OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Request for Public Comments on STIX 2.0

Dear CTI TC member –


As I mentioned during the Monthly TC meeting this morning, we are in the midst of the public review and comment period on the STIX 2.0 CSD.  As CTI TC members, we’ve had the opportunity to develop and refine these specifications over the past eighteen months – now it is time for those outside of the CTI TC to have a chance to review and comment.  In order to maximize the usefulness of the comments we receive, we think it is essential that any and all reviewers understand the design and implementation decisions that we’ve adopted as a TC.  Most importantly, it is critical that reviewers understand that STIX 2.0 is intended to serve as a foundation for additional releases and therefore there are certain objects and features that have been intentionally deferred until a later release (e.g. STIX 2.1).  Therefore, the call for public comments below attempts to convey this information in as clear and consistent a manner as possible. 


I encourage all TC members to forward the message below to individuals, organizations and/or communities that are not part of the CTI TC.  To avoid duplicate outreach, here are the organizations/communities that we’ve already reached out to:

IETF MILE WG, IETF SACM WG, Forum of Incident Response and Security Teams (FIRST), National Council of ISACs (NCI), Defense Security Information Exchange (DSIE), Cyber Threat Alliance (CTA), Malware Information Sharing Platform (MISP) community, OpenC2 community


I would greatly appreciate it if you could let me know if/when you reach out to an organization/community so that we can keep track of exactly who we’ve asked to comment.  Please let me know if you have any questions and thanks in advance!





Dear Cybersecurity Community Member,


The OASIS Cyber Threat Intelligence Technical Committee (CTI TC) members have recently approved STIX 2.0 as a Committee Specification Draft (CSD) and submitted it for 30-day public review.  The public review started 08 March 2017 at 00:00 UTC and ends 06 April 2017 at 23:59 UTC


This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.


What is STIX?

Structured Threat Information _expression_ (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.  More information can be found here.


What’s New in STIX 2.0?

STIX 2.0 represents a significant evolution in the design and implementation of STIX.  To date, STIX has been very successful in demonstrating that machine-readable cyber threat intelligence can be widely shared and used operationally. Both commercial and government threat intelligence feeds provide it and many threat intelligence tools produce and/or consume it.  As with anything, however, in developing and implementing STIX 1.x the community (both vendors and consumers) have found that it also had some shortcomings. These included excessive complexity and excessive flexibility. In addition, STIX 1.x used XML, which has fallen out of favor with much of the developer community.


STIX 2 is a redesign of STIX that has the same goals and builds on the same foundational concepts but in a way that addresses those shortcomings. It is not backwards-compatible but is intended to be a replacement for STIX 1.x.  STIX 2.0 is the first release of STIX 2 and is intended to be a framework on which future capabilities can be built. In fact, while STIX 2.0 is currently under review, the community is already working on additional capabilities to add in STIX 2.1. All of the releases in the STIX 2 series will build on each other such that upgrading from one version to the next should be easy (unlike the change from STIX 1 to STIX 2).  For more information, consult the FAQ.


STIX 2.0 Documents

STIX Version 2.0 is a five-part specification. The prose documents and related files are available here:


Part #




STIX Core Concepts

Editable Authoritative Source (DOCX)




STIX Objects

Editable Authoritative Source (DOCX)




Cyber Observable Core Concepts

Editable Authoritative Source (DOCX)




Cyber Observable Objects

Editable Authoritative Source (DOCX)




STIX Patterning

Editable Authoritative Source (DOCX)




For your convenience, OASIS also provides a complete package of the prose documents and related files in a ZIP distribution file. You can download the ZIP file here.


How To Comment on STIX 2.0

Comments on STIX 2.0 may be submitted to the TC by any person through the use of the OASIS TC Comment Facility.  Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed herePlease submit any comments before the public comment period ends on April 6, 2017.


By submitting comments you implicitly agree to the terms of the OASIS Feedback License, which ensures that any alterations made to the specifications based upon your feedback are covered by the same IPR protections under which TC members operate.  In addition, in connection with this public review of STIX 2.0, we call your attention to the OASIS IPR Policy applicable to the work of this technical committee. While all members of the TC should already be familiar with this document (which may create obligations regarding the disclosure and availability of a member's patent, copyright, trademark and license rights that read on an approved OASIS specification), public reviewers who are not TC members are encouraged to review the OASIS IPR Policy.  OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC's work.


Invitation to Forward This Call for Comments

OASIS and the CTI TC encourage widespread public review of the STIX 2.0 specifications.  Therefore, please feel free to forward this call for comments onto any and all interested parties.

Thank you.




Richard J. Struse 

Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee


Chief Advanced Technology Officer

National Cybersecurity and Communications Integration Center (NCCIC)

Cyber Security & Communications

U.S. Department of Homeland Security

e-mail:  Richard.Struse@dhs.gov
Phone:  202-527-2361


Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]