Hi All,
I'd like to propose that we add an IEP Data Marking object to STIX 2.1 to allow object creators the option of marking their data using IEP v2.0. More information about the proposal is in the STIX2.1Proposal-InformationExchangePolicyMarkingType.pdf.
I've also included background information about the IEP Framework, and the IEP JSON Specification if you're interested. There two documents have been updated based on feedback from CTI members to better align IEP with STIX.
The FIRST Information Exchange Policy (IEP) Framework enables threat intelligence providers to inform recipients of how they may use the threat intelligence they receive. IEP ensures that both parties are aware of any restrictions on the use of the shared
threat intelligence, and reduces the likelihood of misunderstandings.
Think of it as TLP that also describes Handling, Action, Sharing and Licensing restrictions. In other words it answers "What am I allowed to do with this intel?"
The real power of IEP is in the ability for content producers to reference the same IEP policy. IEP allows communities to create and reference one or more shared IEP policies that members can choose from and reference. The FIRST IEP-SIG will be creating
and hosting some common IEP policies that anyone will be free to use, in the interest of making threat intelligence sharing easier.
Cheers
Terry MacDonald | Chief Product Officer