident Response Teams; CSIRT; PSIRT; SIRR

Thematic focus:

Incident Response

Aims / objectives:

supports the development of standards and maintains four different cybersecurity standards: Throughout the year, groups worked on:


  • The Common Vulnerability Scoring System (CVSS): develops and maintains the CVSS standard, a robust and useful scoring system for IT vulnerabilities that allows organisations to prioritise them across their networks. CVSSv3 has also been published as an ITU recommendations in X.1521:2016. In the first half of 2017, FIRST released an interactive training “Mastering CVSSv3” through our learning platform
  • The Traffic Light Protocol (TLP), a set of designations used to ensure a common expectations in audience for (non-automated) interactive sharing of sensitive information between entities. The initial version of this standard, building on the original TLP, was released in September of 2016.
  • The Information Exchange Policy (IEP), a framework for defining information exchange policy, and set of common definitions for the most common sharing restrictions. It addresses information exchange challenges and promotes information exchange more broadly, primarily for machine automated communications. The first version of the standard was released in September of 2016.
  • Passive DNS exchange: a common output format for Passive DNS servers. Released in 2015, this standard is made available as part of an IETF RFC, and is seeing continued development within the FIRST community.

Outcome / impact:

  • FIRST continues to be represented as a sector member in the ITU as a standards body.
  • FIRST signed a Memorandum of Understanding with standards organisation OASIS to permit closer cooperation on threat intelligence specifications such as STIX and TAXII.



Contact details:

FIRST, via the FIRST secretariat at  or Maarten Van Horenbeeck, Director, Forum of Incident Response and Security Teams (FIRST),

For more information:

The GFCE inventory is being continuously updated, and the information it contains is either publicly available, or consent for publication was given by the owner. Please contact the portal manager with any additional information or corrections. Whilst every reasonable effort is made to keep the content of this inventory accurate and up to date, no warranty or representation of any kind, express or implied, is made in relation to the accuracy, completeness or adequacy of the information contained in these pages.