OASIS Open Command and Control (OpenC2) Technical Committee

The fact that cyber-attacks are increasing in terms of sophistication, speed and dynamics of the attack steps is well documented. Advanced cyber actors are utilizing automation with adaptive tradecraft and these trends are likely to continue.

The traditional cyber security and response approach is through the use of monolithic systems that tightly couple the sensing, analytics, decision making and acting blocks of cyber-defense activities. Upgrading or modification of the functional blocks within the cyber-defenses is intensive, may impact the efficacy of the system as a whole and in many cases cannot be realized within cyber-relevant time. The traditional approach can lead to systems that are relatively static and are difficult to coordinate inter-domain responses to cyber-attacks.

Future defenses will require the integration of new functional blocks, coordination of responses between domains, synchronization of cyber defense mechanisms and automated actions to mitigate current and pending attacks within cyber relevant time. Key enablers for the realization of more responsive, flexible, product agnostic and interoperable cyber defense components include the standardization of interfaces and the adoption of standard protocols. This will facilitate interoperability and enable unambiguous machine to machine command and control messages.

The purpose of this technical committee is to create a standardized language for the command and control of technologies that provide or support cyber defenses.

The technical committee will draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. The technical committee will leverage pre-existing standards to the greatest extent practical. Therefore identifying gaps pertaining to the command and control of technologies that provide or support cyber defenses is within the technical committee's scope of work.

The technical committee will base its initial efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency. The OpenC2 Forum drafted a language description document, actuator profiles and open source prototype implementations. Since its inception, the Forum intended to transition its efforts to a recognized standards body. This TC can leverage the pre-existing artifacts produced by the OpenC2 Forum to provide a foundation to base its development.

It is recognized that command and control of technologies is necessary but insufficient for cyber-security, therefore every effort will be made to ensure that artifacts produced will be done so in the context of being implementation agnostic and striving toward an architecture that decouples the functional blocks utilized by cyber-defense.

Other implementation aspects such as transport, authentication, key management, cyber-threat sharing, situational awareness, and other services are being addressed by other efforts. The OpenC2 Forum may specify or otherwise leverage pre-existing standards to address external dependencies, identify implementation considerations etc., however the creation of additional standards for these aspects are beyond the scope of this technical committee.

This technical committee will collaborate with other technical communities to ensure consistency and avoid duplicative efforts. In particular, this committee will work closely with the OASIS Cyber Threat Intelligence Technical Committee (CTI TC). The OpenC2 Technical Committee will focus on the Acting or Response portion of cyber defense but recognizes that there are significant interactions with the functional blocks associated with sensing, analytics and decision making.

In its work to-date the TC has produced Committee Specifications for the OpenC2 Language Specification, an actuator profile for stateless packet filtering, and a message transfer specification using HTTPS. Future deliverables will address broadening the application of OpenC2 to additional actuator types and transfer protocols, along with other supporting work products such as:

• An OpenC2 architecture specification
• An information modeling language to facilitate the TC’s work
• Other to-be-determined artifacts agreed upon by the TC such as interoperability specifications, implementation guidelines, OpenC2 tutorials etc.

In addition to the identified deliverables, this TC shall maintain the following:

• Library of prototype implementations, sample commands, polyglot implementation and other artifacts as they pertain to the command and control of cyber defense technologies. This library will be maintained as a collection of OASIS Open Repositories managed by the TC.

This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

The anticipated audience for this work includes:

• Vendors of products that execute tasks in order to investigate, mitigate and/or remediate cyber-attacks.
• Vendors of products that orchestrate coordinated responses by execution of a workflow.
• Organizations that architect and or integrate defenses for cyber domains.
• Academia or other stakeholders interested in the research, development and prototyping of cyber defense strategies, architectures and/or technologies.

TC business will be conducted in English. The output documents will be written in (US) English.