Traffic Light Protocol (TLP) 2.0 in Cyber Threat Intelligence
The Traffic Light Protocol (TLP) is a system of color codes to control the sharing of information with audiences. It was created by the UK Government’s National Infrastructure Security Coordination Centre (NISCC), and is used by the US Computer Emergency Readiness Team (US-CERT), the Forum of Incident Response and Security Teams (FIRST), and others.
TLP 2.0 was released in August 2022, and this post has been updated to reflect it.
TLP 2.0 Definitions
TLP:RED
For the eyes and ears of individual recipients only, no further disclosure.
This info may not be shared with anyone outside the exchange, meeting, or conversation where the info was originally disclosed. The reason is that the misuse of the info could negatively affect a party’s privacy, reputation, or operations. This info should be exchanged verbally or in person.
TLP:AMBER
Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.
This info may only be shared with members of one’s own organization, and with clients/customers who need to know the info to protect themselves or prevent further harm. The reason is that the misuse of the info could negatively affect a party’s privacy, reputation, or operations.
TLP:AMBER+STRICT
Limited disclosure, recipients can only spread this on a need-to-know basis within their organization.
This is the same as TLP:AMBER, except that it’s limited to the organization.
TLP:AMBER+STRICT was introduced in TLP 2.0.
TLP:GREEN
Limited disclosure, recipients can spread this within their community.
This info may be shared with peers and partner organizations within a sector or community, but not outside the sector/community or via publicly accessible channels.
TLP:CLEAR
Recipients can spread this to the world, there is no limit on disclosure.
This info may be shared with anyone, as it has little or no known risk of misuse. The rules for public release of info still apply, as do copyright and intellectual property laws.
TLP:CLEAR replaced TLP:WHITE from TLP 1.0.
Following TLP
The source of the info is responsible for ensuring that recipients follow the sharing guidance.
If you want to share info with parties outside of the TLP designation, you must get permission from the original source of the info.
Using TLP in Communications
Email: Indicate the TLP color in the Subject and body of the email (above the designated info). The TLP color must be in capitals (e.g., TLP:RED).
Documents: Indicate the TLP color in the header and footer of each page. The TLP color must be in capitals (e.g., TLP:RED) and in 12-point font or larger.
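The email rule above can be checked automatically before a message leaves the organization. The following Python sketch is an added example, not part of the original post or of any TLP tooling; the function names, the sample messages, and the choice to enforce "above the designated info" as "on the first non-empty body line" of a single-part plain-text message are assumptions.

```python
import re
from email import message_from_string

# Constructed sample messages (not real traffic); single-part plain text is assumed.
GOOD = "Subject: [TLP:AMBER+STRICT] Phishing notes\n\nTLP:AMBER+STRICT\n\nDetails follow.\n"
BAD = "Subject: tlp:white weekly summary\n\nHello all,\nTLP:GREEN\nDetails follow.\n"
MIXED = "Subject: TLP:GREEN sector update\n\nTLP:AMBER\nDetails follow.\n"

# TLP 2.0 labels plus the retired TLP 1.0 name, matched case-insensitively so that
# wrongly cased labels are caught and reported rather than missed.
LABEL_RE = re.compile(r"TLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)\b", re.I)

def first_label(text):
    """Return the first TLP-looking token in text as written, or None."""
    m = LABEL_RE.search(text)
    return m.group(0) if m else None

def check_email(raw):
    """Return a list of marking problems for one message; an empty list means it passes."""
    msg = message_from_string(raw)
    problems = []
    subject = first_label(msg.get("Subject", ""))
    # Assumption: the label must sit on the first non-empty line of the body.
    body_lines = [ln for ln in msg.get_payload().splitlines() if ln.strip()]
    body = first_label(body_lines[0]) if body_lines else None
    if subject is None:
        problems.append("subject: no TLP label")
    if body is None:
        problems.append("body: no TLP label on the first line")
    for where, label in (("subject", subject), ("body", body)):
        if label is None:
            continue
        if label != label.upper():
            problems.append(f"{where}: {label} is not in capitals")
        if label.upper() == "TLP:WHITE":
            problems.append(f"{where}: TLP:WHITE was replaced by TLP:CLEAR in TLP 2.0")
    # TLP:AMBER and TLP:AMBER+STRICT have different audiences, so they count as a mismatch.
    if subject and body and subject.upper() != body.upper():
        problems.append(f"subject says {subject.upper()} but body says {body.upper()}")
    return problems

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD), ("MIXED", MIXED)):
        print(name, check_email(raw) or "ok")
```

A check like this fits in a mail gateway or a pre-send hook, where a failed result holds the message for the sender to fix the marking.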
If you want to use visible colors, these are the official color codes:
RGB:
- TLP:RED : R=255, G=43, B=43
- TLP:AMBER : R=255, G=192, B=0
- TLP:GREEN : R=51, G=255, B=0
- TLP:CLEAR : R=255, G=255, B=255
- Background for all: R=0, G=0, B=0
CMYK:
- TLP:RED : C=0, M=83, Y=83, K=0
- TLP:AMBER : C=0, M=25, Y=100, K=0
- TLP:GREEN : C=79, M=0, Y=100, K=0
- TLP:CLEAR : C=0, M=0, Y=0, K=0
- Background for all: C=0, M=0, Y=0, K=100
HEX:
- TLP:RED : #FF2B2B
- TLP:AMBER : #FFC000
- TLP:GREEN : #33FF00
- TLP:CLEAR : #FFFFFF
- Background for all: #000000