Re: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Just to offer my opinion - the question IMO for newcomers should not be framed as "should we do 1.X or wait"... I feel like that's a false dichotomy. There is no need for vendors to wait for .next to become a blessed OASIS standard to implement it, as nothing stops vendors from implementing and even stating support for provisional standards. The number of vendors who will have implemented support for .next before it is "blessed", is likely to be far greater than zero... vendors will simply make the minor revisions needed (if any) to meet the full compliance once it finally is blessed. This has been the workflow for many standards hotly demanded by the marketplace over the years... modem, wifi, HTML, CSS, bluetooth.. this happens all the time as vendors can't always wait for the process to come to conclusion before implementation.

I would also say, no one should "wait" - if they're interested then they should get involved, help us create the specs, and perhaps even more importantly, help us by writing code (even if it is internal and can't be shared)... the more people we have involved writing code and testing interoperability the more likely we will be to make a standard that works... waiting on the sidelines won't help that... that's my opinion.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Mark Clancy ---04/26/2016 10:06:56 PM---Thanks Rich this is very helpful! The main reason I asked about the timeline for “.next” is I have h

From: Mark Clancy <mclancy@soltra.com>
To: "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>, "OASIS CTI TC Discussion List" <cti@lists.oasis-open.org>
Date: 04/26/2016 10:06 PM
Subject: Re: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards
Sent by: <cti@lists.oasis-open.org>

---

Thanks Rich this is very helpful!  

The main reason I asked about the timeline for “.next” is I have had several conversations with people who are on the sidelines for implementation of “.current" saying in effect “well we will just wait until .next is released before we put this in our products”.   They may not realize this is still a far distance away so I advocate they should not wait.

-Mark

(P.s. Your message was digitally signed from a different address than the key do to the remailer I suppose so my mobile email client didn’t play nice with it)

From: <cti@lists.oasis-open.org> on behalf of "Struse, Richard" <Richard.Struse@HQ.DHS.GOV>
Date: Tuesday, April 26, 2016 at 11:23 AM
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: [cti] RE: Road to final publication of STIX, TAXII, and CyBox as Oasis standards

Mark,
Thanks for the question and the opportunity to help everyone understand where we are both with the existing specifications and the next major releases. 
 
For the existing specifications here is where we are at:

· STIX 1.2.1 – there will be a motion made during the TC meeting this Thursday to hold a “Special Majority Vote” to approve the “STIX Committee Spec Draft 01 with Non-Material Changes” as a Committee Specification. Once that motion is made and approved OASIS will open a formal ballot for the TC to vote to make this draft a Committee Specification. Assuming that ballot passes, the Committee Specification will be approved and at that point you have, in effect, a mini-OASIS Standard because all the IPR policy aspects lock-in and it is just a series of largely mechanical steps leading to an OASIS Standard vote.
· TAXII 1.1.1 – there will be a motion made during the TC meeting this Thursday to hold a new “Special Majority Vote” to approve the “TAXII Committee Spec” as a Committee Specification. Once that motion is made and approved OASIS will open a formal ballot for the TC to vote to make this draft a Committee Specification. Assuming that ballot passes, the Committee Specification will be approved and at that point you have, in effect, a mini-OASIS Standard because all the IPR policy aspects lock-in and it is just a series of largely mechanical steps leading to an OASIS Standard vote.
· CybOX 2.1.1 – we are doing a final review of the draft CybOX specification documents. There are close to 100 documents (there is one specification for each independent CybOX object) and it has taken a lot of effort to produce and review those. At this point we are planning to have those completed and ready for a formal motion to approve these as Committee Specification Drafts no later than May 13th. Assuming that ballot passes it will begin the comment period as we went through for the STIX and TAXII specifications. Assuming ten days for OASIS to publish the drafts and the required minimum thirty day review period and that there are no material comments that require substantial re-work, the CybOX specification should be ready to be voted on as a Committee Specification around June 25^th.

For each of the three families of specifications once they have been approved as Committee Specifications, the next steps are to collect three or more Statements of Use for each Committee Specification and then hold a Special Majority Ballot to submit those Committee Specifications as Candidate OASIS Standards (COSs).  OASIS then publishes the COSs and puts them out for a sixty-day public comment period. After that review, and again assuming we do not need to make any substantive changes, there is a two-week ballot period for voting by the member companies of OASIS.  If that ballot passes, the Committee Specifications immediately become OASIS Standards in perpetuity.  So, roughly speaking we could have full OASIS standards within ninety days of having approved the Committee Specifications.  For STIX and TAXII that translates into mid-August.  For CybOX that translates into mid-September.  
 
Separate from the text specifications we also need to approve the XML Binding specifications for STIX and CybOX, which includes the XSD schemas. We have a draft of the STIX document that’s being finalized and will be submitted to the TC shortly for the thirty day review period. The same draft should be usable for CybOX without many modifications and so should also be submitted soon. These specifications will need to go through the same process as the text specifications and, if all goes well, should be finalized a month later (mid-September).
 
One point of perspective – from my discussions with OASIS, TC’s generally average eighteen to twenty-four months from the initial meeting of the TC to having their first set of approved OASIS standards.  Therefore, the roughly fifteen months from TC inception that it will take to have approved OASIS standards for our initial specifications is actually faster than most.  
 
As far as the timeframe for the TC to consider and approve new releases of STIX, TAXII and CybOX (your “.next”) I think it is fair to say that we have a number of things going in our favor.  First, we are all now familiar with the OASIS process, the document templates and the intricacies of OASIS voting rules.  In addition, the specifications for STIX 2.0, TAXII 2.0 and CybOX 3.0 are all being developed with this process in mind and therefore we should be able to expedite this process as much as OASIS rules allow.   Assuming that the TC delivers solid Committee Specification Drafts for STIX, TAXII and CybOX in July, in theory we could have approved Committee Specifications by October and full OASIS standards for the next release before the end of Q1 of 2017.   Please note that there are a lot of moving parts and some assumptions in these timelines but they are certainly in the realm of the possible.  It is up to everyone in the TC to work assiduously to make these a reality.
I hope this addresses your questions.  
 
Regards,
Rich
 
Richard J. Struse 
Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee
 
Chief Advanced Technology Officer
National Cybersecurity and Communications Integration Center (NCCIC) and
Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
Cyber Security & Communications
U.S. Department of Homeland Security

e-mail:  Richard.Struse@dhs.gov
Phone:  202-527-2361
 
 
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Mark Clancy
Sent: Thursday, April 21, 2016 11:43 AM
To: cti@lists.oasis-open.org
Subject: [cti] Road to final publication of STIX, TAXII, and CyBox as Oasis standards
 
Great to see so much activity on CTI standards version “.next”, but where exactly are we with getting CTI standards “.current” namely STIX 1.2.1, TAXII 1.1.1 and what ever version of CybOX goes with them to final approved, published standards under the Oasis process?
 
I know the STIX ballot was approved, but there was some formal response to comments needed. Is this complete?
I know the TAXII ballot was withdrawn. When does this come back up and what is needed to do this?
I don’t know where we stand with CyBox so any updates there?
 
We have had this TC for what like 8 months and we already started with a well sorted out candidate set for Oasis CTI standards (aka “.current”) to be published yet we don’t have any of the three actually in final approved & published status.  
 
The other reason I ask this to set realistic expectations as to how much longer it will be when we finally agree on CTI standards “.next” how frighteningly long it will take to get them to final approved & published status.
 
Thanks,
 
-Mark