James - I draw your attention to early work we did with STIXPreferred program that had different levels of certification on whether an entity requesting certification was getting STIX certified and/or STIX+TAXII certified.
There is no requirement for someone that is compliant with the STIX specification to implement TAXII. Whereas, there is an expectation/requirement that someone that is compliant with TAXII is also compliant with STIX.
Despite the STIXPreferred program not getting fully launched there is still a lot of thought and work that went into interoperability and compliance in the marketplace that is still very valid.
Regards
Allan