Section 1: TC Charter
1.a. TC Name
Open Exposure Management Framework (OEMF) TC
1.b. Statement of Purpose
The purpose of the Open Exposure Management Framework (OEMF) is to establish an unbiased, community framework to unite and direct the efforts in preventing, assessing, and resolving exposures in organizational technology.
The need for this framework emerged from a desire of cybersecurity professionals to have a thoughtful, purpose-driven set of parameters for managing exposure. Some of the motivating forces behind creating the OEMF are:
- An aspiration to accommodate security domains such as Vulnerability Management and Cloud Security in a more detailed way than existing cybersecurity frameworks currently do.
- An opportunity to standardize and structure how technology exposures are defined, discovered, prioritized, and acted upon.
- A drive to include and focus on critically important upstream activities that prevent technology exposures.
- A desire to outline tactical guidance around the processes and technologies that intersect Exposure Management.
- A present need for an independent, industry-accepted scale for measuring Exposure Management maturity.
- A present need to define best practices and terminology related to Exposure Management in a manner that is agnostic of specific vendor technologies.
Major Goals (see Section 5 for more detailed explanations and timelines):
- Propose a functional exposure management lifecycle.
- Offer practitioners a common set of capability requirements per lifecycle stage.
- Map capability requirements to prominent frameworks such as NIST, CIS, Gartner, etc.
- Offer the Cybersecurity industry an acceptable maturity scale for Exposure Management.
- Provide implementation parameters to achieve each maturity milestone.
- Address data inconsistencies between disparate exposure data sources.
- Map technology capabilities to the OEMF functional lifecycle.
1.c. Business Benefits
The primary business benefit of the OEMF is to provide organizations (both private and public) with a structured methodology to better avoid and correct the exploitability of their technology footprints. By following the methodology outlined in the OEMF, organizations would benefit through:
- More effectively avoiding the creation of exploitable technology configurations at scale.
- Becoming more efficient in discovering, prioritizing, and resolving technology exposures.
- Maximizing limited technology and human resources on the Exposure Management activities that most significantly reduce organizational susceptibility.
- Making better use of exposure data organizations may already have today.
- Being enabled to make more educated and effective decisions in technology investments and personnel allocation related to Exposure Management programs.
1.d. Scope
The primary scope is to enable the Cybersecurity community with a series of best practices around Exposure Management. Following that, the project intends to provide a methodology for Cybersecurity professionals or partners to perform self-assessments of Exposure Management maturity, much like OWASP has done with the Software Assurance Maturity Model. Additionally, the project seeks to develop reference material that Cybersecurity professionals can leverage to tactically drive Exposure Management maturity within their respective organizations.
As such, the main scope of the OEMF is to provide framework documentation and supplemental educational materials such as videos, presentations, images, and templates regarding Exposure Management.
The OEMF will not produce any software products or engage in any direct commerce with outside entities. The project assumes that the best practices put forth by the OEMF will organically drive an evolution in technology and human capabilities by those who consume the OEMF's materials.
1.e. Deliverables
Below are the major milestones/deliverables the OEMF is working towards, with target dates for each.
- Publish the first edition of the Open Exposure Management lifecycle. This lifecycle defines what best practice entails for preventing, assessing, and resolving technology exposure. (estimated December 2025)
- Publish a set of capability requirements (both process and technology capabilities) for each OEMF lifecycle stage. (estimated February 2026)
- Map the defined capability requirements to controls in prominent Cybersecurity frameworks including NIST CSF, CIS Critical Security Controls, and Gartner CTEM. (estimated February 2026)
- Publish an OEMF maturity scale that Cybersecurity professionals can use to self-assess organizational Exposure Management maturity. (estimated May 2026)
- Provide implementation requirements to achieve each maturity milestone for each OEMF lifecycle stage. Once this is complete, stakeholders will be able to not only understand their maturity but to synthesize their own improvement plans. (estimated June 2026)
- Publish a guide to mapping data inconsistencies between Exposure Management data sources, specifically targeting issues with disparate severity scales across different data sources. (estimated November 2026)
1.f. IPR Mode
Non-Assertion Mode
1.g. Audience
The primary stakeholders of the OEMF are Cybersecurity personnel, most notably personas such as Chief Information Security Officers (CISOs), Directors of Security, as well as managers and leads responsible for Vulnerability Management, Application Security, Cloud Security, and Identity Security. Secondary stakeholders would include executive leadership, Risk & Compliance personnel, and even customers/partners of an organization, since a more effective means of reducing technology exposure, and of reporting on outstanding exposure, benefits these secondary stakeholders greatly. Exposure Management is a domain of Cybersecurity that has a fairly consistent relevance across all industries. However, larger enterprises and public entities, as well as organizations that design their own infrastructure and applications, would benefit even further from the OEMF, as those organizations have deeper, more complex Exposure Management considerations and would have more need for the secure design elements of the framework.
1.h. Language
The primary language of the OEMF TC is English.
Section 2: Additional Information
2.a. Identification of Similar Work
The OEMF seeks to be a supplemental framework that integrates with existing Cybersecurity frameworks and models to achieve two critical outcomes:
- A unification and detailed direction of "find and fix" security domains such as Vulnerability Management, Application Security, Cloud Security, Software as a Service Security, and Identity Security.
- A bridging of best practices in secure design and Cybersecurity to give a consistent approach to preventing exposure in addition to assessing and resolving exposures that occur.
The OEMF mainly intends to augment and link to existing frameworks and models. For secure design lifecycle phases, mapping will be provided to the tenets of the latest version of OWASP SAMM. For Cybersecurity lifecycle phases, an initial mapping will be provided for the latest version of the NIST CSF, CIS Critical Security Controls, and Gartner's Continuous Threat Exposure Management framework. These mappings will be a guide that details how each lifecycle stage relates to a lifecycle stage in an existing framework, and which control domain each prescribed capability supports in those frameworks.
The intended outcome is that organizations can still use these prominent frameworks to direct their overall Cybersecurity and Operations programs, but when trying to assess and drive maturity in Exposure Management domains, organizations can "drill in" utilizing the OEMF. The output of an OEMF maturity evaluation can be used to easily update maturity against these existing frameworks due to the mappings provided by the project.
2.b. First TC Meeting
The first OEMF TC meeting is expected to take place on/around October 30, 2025 via Zoom.
2.c. Ongoing Meeting Schedule
Virtual meetings are expected to be held weekly through completion of the first deliverable, then likely transition to semi-monthly.
2.d. TC Proposers
Chris Peltz, Guidepoint Security
Bill Olson, Tenable
Steve Carter, Nucleus
Nathan Paquin, Guidepoint Security
Christopher Brown, Guidepoint Security
Gavin Millard, Tenable
2.e. Primary Representatives' Support
I, Chris Peltz, as OASIS primary representative for Guidepoint Security, confirm our support for the OEMF TC and our participants listed above.
I, Bill Olson, as OASIS primary representative for Tenable, confirm our support for the OEMF TC and our participants listed above.
2.f. TC Convener
Chris Peltz, GuidePoint Security, chris.peltz@guidepointsecurity.com
2.g. Anticipated Contributions
The OEMF project is at its inception; there are no preexisting repositories or open source projects to donate.
2.h. FAQ Document
N/A
2.i. Work Product Titles and Acronyms
N/A