OASIS Cyber Threat Intelligence (CTI) TC

All,
 
As we discussed during the TC call this week, the recent decision by the TC to adopt a set of criteria for including new features in releases means that just because we have specification text for something
does NOT mean it is going into the release – the feature must meet all of the criteria required to be “Done”.  As described in the

proposal that the TC approved, a feature is only considered “Done” when it:

has at least 2 independent organizations using at least 2 separate code bases running at least POC code with real or semi-real data that can interoperate,
AND has all normative specification text complete, AND is covered by one or more interoperability tests and at least the 2 POC implementations pass those tests.
 
A new feature has 185 days (6 months) post-CSD ballot approval to show that it is done; if it does not meet the definition of done it will be removed from the next CSD.
 
Therefore, we are asking TC members to step up and offer to be “sponsors” of a feature. Sponsors are members that are interested in seeing a feature added and who are willing to help ensure that the feature
meets all of the criteria for “Done”.  Please note that a feature can (and should have) multiple sponsors – the more the merrier. And it is important to note that just because you offer to sponsor a feature, it doesn’t mean that you have to do
all of the work – you can (and should) collaborate with other TC members interested in that feature to ensure that all the requirements are met. But ultimately each feature needs at least two sponsors that will develop and test the proof of concept implementation
of the feature.
 




Feature


Sponsors




Confidence


 




Opinion


MITRE




Note


 




Internationalization


Fujitsu, New Context (Tentative)




Malware


Symantec (Tentative), DC3 (Tentative)




Location


 




 
Please take a look at the list of features above and consider which feature(s) your organization is willing to sponsor. If you are currently listed as a Tentative sponsor, please confirm if your organization
is actually willing to commit to sponsor that feature.
 
Remember – if a feature does not meet the definition of “Done” within 185 days of CSD approval,
that feature will be removed from the next CSD.  So, if your organization is counting on a particular feature, I urge you to sign up as a sponsor for it.

 
Please let me know if you have any questions.
 
Thanks,
Rich
 
Richard J. Struse
 
Chair, OASIS Cyber Threat Intelligence Technical Committee
Chief Strategist for Cyber Threat Intelligence
The MITRE Corporation
+1-703-983-7049 (office)

+1-703-342-8368 (mobile)

It is extremely likely we will take confidence
- however I need to confirm we will have the implementation in place. You
can put us down for now. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security "Things may come to those who wait, but only the things left by those
who hustle." - Unknown From:      
  "Struse, Richard
J." <rjs@mitre.org> To:      
  "cti@lists.oasis-open.org"
<cti@lists.oasis-open.org> Date:      
  05/18/2018 02:05 PM Subject:    
    [cti] Sponsors
needed for STIX 2.1 CSD01 features Sent by:    
    <cti@lists.oasis-open.org> All,   As we discussed during the TC call this
week, the recent decision by the TC to adopt a set of criteria for including
new features in releases means that just because we have specification
text for something does NOT mean it is going into the release – the feature
must meet all of the criteria required to be “Done”.  As
described in the proposal that the TC approved, a feature is only considered “Done” when it: has at least 2 independent organizations
using at least 2 separate code bases running at least POC code with real
or semi-real data that can interoperate, AND has all normative specification text complete,
AND is covered by one or more interoperability
tests and at least the 2 POC implementations pass those tests.   A new feature has 185 days (6 months) post-CSD
ballot approval to show that it is done; if it does not meet the definition
of done it will be removed from the next CSD.   Therefore, we are asking TC members to
step up and offer to be “sponsors” of a feature. Sponsors are members
that are interested in seeing a feature added and who are willing to help
ensure that the feature meets all of the criteria for “Done”.  Please
note that a feature can (and should have) multiple sponsors – the more
the merrier. And it is important to note that just because you offer to
sponsor a feature, it doesn’t mean that you have to do all of the
work – you can (and should) collaborate with other TC members interested
in that feature to ensure that all the requirements are met. But ultimately
each feature needs at least two sponsors that will develop and test the
proof of concept implementation of the feature.   Feature Sponsors Confidence   Opinion MITRE Note   Internationalization Fujitsu,
New Context (Tentative) Malware Symantec
(Tentative), DC3 (Tentative) Location     Please take a look at the list of features
above and consider which feature(s) your organization is willing to sponsor.
If you are currently listed as a Tentative sponsor, please confirm if your
organization is actually willing to commit to sponsor that feature.   Remember – if a feature does
not meet the definition of “Done” within 185 days of CSD approval, that
feature will be removed from the next CSD.  So, if your organization
is counting on a particular feature, I urge you to sign up as a sponsor
for it.   Please let me know if you have any questions.   Thanks, Rich   Richard J. Struse   Chair, OASIS Cyber Threat Intelligence
Technical Committee Chief Strategist for Cyber Threat Intelligence The MITRE Corporation +1-703-983-7049 (office) +1-703-342-8368 (mobile)

John Wunder/Sarah Kelley: Can you tell me why the Infrastructure draft object did not make the list? This is a data object that is important to several key members of the CTI TC. Jane On 5/18/2018 9:21 AM, Jason Keirstead wrote: It is extremely likely we will take confidence - however I need to confirm we will have the implementation in place. You can put us down for now. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security Things may come to those who wait, but only the things left by those who hustle. - Unknown From:         Struse, Richard J. <rjs@mitre.org> To:         cti@lists.oasis-open.org <cti@lists.oasis-open.org> Date:         05/18/2018 02:05 PM Subject:         [cti] Sponsors needed for STIX 2.1 CSD01 features Sent by:         <cti@lists.oasis-open.org> All,   As we discussed during the TC call this week, the recent decision by the TC to adopt a set of criteria for including new features in releases means that just because we have specification text for something does NOT mean it is going into the release – the feature must meet all of the criteria required to be “Done”.  As described in the proposal that the TC approved, a feature is only considered “Done” when it: has at least 2 independent organizations using at least 2 separate code bases running at least POC code with real or semi-real data that can interoperate, AND has all normative specification text complete, AND is covered by one or more interoperability tests and at least the 2 POC implementations pass those tests.   A new feature has 185 days (6 months) post-CSD ballot approval to show that it is done; if it does not meet the definition of done it will be removed from the next CSD.   Therefore, we are asking TC members to step up and offer to be “sponsors” of a feature. Sponsors are members that are interested in seeing a feature added and who are willing to help ensure that the feature meets all of the criteria for “Done”.  Please note that a feature can (and should have) multiple sponsors – the more the merrier. And it is important to note that just because you offer to sponsor a feature, it doesn’t mean that you have to do all of the work – you can (and should) collaborate with other TC members interested in that feature to ensure that all the requirements are met. But ultimately each feature needs at least two sponsors that will develop and test the proof of concept implementation of the feature.   Feature Sponsors Confidence   Opinion MITRE Note   Internationalization Fujitsu, New Context (Tentative) Malware Symantec (Tentative), DC3 (Tentative) Location     Please take a look at the list of features above and consider which feature(s) your organization is willing to sponsor. If you are currently listed as a Tentative sponsor, please confirm if your organization is actually willing to commit to sponsor that feature.   Remember – if a feature does not meet the definition of “Done” within 185 days of CSD approval, that feature will be removed from the next CSD.  So, if your organization is counting on a particular feature, I urge you to sign up as a sponsor for it.   Please let me know if you have any questions.   Thanks, Rich   Richard J. Struse   Chair, OASIS Cyber Threat Intelligence Technical Committee Chief Strategist for Cyber Threat Intelligence The MITRE Corporation +1-703-983-7049 (office) +1-703-342-8368 (mobile) -- ***************************** Jane Ginn, MSIA, MRP Secretary, OASIS CTI TC jg@ctin.us 001 (928) 399-0509 *****************************

Jane, all, This call for sponsors includes only the features that, per the path forward ballot, are included in CSD01. As we work towards CSD02 and future drafts we’ll do additional calls for sponsors for those features, including infrastructure. Sorry for the confusion. Ballot results:  https://www.oasis-open.org/committees/ballot.php?id=3191 John From: JG < jg@ctin.us > Date: Monday, May 21, 2018, 10:15 PM To: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Sponsors needed for STIX 2.1 CSD01 features John Wunder/Sarah Kelley: Can you tell me why the Infrastructure draft object did not make the list? This is a data object that is important to several key members of the CTI TC. Jane On 5/18/2018 9:21 AM, Jason Keirstead wrote: It is extremely likely we will take confidence - however I need to confirm we will have the implementation in place. You can put us down for now. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security "Things may come to those who wait, but only the things left by those who hustle." - Unknown From:         "Struse, Richard J." <rjs@mitre.org> To:         "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date:         05/18/2018 02:05 PM Subject:         [cti] Sponsors needed for STIX 2.1 CSD01 features Sent by:         <cti@lists.oasis-open.org> All,   As we discussed during the TC call this week, the recent decision by the TC to adopt a set of criteria for including new features in releases means that just because we have specification text for something does NOT mean it is going into the release – the feature must meet all of the criteria required to be “Done”.  As described in the proposal that the TC approved, a feature is only considered “Done” when it: has at least 2 independent organizations using at least 2 separate code bases running at least POC code with real or semi-real data that can interoperate, AND has all normative specification text complete, AND is covered by one or more interoperability tests and at least the 2 POC implementations pass those tests.   A new feature has 185 days (6 months) post-CSD ballot approval to show that it is done; if it does not meet the definition of done it will be removed from the next CSD.   Therefore, we are asking TC members to step up and offer to be “sponsors” of a feature. Sponsors are members that are interested in seeing a feature added and who are willing to help ensure that the feature meets all of the criteria for “Done”.  Please note that a feature can (and should have) multiple sponsors – the more the merrier. And it is important to note that just because you offer to sponsor a feature, it doesn’t mean that you have to do all of the work – you can (and should) collaborate with other TC members interested in that feature to ensure that all the requirements are met. But ultimately each feature needs at least two sponsors that will develop and test the proof of concept implementation of the feature.   Feature Sponsors Confidence   Opinion MITRE Note   Internationalization Fujitsu, New Context (Tentative) Malware Symantec (Tentative), DC3 (Tentative) Location     Please take a look at the list of features above and consider which feature(s) your organization is willing to sponsor. If you are currently listed as a Tentative sponsor, please confirm if your organization is actually willing to commit to sponsor that feature.   Remember – if a feature does not meet the definition of “Done” within 185 days of CSD approval, that feature will be removed from the next CSD.  So, if your organization is counting on a particular feature, I urge you to sign up as a sponsor for it.   Please let me know if you have any questions.   Thanks, Rich   Richard J. Struse   Chair, OASIS Cyber Threat Intelligence Technical Committee Chief Strategist for Cyber Threat Intelligence The MITRE Corporation +1-703-983-7049 (office) +1-703-342-8368 (mobile) -- ***************************** Jane Ginn, MSIA, MRP Secretary, OASIS CTI TC jg@ctin.us 001 (928) 399-0509 *****************************

Have we decided on the process by which
someone can submit an extension for inclusion in a future CSD ( CSD 02
or later ) ? How does one go about this. Thanks... - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security "Things may come to those who wait, but only the things left by those
who hustle." - Unknown From:      
  "Wunder, John
A." <jwunder@mitre.org> To:      
  JG <jg@ctin.us>,
"cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date:      
  05/22/2018 12:10 AM Subject:    
    RE: [cti] Sponsors
needed for STIX 2.1 CSD01 features Sent by:    
    <cti@lists.oasis-open.org> Jane, all, This call for sponsors includes only the features that,
per the path forward ballot, are included in CSD01. As we work towards
CSD02 and future drafts we’ll do additional calls for sponsors for those
features, including infrastructure. Sorry for the confusion. Ballot results: https://www.oasis-open.org/committees/ballot.php?id=3191 John From: JG < jg@ctin.us > Date: Monday, May 21, 2018, 10:15 PM To: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Sponsors needed for STIX 2.1
CSD01 features John Wunder/Sarah Kelley: Can you tell me why the Infrastructure draft object did
not make the list? This is a data object that is important to several key
members of the CTI TC. Jane On 5/18/2018 9:21 AM, Jason Keirstead wrote: It is extremely likely we will take
confidence - however I need to confirm we will have the implementation
in place. You can put us down for now. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security "Things may come to those who wait, but only the things left by those
who hustle." - Unknown From:         "Struse,
Richard J." <rjs@mitre.org> To:         "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date:         05/18/2018
02:05 PM Subject:         [cti]
Sponsors needed for STIX 2.1 CSD01 features Sent by:         <cti@lists.oasis-open.org> All, As we discussed during the TC call this week, the recent decision by the
TC to adopt a set of criteria for including new features in releases means
that just because we have specification text for something does NOT mean
it is going into the release – the feature must meet all of the
criteria required to be “Done”.  As described in the proposal that
the TC approved, a feature is only considered “Done” when it: has at least 2 independent organizations
using at least 2 separate code bases running at least POC code with real
or semi-real data that can interoperate, AND has all normative specification text complete,
AND is covered by one or more interoperability
tests and at least the 2 POC implementations pass those tests.   A new feature has 185 days (6 months) post-CSD ballot approval to show
that it is done; if it does not meet the definition of done it will be
removed from the next CSD. Therefore, we are asking TC members to step up and offer to be “sponsors”
of a feature. Sponsors are members that are interested in seeing a feature
added and who are willing to help ensure that the feature meets all of
the criteria for “Done”.  Please note that a feature can (and should
have) multiple sponsors – the more the merrier. And it is important to
note that just because you offer to sponsor a feature, it doesn’t mean
that you have to do all of the work – you can (and should) collaborate
with other TC members interested in that feature to ensure that all the
requirements are met. But ultimately each feature needs at least two sponsors
that will develop and test the proof of concept implementation of the feature.   Feature Sponsors Confidence   Opinion MITRE Note   Internationalization Fujitsu,
New Context (Tentative) Malware Symantec
(Tentative), DC3 (Tentative) Location   Please take a look at the list of features above and consider which feature(s)
your organization is willing to sponsor. If you are currently listed as
a Tentative sponsor, please confirm if your organization is actually willing
to commit to sponsor that feature. Remember – if a feature does not meet the definition of “Done” within
185 days of CSD approval, that feature will be removed from the
next CSD.  So, if your organization is counting on a particular feature,
I urge you to sign up as a sponsor for it. Please let me know if you have any questions. Thanks, Rich Richard J. Struse Chair, OASIS Cyber Threat Intelligence Technical Committee Chief Strategist for Cyber Threat Intelligence The MITRE Corporation +1-703-983-7049 (office) +1-703-342-8368 (mobile) -- ***************************** Jane Ginn, MSIA, MRP Secretary, OASIS CTI TC jg@ctin.us 001 (928) 399-0509 *****************************

Hi TC,
 
DHS will sponsor the following:
·         
Confidence
·         
Note
·         
Location
 
 
Marlon Taylor
Program Management Branch
National Cybersecurity & Communications Integration Center (NCCIC)
U.S. Department of Homeland Security
 


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
On Behalf Of Struse, Richard J.
Sent: Friday, May 18, 2018 1:06 PM
To: cti@lists.oasis-open.org
Subject: [cti] Sponsors needed for STIX 2.1 CSD01 features
Importance: High


 
All,
 
As we discussed during the TC call this week, the recent decision by the TC to adopt a set of criteria for including new features in releases means that just because we have specification text for something
does NOT mean it is going into the release – the feature must meet all of the criteria required to be “Done”.  As described in the

proposal that the TC approved, a feature is only considered “Done” when it:

has at least 2 independent organizations using at least 2 separate code bases running at least POC code with real or semi-real data that can interoperate, AND has all normative specification text complete, AND is covered by one or more interoperability tests and at least the 2 POC implementations pass those tests.
 
A new feature has 185 days (6 months) post-CSD ballot approval to show that it is done; if it does not meet the definition of done it will be removed from the next CSD.
 
Therefore, we are asking TC members to step up and offer to be “sponsors” of a feature. Sponsors are members that are interested in seeing a feature added and who are willing to help ensure that the feature
meets all of the criteria for “Done”.  Please note that a feature can (and should have) multiple sponsors – the more the merrier. And it is important to note that just because you offer to sponsor a feature, it doesn’t mean that you have to do
all of the work – you can (and should) collaborate with other TC members interested in that feature to ensure that all the requirements are met. But ultimately each feature needs at least two sponsors that will develop and test the proof of concept implementation
of the feature.
 




Feature


Sponsors




Confidence


 




Opinion


MITRE




Note


 




Internationalization


Fujitsu, New Context (Tentative)




Malware


Symantec (Tentative), DC3 (Tentative)




Location


 




 
Please take a look at the list of features above and consider which feature(s) your organization is willing to sponsor. If you are currently listed as a Tentative sponsor, please confirm if your organization
is actually willing to commit to sponsor that feature.
 
Remember – if a feature does not meet the definition of “Done” within 185 days of CSD approval,
that feature will be removed from the next CSD.  So, if your organization is counting on a particular feature, I urge you to sign up as a sponsor for it.

 
Please let me know if you have any questions.
 
Thanks,
Rich
 
Richard J. Struse
 
Chair, OASIS Cyber Threat Intelligence Technical Committee
Chief Strategist for Cyber Threat Intelligence
The MITRE Corporation
+1-703-983-7049 (office)

+1-703-342-8368 (mobile)

Thanks for offering to sponsor those items, Marlon (and DHS)! I have updated the google doc coversheet to reflect this.

 
Thanks,

Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org


 



From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
On Behalf Of Taylor, Marlon
Sent: Tuesday, May 29, 2018 12:55 PM
To: Struse, Richard J. <rjs@mitre.org>; cti@lists.oasis-open.org
Subject: [cti] RE: Sponsors needed for STIX 2.1 CSD01 features


 
Hi TC,
 
DHS will sponsor the following:


Confidence
Note
Location
 
 
Marlon Taylor
Program Management Branch
National Cybersecurity & Communications Integration Center (NCCIC)
U.S. Department of Homeland Security
 


From:
cti@lists.oasis-open.org < cti@lists.oasis-open.org >
On Behalf Of Struse, Richard J.
Sent: Friday, May 18, 2018 1:06 PM
To: cti@lists.oasis-open.org
Subject: [cti] Sponsors needed for STIX 2.1 CSD01 features
Importance: High


 
All,
 
As we discussed during the TC call this week, the recent decision by the TC to adopt a set of criteria for including new features in releases means that just because we have specification text for something
does NOT mean it is going into the release – the feature must meet all of the criteria required to be “Done”.  As described in the

proposal that the TC approved, a feature is only considered “Done” when it:

has at least 2 independent organizations using at least 2 separate code bases running at least POC code with real or semi-real data that can interoperate, AND has all normative specification text complete, AND is covered by one or more interoperability tests and at least the 2 POC implementations pass those tests.
 
A new feature has 185 days (6 months) post-CSD ballot approval to show that it is done; if it does not meet the definition of done it will be removed from the next CSD.
 
Therefore, we are asking TC members to step up and offer to be “sponsors” of a feature. Sponsors are members that are interested in seeing a feature added and who are willing to help ensure that the feature
meets all of the criteria for “Done”.  Please note that a feature can (and should have) multiple sponsors – the more the merrier. And it is important to note that just because you offer to sponsor a feature, it doesn’t mean that you have to do
all of the work – you can (and should) collaborate with other TC members interested in that feature to ensure that all the requirements are met. But ultimately each feature needs at least two sponsors that will develop and test the proof of concept implementation
of the feature.
 




Feature


Sponsors




Confidence


 




Opinion


MITRE




Note


 




Internationalization


Fujitsu, New Context (Tentative)




Malware


Symantec (Tentative), DC3 (Tentative)




Location


 




 
Please take a look at the list of features above and consider which feature(s) your organization is willing to sponsor. If you are currently listed as a Tentative sponsor, please confirm if your organization
is actually willing to commit to sponsor that feature.
 
Remember – if a feature does not meet the definition of “Done” within 185 days of CSD approval,
that feature will be removed from the next CSD.  So, if your organization is counting on a particular feature, I urge you to sign up as a sponsor for it.

 
Please let me know if you have any questions.
 
Thanks,
Rich
 
Richard J. Struse
 
Chair, OASIS Cyber Threat Intelligence Technical Committee
Chief Strategist for Cyber Threat Intelligence
The MITRE Corporation
+1-703-983-7049 (office)

+1-703-342-8368 (mobile)