[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-users] STIX 2.0 expected CS approval date
Dear Richard, You are correct that STIX 2.0 is currently in a public review phase and still has some time before it achieves final approval as a CS. Given the approval process and potential need for additional comment periods, we expect that the CS should be approved no later than June. This is expected to be shorter than the STIX 1.2.1 approval timeline because STIX 2.0 as a specification has been under development for longer, has had more internal TC review, and is somewhat smaller. It does include time for the initial public review to end (April 6), a (possible) second comment period ending in mid-May, and a ballot to approve the CS. TAXII will follow a similar timeline once the public review period is opened. We expect the public review process for TAXII to start shortly and lag by between 1-2 months. Given that, your assessment on TAXII 2.0 is probably accurate. We don’t recommend writing compliance guidance for the use of STIX 2.0 over TAXII 1.1.1. While it may be technically possible to use it in that manner, it’s not optimal and it would probably be better to just wait until TAXII 2.0 is done (or be silent on the topic of TAXII for the first version of STIX on the “comply or explain” list). Please let me know if this answers your questions or if you need anything else.
Rich Richard J. Struse Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee Chief Advanced Technology Officer National Cybersecurity and Communications Integration Center (NCCIC) Cyber Security & Communications U.S. Department of Homeland Security
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Richard van den Berg (NCSC-NL) Dear list, We are starting the process to add STIX/TAXII to the “comply or explain” list of the Dutch government. We are aiming to add STIX 2.0, but the current Committee Specification Draft status might be an issue. I understand STIX 2.0 is currently in the Public Review stage since 24 February[1]. Is there an expected CS approval date for STIX 2.0? I see that for STIX 1.2.1 it took 5 months to get from Public Review[2] to Committee Specification approval[3]. Is that a fair timeline to work with for STIX 2.0? Additional, does it make any sense use STIX 2.0 in combination with TAXII 1.1.1 ? Because the CS approval date for TAXII 2.0 will most certainly be after our new “comply or explain” list is published (as it is lagging 2 months behind STIX 2.0 in the process). [1]: https://issues.oasis-open.org/browse/TCADMIN-2544 [2]: https://issues.oasis-open.org/browse/TCADMIN-2266 [3]: https://www.oasis-open.org/committees/ballot.php?id=2928 Kind regards, Richard van den Berg ............................................................................ Nationaal Cyber Security Centrum Postbus 117 | 2501 CC| Den Haag | www.ncsc.nl ............................................................................ T 070 888 7555 (algemeen) M 06 5207 1109 PGP 46FD 20E0 8257 9081 81A9 5254 A7A3 6869 5D24 D3B6 ............................................................................ Bezoekadres: Turfmarkt 147 | 2511 DP | Den Haag |
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]