Understanding the Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) takes something that most people know and applies it to a new problem.  In this case the simple concept of roadway traffic lights applied to information sharing.   As defined by FIRST, an organization formed by cyber first responders; the Traffic Light Protocol is “a set of designations used to ensure that sensitive information is shared with the appropriate audience”.

The TLP are important cybersecurity threat intelligence designations.

According to the TLP when sharing information between two parties (a source and a recipient) the traffic light colors instruct the party receiving the information (the recipient) what the party sending the information expects regarding how the information will be used.

The key to understanding TLP is its simplicity.  Traffic lights or signals are something used and seen by drivers and passengers on roadways around the world.

It’s important that each person in an organization handling information understand and use TLP all the time and the same way.  Successful implementation of TLP in an organization is when everyone uses the protocol to process information the same way.

While most roadway traffic signals have either two or three lights; the protocol defines 4 conditions.

TLP:Red – information classified as RED when the party sharing the information intends that it will not be disclosed.  The use of this information should be restricted to participants only.  I tell people that when information classified as TLP:Red is shared with you; that information should stay with you.

TLP:Amber –  Information classified as AMBER is intended for limited disclosure.  That means you should only share this information with people in your organization.  If you work for a company in the Information Security department when you receive information classified as TLP:Amber you can share it with others in your Information security department.  Some organizations stretch this to be interpreted as within the company.  Specific company policies and procedures should clarify this.

TLP:Green – Information classified as GREEN is also limited disclosure, however disclosure should be limited to the community; people in your organization and other organizations  whom you regularly work with.  Like TLP:Amber your organizations policies and procedures should define the community.

TLP:White –  Information classified as TLP:White “carries minimal or no foreseeable risk of misuse” and can be shared broadly.  It’s important to note that information classified as TLP:White is still subject to other organizational information classification (such as Secret, Top Secret , or NoForn and copyrights should be observed.

The TLP are important cybersecurity threat intelligence designations and one of the many topics that appear on the CompTIA Security+ SY0-701 exam.