OASIS Staff Honors Gershon Janssen with the Distinguished Contributor Award

It is our privilege to announce that Gershon Janssen has been awarded the OASIS Distinguished Contributor Award — an honor he has richly deserved for many years. 

With his recent announcement of transitioning off the OASIS Board of Directors, it’s a fitting time to reflect on Gershon’s extraordinary contributions. Since joining OASIS in 2007, he has given more than his time — he has offered steady leadership, sharp insight, and unwavering commitment to our mission. Over the past 18 years, he has served in numerous roles, including:

  • OASIS Member since 2007, elevated to Sponsor Member status in 2022
  • Board Member since 2012, serving as Secretary (2012–2016) and as President and Chairman (2016–2025)
  • Secretary and Contributor for the PMRM and WS Calendar Technical Committees
  • Contributor to the IDtrust and WS-I Member Sections, as well as the PKCS #11, KMIP, MQTT, VIRTIO, BPEL4People, OData, and many other Technical Committees
  • Member of the OECD Internet Technology Advisory Council and Chair of its Security and Privacy Working Group
  • Board of Managers member for the OASIS Open Development Foundation
  • Treasurer for the OASIS Open Europe Foundation
  • Active member of the Process, Finance, Staffing, Governance, and Technology Committees

Much of Gershon’s work has been in roles that rarely receive deserved recognition — yet are vital. His steady hand has been a stabilizing force during turbulent times, including leadership transitions in which he shouldered the responsibilities of both Chair and Interim Executive Director on multiple occasions, some lasting from several months to nearly a year. 

Gershon’s dedication has gone far beyond formal responsibilities. On his own time — and at his own expense — he has served as an ambassador for OASIS around the globe, personally sponsoring activities when resources were stretched, representing our work as a TC member at key events, and acting as a liaison to numerous industry and government bodies. 

Through it all, Gershon led with quiet strength, patience, and a deep respect for the collaborative process, OASIS staff, and the members. His influence has helped guide OASIS through challenges and successes alike, ensuring our community remained strong and forward-looking. 

Words cannot truly capture our appreciation for Gershon’s years of service, nor can they measure the impact he has made. We thank him not only for his leadership, but for his enduring dedication to OASIS and the global open standards community. 

Please join us in congratulating Gershon on this well-deserved recognition. 

— OASIS Staff

OASIS to Advance Global Adoption of Data & Trust Alliance’s Data Provenance Standards

Boston, MA, and New York, NY, USA; 6 March 2025 – OASIS Open, a global open source and standards organization, and the Data & Trust Alliance, a consortium dedicated to developing data and AI practices that create business value and earn trust, announced the upcoming launch of the OASIS Data Provenance Standards Technical Committee (DPS TC). Building on version 1.0.0 of the Data Provenance Standards created by the Data & Trust Alliance’s cross-industry Working Group, the TC will bring more enterprises to the table to create de jure technical standards that aim to advance data transparency, accountability, and trust. Founding sponsors include Cisco, IBM, Intel, Microsoft, and Red Hat.

“The Data & Trust Alliance has done exceptional work in developing the Data Provenance Standards, and OASIS is privileged to partner with them to expand the community actively developing and implementing these standards,” said Jim Cabral, Interim Executive Director of OASIS Open. “By advancing these standards in our open, consensus-driven environment, we ensure their continued evolution, interoperability, and adaptability to meet evolving industry demands.”

With AI and data-driven decision-making now central to business operations, organizations require robust mechanisms to verify data lineage, transformations, and compliance. The DPS TC will develop a standardized metadata framework for tracking data origins, transformations, and compliance, helping businesses establish clearer governance practices. The TC will also define metadata models that span databases, tables, and data pipelines to ensure interoperability and reliability across different platforms. 

“For AI to create value for business and society, the data that trains and feeds models must be trustworthy. Launching the Data Provenance Standard Technical Committee marks a milestone in fostering greater transparency and trust of AI-driven data,” said Saira Jesani, Executive Director, Data & Trust Alliance. “We look forward to bringing the TC’s expertise to bear to not only refine these standards but also bridge the gap between standards and implementation, as we drive towards industry-wide adoption.” 

The standards will enable data producers to deliver clear and consistent data lineage information; support companies in managing compliance and mitigating risks associated with data privacy, security, and intellectual property rights; provide data acquirers with transparency around the data they aim to acquire and a mechanism to determine whether to trust and use the data on offer, request changes to the data set, or reject its use; and help end-users by providing transparency into how their data is managed and protected, fostering trust in data-driven solutions. 

The DPS TC’s first meeting will be held on 8 April 2025. Participation in the DPS TC is open to all through membership in OASIS. Organizations, industry leaders, and experts are encouraged to join and actively contribute to these data provenance standards that will shape the future of transparent and trusted data governance. For more information, please visit the DPS TC’s homepage.

About OASIS Open
One of the most respected, nonprofit open source and open standards bodies in the world, OASIS advances the fair, transparent development of open source software and standards through the power of global collaboration and community. OASIS is the home for worldwide standards in AI, emergency management, identity, IoT, cybersecurity, blockchain, privacy, cryptography, cloud computing, urban mobility, and other content technologies. Many OASIS standards go on to be ratified by de jure bodies and referenced in international policies and government procurement. 

About Data & Trust Alliance
The Data & Trust Alliance was founded as a not-for-profit consortium to bring together leading businesses and institutions across multiple industries to learn, develop, and adopt responsible data and AI practices. Data & Trust Alliance member companies span 15 industries, operate in more than 175 countries, and generate more than $1.6 trillion in annual revenues.

Media Inquiries:
OASIS Open: communications@oasis-open.org
Data & Trust Alliance: inquiries@dataandtrustalliance.org

Additional Information:
DPS TC Project Charter

Support for the Data Provenance Standards Technical Committee:  

Cisco

“I applaud the OASIS community for its forward-thinking creation of the Data Provenance Standards TC. By creating standardized descriptors at the point of data creation, we are forging a path that empowers organizations to safeguard data integrity, security, and privacy throughout its entire lifecycle. This is essential for both AI-driven and traditional applications. These standards will not only enhance transparency and accountability, but also lay the foundation for robust, cross-industry data governance.” 

–Omar Santos, Distinguished Engineer at Cisco, OASIS Board Member

IBM:

“IBM is proud to build on its partnership with the Data & Trust Alliance to become a founding member of the OASIS Data Provenance Standards Technical Committee. As a contributor to the Data & Trust Alliance’s Data Provenance Standards, we are pleased that the DPS TC will evolve the critical work of advancing data transparency started by the Data & Trust Alliance. We look forward to helping organizations accelerate the business impact of AI through trust in our work with the DPS TC.”

–Christina Montgomery, Vice President and Chief Privacy & Trust Officer, IBM

Microsoft:

“Security and Trust remain at the top of mind while Microsoft executes its mission of empowerment. We promote and demand this ethos while developing operationally efficient and trustworthy AI systems. To do this successfully, we believe that full transparency into the data used including where it comes from, how it’s created, and whether it can be used legally is of extreme importance. As a founding member of the Data Provenance Standard Technical Committee (DPS TC), Microsoft will partner with similarly committed organizations towards creating industry standards for ensuring that AI systems are built with transparency, accountability, and trust through establishing data provenance standards as a foundation for improved data governance. Through membership and partnership in the DPS TC, Microsoft continues its commitment to empower every person and every organization on the planet to do more…securely.” 

–Raghu Ramakrishnan, CTO for DATA, Technical Fellow, R&D Azure Data, Microsoft

Red Hat:  

“Red Hat is proud to join the OASIS Data Provenance Standard Technical Committee. With AI rapidly evolving, it’s crucial we address the provenance challenge, together as a community, to help maintain data integrity and user trust. Red Hat is eager to collaborate on keeping security and compliance measures at the forefront of AI development, and we look forward to how this initiative will help unify our efforts toward an open and trusted AI ecosystem.”

–Vincent Danen, VP, Product Security, Red Hat

OASIS ebXML RegRep v4.0 Approved as International Standard

Boston, MA, 23 February 2023 — OASIS Open, the international open source and standards consortium, announced that the OASIS Electronic Business eXtensible Markup Language (ebXML) Registry and Repository (RegRep) v4.0 has been published as a global standard by the International Organization for Standardization (ISO) as ISO 15000-3, Electronic business eXtensible Markup Language (ebXML) – Part 3: Registry and repository. ISO 15000-3 is one of many data and documents standards approved by ISO Technical Committee (TC) 154.

Originally produced by the OASIS ebXML Registry Technical Committee (TC), ebXML RegRep v4.0 is a standard that defines the service interfaces, protocols, and information model for an integrated registry and repository. The repository stores digital content while the registry stores metadata that describes the content in the repository. The ebXML registry standard has been deployed in diverse applications by organizations worldwide. 

The ebXML RegRep standard allows for greater interoperability and cooperation between public and private authorities. Versions of ebXML RegRep are used in domains such as healthcare and geospatial information. The current version of the standard is adopted by one of the European Commission’s initiatives, the Once-Only Technical System (OOTS) for exchange of official documents and data for EU citizens and businesses. It is also used in OpenPeppol in pre-award electronic tendering specifications: “Search Notices” and “Publish Notice”.

The OASIS ebXML Core (ebCore) TC provides continued maintenance and related work on ebXML RegRep and other OASIS ebXML specifications. Its newest specification added an ebXML Messaging binding for RegRep.

“It is great to see ISO and OASIS working together in order to advance the ratification of ebXML specifications, in this case ebXML RegRep,” said Nikola Stojanovic, an author of the ebXML RegRep standard. “Congratulations to the EU teams on implementing such major initiatives while leveraging the ebXML RegRep standard.” 

“The Single Market is one of the EU’s greatest achievements. Online procedures mean that ever more citizens and businesses can make use of their rights and live, work, and do business in different EU countries. Through the Single Digital Gateway Regulation, the Commission and the EU Member States are implementing a large-scale distributed system called the Once-Only Technical System supporting the exchange of evidence in administrative procedures,” said Joao Rodrigues Frade, Head of Sector at the Directorate-General for Informatics of the European Commission. “The Once-Only Technical System will use OASIS RegRep version 4.0 as a key specification for the common services and secure exchange of evidence i.e. official documents exchanged by public administrations on the explicit request of the citizen. In this context, we welcome the adoption of this specification as use of open standards is a core principle of the Once-Only Technical System architecture.”

“OASIS ebXML RegRep is a robust specification for the definition of queries and realization of data requests to public registries,” said Andriana Prentza, Professor at University of Piraeus. “It has been proven very valuable in the realization of the once-only principle and implementation of data services that enable the service discovery and exchange of information between data consumers and data providers.”

Media Inquiries:
communications@oasis-open.org

GS1, Intel, MonetaGo, and Pinary Join OriginBX Sponsors to Define Product Data Standards for Global Tax, Trade and ESG Compliance

10 May 2022 — OASIS Open, the international open source and standards consortium, announced today that GS1, Intel, MonetaGo, and Pinary are the newest sponsors of OriginBX, an international movement to advance open source detail product component level data standards for facilitating digital tax, trade, and ESG attestations.

Launched in June 2021, the OriginBX community has a shared vision to reduce the inefficiency and cost incurred by manufacturers needing to comply with a growing list of complex tax, trade and ESG disclosure requirements. Such claims range from forced labor and conflict minerals, to country of origin and preferential trade programs. Among other cost-of-compliance benefits to producers and supply chain partners, the OriginBX standards aim to increase the utilization of free trade agreements to boost GDP of developing countries. The new sponsors join Accenture, Amazon, CompTIA, IBM, the International Chamber of Commerce, Inveniam, KYG.Trade, Origin Experts Group, Skuchain, Thomson Reuters, and UPS in providing strategic vision, governance, technical guidance, and financial support for OriginBX’s work.

“We’re pleased that GS1, Intel, MonetaGo, and Pinary have joined the OriginBX community, alongside a growing list of leaders supporting this international alliance,” said Todd R. Smith of KYG.Trade, co-chair of the OriginBX Project Governing Board (PGB). “The more private enterprises and global policy setting organizations join OriginBX, the more collaboration and momentum there will be towards adopting digital ‘component-level’ product attribute standards.”

“It is inspirational to see OASIS enlisting the global community to create open source interoperable standards for international product tax, trade and ESG compliance. It is a worthwhile initiative for which I am grateful to be appointed co-chair,” said Oswald Kuyler of MonetaGo, co-chair of the OriginBX PGB. “At MonetaGo, we advocate standards-based enablement for trade solutions – our Secure Financing system for trade finance deduplication exemplifies the power of standards to achieve scale and interoperability worldwide.”


Support for OriginBX

GS1

“GS1 is a neutral and not-for-profit standards organization developing open and interoperable global data standards. The objectives of GS1 and OASIS are well aligned, and we are proud to be involved as a project governing board member of OriginBX. We look forward to working with the participants of OriginBX on improving the ecosystem for identification, attestation and data sharing that will support cross-border trade facilitation going into the future.”

– Robert Beideman, Chief Product Officer, GS1

Intel  

“Reducing the digital divide between countries remains a top priority, previously thought beyond our reach. The standardization of trade data in digital global tax and trade attestations (“GTTAs”) innovations provides the backbone to strategies related to private/public data centrism within a trade context for an innovative, connected, and data-centric world. Partnering with OriginBX members, a like-minded coalition of tax and trade compliance experts and visionaries, is an honor as we collectively work to advance the potential of digital GTTA and blockchain technologies to achieve each trading partner’s economic and competitive goals.”

–Michelle Stout, Senior Director, Intel


About OriginBX

OriginBX supports trade-specific digital product data open standards, SDKs, and APIs, in particular by reducing complexity and the cost of complying with global tax, trade and ESG regulations. We work closely with global non-profit initiatives and alliances to promote the WTO trade facilitation agreement and the UN’s sustainable development goals. OriginBX is governed and supported as an OASIS Open Project.

www.originbx-oasis.org


Media inquiries:
communications@oasis-open.org

OASIS Approves OSLC PROMCODE Standard for Exchanging Project Management Information Across Organizational Boundaries

11 April 2022 — OASIS Open, the global open source and standards consortium, announced that its members have approved OSLC PROMCODE Version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. Developed by the OSLC Lifecycle Integration for Project Management of Contracted Delivery Technical Committee, OSLC PROMCODE is designed to address the need for systematic sharing of project management information within and between organizations.

Global software delivery is commonplace today. With ever increasing pressure, such as faster delivery, competitive cost, and skill availability, it is becoming common for software delivery to be done by collaboration of multiple organizations forming a chain of carriers and suppliers. Resembling the traditional manufacturing industry supply chain, this trend of software delivery is often called a Software Supply Chain (SSC). The SSC is a new paradigm of software delivery, where carriers and suppliers work together.

“Effective collaboration between a Software Supply Chain acquirer and supplier requires activities to be managed and information to be shared across organizational boundaries. As the number of organizations involved in software delivery increases, the need for more systematic and standards-based information sharing and coordination becomes critical,” said Tsutomu Kamimura, chair of the OSLC PROMCODE Technical Committee. “OSLC PROMCODE enables customers and vendors to manage project-management data via a standard interface across organizations and lowers the risk of project delays and cost overruns.”

Participation in the OASIS OSLC PROMCODE Technical Committee is open to all companies, nonprofit groups, governments, academic institutions, and individuals through membership in OASIS. As with all OASIS projects, archives of the Committee’s work are accessible to both members and non-members alike. OASIS also hosts an open mailing list for public comment.

Support for OSLC PROMCODE V1.0

IBM

“IBM is pleased to be a key contributor in the OSLC PROMCODE TC. The specification expands the existing OSLC standard so that we can realize more seamless communication between systems among organizations. Congratulations to all the contributors of the release.”

– Masaki Wakao, Senior Technical Staff Member, IBM

NEC

“NEC is pleased to have contributed to the release of the OSLC PROMCODE specification. Cooperation between software vendors is essential for large scale projects. We hope that PROMCODE, which realizes the alignment among software vendors via exchange of management data, will be the basis of smooth communication.”

– Shigenori Kobayashi, Director, Software and System Engineering Department, NEC

Additional Information

OASIS OSLC PROMCODE TC:   https://www.oasis-open.org/committees/oslc-promcode

Media inquiries:

communications@oasis-open.org

SAM Threshold Sharing Schemes V1.0 Approved as OASIS Standard

23 March 2022 — OASIS Open, the global open source and standards consortium, announced that its members have approved SAM Threshold Sharing Schemes Version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. Developed by the Security Algorithms & Methods (SAM) Technical Committee, SAM Threshold Sharing Schemes V1.0 is intended for developers and architects designing systems and applications that utilize threshold sharing schemes in an interoperable manner.

“SAM Threshold Sharing Schemes V1.0 aids in the interoperability of applications implementing cryptographic capabilities in support of OASIS and other standards and specifications,” said Tim Chevalier of NetApp, co-chair of the OASIS SAM Technical Committee. “Many organizations are unable to conform with a range of specifications that deal with cryptographic algorithms or methods because those algorithms and methods are not documented in a manner that is able to be referenced.” 

“The primary goal of OASIS SAM Threshold Sharing Scheme is to provide a standardized set of algorithms, mechanisms, and methods that can be used in an interoperable way to recover secret data in a secure way; this should be immediately available to other OASIS Technical Committees and recognized standards bodies,” said OASIS SAM co-chair, Greg Scott of Cryptsoft.

Participation in the OASIS SAM Technical Committee is open to all companies, nonprofit groups, governments, academic institutions, and individuals through membership in OASIS. As with all OASIS projects, archives of the Committee’s work are accessible to both members and non-members alike. OASIS also hosts an open mailing list for public comment.

Support for SAM Threshold Sharing Schemes V1.0

Cryptsoft

“Cryptsoft is pleased to be a key participant in the SAM TC. Threshold Sharing Schemes (TSS) are widely used but have typically been non-interoperable between vendors and usage domains. Interoperable TSS allows for disaster recovery and cryptographic multi-party authorization systems to be cross-vendor. This advance will allow for greater security and recoverability of secure data for a wide range of systems used in today’s modern organizations.”

 – Tim Hudson, CTO, Cryptsoft

Additional Information:

OASIS Security Algorithms and Methods (SAM) TC: 
https://www.oasis-open.org/committees/sam

Media inquiries: 
communications@oasis-open.org

EMQ Becomes OASIS Open’s Newest Foundational Sponsor

18 February 2022 — OASIS Open, the international open source and standards consortium, announced today that EMQ, an open-source Internet of Things data infrastructure software provider, is its newest Foundational Sponsor. EMQ joins IBM at the Foundational Sponsor level supporting the mission of OASIS at the highest level.

A leading provider of open source software for IoT, EMQ joined OASIS in 2020 to help advance the OASIS standard for the Message Queuing Telemetry Transport (MQTT) Protocol, the most commonly used messaging protocol for IoT. EMQ’s support is critical in advancing the development and adoption of open standards and helps enable OASIS to fulfill its mission. To learn more about EMQ’s work, please read this blog post on EMQ’s website.

“We are very pleased to welcome EMQ as a Foundational Sponsor,” said OASIS Open Executive Director Guy Martin. “Since EMQ joined OASIS, they have been leading the cutting edge research using MQTT over QUIC and aiming to standardize it with the MQTT Technical Committee. We appreciate EMQ’s generous support which demonstrates their commitment to MQTT and advancing open standards, and we admire their contributions to open source and the IoT industry.”

As a pioneering and leading IoT data infrastructure software provider, EMQ has been working on the open source distributed MQTT broker compatible with MQTT 3.1 and 3.1.1 specifications since 2013. When MQTT became an OASIS open standard in 2016, EMQ actively engaged in the development and discussion of the MQTT 5.0 specification. In 2020, EMQ released the world’s first MQTT 5.0 server fully implementing the latest specification.

“We are excited to be a Foundational Sponsor of OASIS and to participate in the MQTT TC. We hope that the innovations EMQ has made to the MQTT server, including MQTT over QUIC, and MQTT Streaming, will become part of the MQTT open standards in the future. We look forward to working closely with OASIS to further drive the application of MQTT in the IoT industry and scenarios, to power the future-proof IoT solutions and enterprise digital transformation,” said Feng Lee, CEO at EMQ.

About EMQ

EMQ is an open-source IoT data infrastructure software provider, delivering the world’s leading cloud-native MQTT-based IoT messaging platform and streaming database, providing a one-stop cloud-native solution for real-time IoT data connection, movement, processing and analytics, from edge to cloud to multicloud.

The flagship product EMQX is adopted by more than 10,000 enterprise users from over 50 countries, connecting more than 100 million IoT devices worldwide. Trusted by over 300 customers in a business-critical production environment, EMQ powers the future-proof IoT solutions and enterprise digital transformation.

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

OriginBX Alliance for Digital Trade and STIX/TAXII Cybersecurity Standards Win Open Cup Awards

19 January 2022 — OASIS Open, the international open source and standards consortium, announced the winners of the 2021 Open Cup, which recognizes exceptional advancements within the OASIS technical community. The Cup for Outstanding New Initiative was awarded to OriginBX, an international alliance of organizations that are defining global standards for digital trade. The Open Cup for Outstanding Approved Standard was awarded to STIX v2.1 & TAXII v2.1, two widely used cybersecurity standards that enable the automated exchange of cyber threat intelligence. In addition, the consortium named Martin Chapman, Frederick Hirsch, and Duncan Sparrell as OASIS Distinguished Contributors.

Open Cup Recipients

The 2021 Outstanding New Initiative, the OriginBX OASIS Open Project, is a global alliance to advance open source product and trade data standards for facilitating digital tax and trade attestations. By reducing complexity and the cost of complying with preferential and non-preferential country of origin determinations, OriginBX OASIS seeks to increase the utilization of free trade agreements to achieve desired public policy outcomes.

“Launched in June, OriginBX has attracted organizations representing diverse stakeholders in the technology, ecommerce, and customs brokerage sectors. The OriginBX community’s vision is to help build common standards to allow for greater automation in identifying countries of origin for manufactured goods and their components,” said OASIS Executive Director Guy Martin. “We’re proud to support this innovative new project as it aims to streamline global trade.”

OriginBX was chosen as the winner in the New Initiative category, which included the finalist Electronic Secure Authentication (ESAT) Technical Committee.

Named the Outstanding Approved Standard was STIX v2.1 & TAXII v2.1. STIX defines a JSON-based language for sharing structured threat intelligence in a consistent, machine-readable manner, allowing organizations to better protect against, detect, and respond to cyber threats. STIX v2.1 adds new objects and capabilities, enabling it to better describe the cyber threats we confront today, as well as future-proofing STIX via STIX Extensions. As a result, STIX v2.1 creates a solid and stable foundation for vendors and consumers alike to exchange actionable CTI.

TAXII defines a transport protocol which supports the exchange of STIX data over Hyper Text Transfer Protocol Secure (HTTPS). TAXII enables machine-to-machine sharing of CTI by defining an API that supports common sharing models used by industry and Information Sharing and Analysis Organizations (ISAOs).

“The revamped version 2.1 of STIX and TAXII are fast becoming the foundation for automating information sharing to provide cybersecurity professionals with situational awareness, sophisticated threat analysis, and real-time network defense,” said Chet Ensign, OASIS Chief Technical Community Steward.

STIX v2.1 & TAXII v2.1 were chosen from a group of finalists that included:

  • OSLC (Core v3.0, Change Mgmt v3.0, Requirements Mgmt v2.1, & Query v3.0)
  • LegalRuleML Core Specification v1.0
  • BDXR (Service Metadata Publishing (SMP) v2.0 & Exchange Header Envelope (XHE) v1.0)

Distinguished Contributors

Each year, the Distinguished Contributor designation is awarded to a select group of OASIS members who have made significant contributions to the advancement of open standards and/or open source projects.

Martin Chapman, Ph.D., served on the OASIS Board of Directors from 2013-2021, and his roles included Vice Chair and Board Process Committee Chair. Martin promoted open standards and interoperability across Europe, focusing on standardization activities in the areas of Web Services, SOA, Business Process, and Cloud, and became involved in many activities in organizations such as OASIS, W3C, OMG, WS-I, ISO, and ITU-T. Martin served as the OASIS Technical Advisory Board (TAB) Chair and member; the CAMP Technical Committee Chair; the Program Advisor for the OASIS Symposium series; the OASIS representative on the EU Stakeholder Cybersecurity Certification Group (SCCG); and Chair of the OASIS Open Europe Foundation.

Duncan Sparrell of sFractal Consulting serves as Chair of the OASIS Open Command and Control (OpenC2) Technical Committee and is a deeply engaged member of the Cyber Threat Intelligence (CTI) TC, the Collaborative Automated Course of Action Operations (CACAO) TC, and the Common Security Advisory Framework (CSAF) TC. Duncan is actively involved in the Open Cybersecurity Alliance (OCA), an OASIS Open Project, as a member of the Project Governing Board and the Technical Steering Committee. In addition, Duncan volunteers as the official OASIS liaison to ITU-T and is Editor of the ITU recommendation X.1144rev, which is XACML 3.0. He also served as Program Advisor to the OASIS Borderless Cyber Conference series. A seasoned network security evangelist with 40+ years of expertise in conceiving, developing and delivering state-of-the-art software platforms, Duncan has published numerous articles and holds 7 patents.

Frederick Hirsch served on the OASIS Board of Directors for 18 years, from 2003-2021, and his roles included Board Chair, Treasurer and Chair of the Board Finance and Audit Committee, Chair of the OASIS Board Governance and IPR advisory committee, Vice-Chair, Board Secretary, and Technical Advisory Board Liaison. Frederick is an independent consultant focused on establishing trust in systems based on the trustworthiness characteristics of security, safety, reliability, resilience and privacy. Frederick was a member of the Privacy By Design Documentation for Software Engineers (PbD-SE) Technical Committee and previously served as an editor in the SAML, WSS and DSS Technical Committees.

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

Open Cybersecurity Alliance Adds PACE Posture Assessment Project

9 December 2021 — The Open Cybersecurity Alliance (OCA), a global, standards-based initiative to simplify integration across the threat lifecycle, announced today that it has accepted the Posture Attribute Collection and Evaluation (PACE) project contributed by the Center for Internet Security (CIS), the National Security Agency (NSA) and McAfee. PACE will focus on creating production-ready code that evaluates the posture assessment of computing resources using a communication fabric which will allow organizations to use this information in zero-trust architecture decisioning.

Based on an implementation effort from the IETF Security Automation and Continuous Monitoring (SACM) architecture, PACE will deliver community-maintained code that will arm operators with an interoperable out-of-the-box solution that monitors risk and threat exposure, reducing integration costs and redundancy while increasing resiliency. Providing comprehensive views into the endpoint, PACE will take advantage of existing standards such as SCAPv2 and leverage ongoing work in SBOM, to allow cybersecurity practitioners to fully utilize threat-informed defenses in their environment in an open and interoperable fashion.

The PACE project aligns with the OCA’s mission of integrating tools and solutions across security teams and will directly enable vendors and end users, advancing the OCA’s mission of building an open ecosystem where cybersecurity products interoperate without the need for customized integrations. 

“NSA Cybersecurity is proud to have supported the development of the OASIS standard OpenC2 language for command and control, which has been included in PACE. Additionally, PACE will leverage several of the cybersecurity standardization efforts NSA has been working on with industry partners to improve the cybersecurity of National Security Systems, the Department of Defense and the Defense Industrial Base.”
— Neal Ziring, Cybersecurity Technical Director, National Security Agency

PACE joins other OCA projects that include Kestrel, the threat hunting tool, the STIX Shifter patterning library, and the OCA Ontology.

The OCA is hosted by OASIS Open, one of the most respected, international bodies in the world for open source and standards. To learn more about the OCA, or other OCA technologies that are available to help security teams connect their security tools and data, please visit: https://github.com/opencybersecurityalliance.

SPONSOR QUOTES

Center for Internet Security
“Managing risk and addressing threat exposure are important facets of any security program. CIS is pleased to have introduced PACE as a new OCA project; we look forward to evaluating and integrating new posture assessment solutions as the cooperative ecosystem increases in participation and interest.”
– Adam Montville, Chief Product Architect, Center for Internet Security

CyberNB | CIPnet
“We applaud the work of OASIS and believe in the mission to create open, global standards that help strengthen digital resiliency. The new PACE project will help define standardized process to measure cybersecurity posture across computing resources. The team here at CyberNB and our Critical Infrastructure Protection Network (CIPnet) will benefit from the PACE project and its outcomes.”
– Tyson Johnson, CEO, CyberNB | CIPnet

Cydarm Technologies
“PACE is an important addition to the OCA project portfolio, as it enables faster gathering of context around intrusion alerts, enabling responders to more quickly triage possible incidents and reduce time wasted on repetitive queries across disconnected systems. Cydarm looks forward to integrating PACE, to further our goal of enabling better and faster security operations.”
– Dr. Vaughan Shanks, CEO, Cydarm Technologies

Cyware Labs
“Cybersecurity threats are rapidly evolving, making it essential for organizations to have complete visibility over their current security posture and the environment they are striving to protect. At Cyware, we facilitate the goal of collective defense for all organizations and communities through collaborative threat response and threat intelligence sharing. PACE, an OCA project, will steer the community towards a collaborative framework, enabling them to have the right visibility over the security posture of any organization.”
– Avkash Kathiriya, VP – Research and Innovation, Cyware Labs

F5 Inc.
“Effectively sketching the cybersecurity posture of organizations to practically combat cyber threats requires the power of both enterprise and open-source tools to build a coherent and vigorous cyber defense platform. Fusion and integration of security products including information exchange with the PACE project in the OCA ecosystem not only helps the organizations to subvert cyber threats at scale by generating efficient threat intelligence but also helps to build a proactive and robust cybersecurity stance. In fact, that’s the need of the hour for organizations to provide a secure and safe digital transformation environment to customers.”
– Renuka Nadkarni, CTO Security, F5 Inc.

IBM Security
“Posture assessment is foundational for any zero-trust based approach to security. Having open and interoperable implementation of existing posture standards is critical to ensuring that innovations in this space can be effectively implemented by the broader community, and bringing the PACE project into the OCA will help the industry realize that goal.”
– Jason Keirstead, Senior Technical Staff Member and the Chief Architect of Threat Management, IBM Security

McAfee
“The state of a system at the time of an event is of utmost importance in an event driven system, perhaps as important as the event itself. Without this context, we cannot determine if an event is of high or low critical importance or what the resulting action should be to a given event. Posture attributes that we can broadly agree on as well as open tooling for the collection and evaluation of those attributes is a great move forward in making open, interoperable and event-driven cybersecurity a reality.”
– Mark Mastrangeli, Lead Technology Architect, McAfee

Rapid7
“Visibility is the cornerstone of cybersecurity. Being able to measure and effectively communicate the posture/state of business process assets fosters better (and faster) decision making and can significantly improve enterprise safety and resilience. By creating and relying on open standards for data storage and interchange and removing the need for vendors to reinvent the wheel on commodity architecture components, PACE will help bring security automation and continuous monitoring (SACM) to the widest possible audience, arming organizations of any size with the core components necessary to maintain the health of their IT ecosystems.”
– Bob Rudis, Chief Security Data Scientist, Rapid7

SAIC
“As a leading systems integrator for the federal government, SAIC assesses cyber security postures of large customers with complex cyber environments. We have made significant progress in creating a holistic picture with a repeatable process, and the PACE project will enhance our solutions by allowing us to generate the posture and compliance picture in a more rapid and standardized fashion.”
– Forrest Hare, Solution Developer, Cyberspace Operations, SAIC

sFractal Consulting
“PACE is a great fit for OCA’s mission of standards-based, vendor-agnostic, interoperable cybersecurity. One timely PACE example is the Software Bill of Materials (SBOM) – collecting the SBOM of a device or cloud-service and comparing it with vulnerabilities found in the National Vulnerability Database, and using the results to inform your threat-hunting.”
– Duncan Sparrell, Chief Cyber Curmudgeon, sFractal Consulting

ThreatQuotient
“ThreatQuotient believes in a data-driven approach to security that improves efficiency, has an open architecture, and enables balanced automation. We are proud to be a part of the OCA and to support protocols and standards such as PACE that simplify the exchange of information between different teams and technologies, and enable threat-informed defenses. We are encouraged by continued efforts across the industry to meet the needs of security teams and ultimately help them improve the resiliency of their organizations.”
– Haig Colter, Director, Alliances, ThreatQuotient

VISUA
“VISUA recently joined the OCA specifically because we saw the valuable work the member companies were doing to not only find new and innovative ways to detect compromises and behaviours, but also to communicate threat intelligence in a more cohesive and open way. This kind of work is very exciting to us as we bring new technology discussions to the world of cyber security and begin to integrate the wonderful innovations developed and ratified by OASIS members. PACE is yet another example of this great work.”
– Alessandro Prest, CTO and Co-Founder, VISUA


About the Open Cybersecurity Alliance

The Open Cybersecurity Alliance brings together vendors and end-users to create an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures. The OCA is governed under the auspices of OASIS Open, which offers projects a path to standardization and de jure approval for reference in international policy and procurement.

The OCA is led by these organizations committed to solving the costly problem of siloed cyber tools and products: Center for Internet Security (CIS), Copado, Cybereason, CyberNB, Cydarm, Cyware, EclecticIQ, F5 Inc., IBM Security, McAfee, Prophecy International, Rapid7, sFractal Consulting, SafeBreach, SAIC, Tenable, ThreatQuotient, TruSTAR, VISUA and VMware.  

Contact information:
Dee Schur, Senior Manager, Development & Advocacy
OASIS Open
dee.schur@oasis-open.org
+1 941-321-6733

OASIS Open Approves LegalRuleML Core V1.0 Standard for Legislation, Contract, and Case Law

28 September 2021 — OASIS Open, the global open source and standards consortium, announced that its members have approved LegalRuleML Core V1.0 as an OASIS Standard, a status that signifies the highest level of ratification. The LegalRuleML Core is designed to capture the logical structure of legal rules and includes formal features specific to legal norms, guidelines, policies and reasoning.

Legal texts, e.g. legislation, regulations, contracts, and case law, are the source of norms, guidelines, and rules that govern societies. As text, it is difficult to label, exchange, and process content except by hand. In our current web-enabled world, where innovative e-government and e-commerce are increasingly the norm, providing machine-processable forms of legal content is crucial. The objective of LegalRuleML Core V1.0 is to define a standard (expressed with XML-schema and Relax NG and on the basis of Consumer RuleML 1.02) that is able to represent the particularities of the legal normative rules with a rich, articulated, and meaningful mark-up language.

LegalRuleML extends Rule Markup Language (RuleML) with a range of elements specifically designed for the legal domain. In particular, LegalRuleML offers specific operators appropriate to the requirements of legal theory e.g., override rules, temporal parameters for modeling the validity of rules, sub-order list of deontic expressions, jurisdiction metadata, official legal source URI, deontic modalities, and linking ontologies.

“Such a combination of features allows LegalRuleML to offer a conceptual modelling of legal notions and to achieve a close correspondence between textual provisions and the corresponding LegalRuleML encoding,” said OASIS LegalRuleML Technical Committee co-chair, Monica Palmirani. “This correspondence, called legal isomorphism, facilitates the maintenance of LegalRuleML rulesets, enables tracing and transparency of application of the code, and eases the understanding of the encodings.”

LegalRuleML enables the modeling of alternative representations of a textual provision in order to support multiple interpretations that can account for different times of applicability of the norms, the relevant jurisdictions, and other parameters. LegalRuleML has mechanisms to link external ontologies for specific domains, including IPR, privacy, geospatial, etc.

“LegalRuleML provides a common standard for modeling legal rules so as to model interoperable, annotated corpora of legal norms,” said Dr. Guido Governatori, OASIS LegalRuleML TC co-chair. “The LegalRuleML TC intends to develop use-cases to support the implementation of the standard in the market and the development of tools/editors to promote the representation of legal documents in LegalRuleML.”

Additional Information
OASIS LegalRuleML Technical Committee

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

Accenture, Microsoft, and Oracle Executives Elected to OASIS Board of Directors

20 July 2021 — OASIS Open, the international open source and open standards consortium, today announced the election of three new members to its Board of Directors: Nima Dokoohaki of Accenture Strategy & Consulting; Ross Gardler of Microsoft Azure; and Anish Karmarkar of Oracle. Their collective experience in the standards and open source communities expands the Board’s reach and strengthens OASIS’ position as the home for worldwide standards in cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, emergency management, and other content technologies.

The newly elected members join the continuing members of the Board: Jeremy Allison of Google; Rich Bowen of Red Hat; Gershon Janssen, Independent Consultant; Wende Peters of Bank of America; and Richard Struse of MITRE. Jason Keirstead of IBM Security and Daniel Riedel of Copado were re-elected to the Board. Each director will serve a two-year term.

“At OASIS, it’s our mission to re-energize the collaboration between open source and open standards communities in order to fuel innovation. I’m confident that our Board will continue to provide valuable strategic guidance on the evolving needs of our organization,” said Guy Martin, Executive Director of OASIS Open. “I’m excited to welcome our new Board members Nima, Ross, and Anish, and I’m happy to welcome back our returning Board members, Jason and Daniel; thank you for your continued service to the OASIS community.”

Nima Dokoohaki, PhD, is a data science and engineering expert working with the Swedish Accenture Strategy and Consulting Applied Intelligence (S&C AI) team, a group focusing on delivering business value to clients using data analytics. Nima has several years of practical knowledge of the adoption of many enterprise data-centric products from both enterprise architecture as well as enterprise analytics perspectives across several European industries.

“It’s great to be among a select few members being elected by the community to serve on the directorial board. I’m personally humbled and pleased to get to act as a trustee of the organization,” said Nima Dokoohaki. “I hope we can inspire more organizations and members to make a conscious effort to join and contribute to open standards and technologies development that impact the way we do modern business, especially across geographical borders.”

Ross Gardler joined Microsoft in 2013 and works in the Linux Solutions Team on Azure, which owns the full end-to-end experience for customers running Linux workloads on Azure. His team is actively engaged with many open projects for standards, software, and hardware. Ross has more than 20 years of experience in open source, most notably within the Apache Software Foundation, and has been a long-time proponent of the collaboration between open source and open standards.

“A robust and diverse standards system is critical to the technology ecosystem. OASIS has a long-standing tradition of excellence in standards setting, and is among the leaders in defining the future of standardization. Openness is key to innovation and I look forward to working with OASIS as it leverages the intersection of open source and open standards,” said Ross Gardler, Principal Programme Manager, at Microsoft.

Anish Karmarkar, PhD, is a Senior Director at Oracle and member of its Standards Strategy & Architecture team. He is the chair of INCITS/Cloud38, the U.S. Technical Advisory Group to ISO/IEC JTC 1/SC 38 (Cloud Computing & Distributed Platforms) and the editor of ISO/IEC 5140 (Multi-cloud). In addition to his new duties on the OASIS Board, he also represents Oracle on the W3C Advisory Committee, Java Community Process (JCP) Executive Committee, and INCITS Executive Board. With 20+ years of experience in the software industry, Anish has a history of participation and leadership in standards setting organizations, serving on the Board of Directors of the Object Management Group (OMG) and OSGi Alliance, and as a longtime contributor to various OASIS Technical Committees.

“OASIS is a world class open, transparent, global collaboration environment for both standards and open source and Oracle is proud to continue its involvement in shaping it,” said Anish Karmarkar. “I’m honored and humbled to be elected by the membership to serve on the Board of Directors of OASIS. I’m excited to be given this opportunity to serve the needs of the community and use my experience in advancing the mission and vision of OASIS.”

“I want to give special recognition to our outgoing Board members: Dr. Martin Chapman of Oracle; Frederick Hirsch; Beth Pumo of Kaiser Permanente; and Bruce Rich of Cryptsoft,” said Guy Martin. “Thank you for your service; we’re very grateful for your commitment and contributions to OASIS over the years.”

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

STIX and TAXII Approved as OASIS Standards to Enable Automated Exchange of Cyber Threat Intelligence

14 July 2021 – OASIS Open and the members of the Cyber Threat Intelligence (CTI) Technical Committee (TC) are pleased to announce that Structured Threat Information Expression (STIX) v2.1 and Trusted Automated Exchange of Intelligence Information (TAXII) v2.1 have been approved as OASIS Standards. STIX and TAXII are widely used to prevent and defend against cyberattacks by enabling threat intelligence to be analyzed and shared among trusted partners and communities. As full OASIS Standards, STIX and TAXII can now be recognized by other International Standards bodies and referenced in official government procurements and rules.

The STIX standard defines a JSON-based language for sharing structured threat intelligence in a consistent, machine-readable manner, allowing organizations to better protect against, detect, and respond to cyber threats. STIX v2.1 adds new objects and capabilities, enabling it to better describe the cyber threats we confront today, as well as future-proofing STIX via STIX Extensions. As a result, STIX v2.1 creates a solid and stable foundation for vendors and consumers alike to exchange actionable CTI.

The TAXII standard defines a transport protocol which supports the exchange of STIX data over Hyper Text Transfer Protocol Secure (HTTPS). TAXII enables machine-to-machine sharing of CTI by defining an API that supports common sharing models used by industry and Information Sharing and Analysis Organizations (ISAOs).

“When I launched the STIX and TAXII initiatives at the US Department of Homeland Security over nine years ago, I always hoped that one day we would reach this milestone of full international standard status,” said OASIS CTI TC Co-chair Richard Struse of MITRE. “Since transitioning this work to OASIS six years ago, the members of the CTI TC have done a tremendous amount of work to give the global community practical standards that empower defenders to maximize their use of threat intelligence to protect their organizations. The community now should focus on using these standards to solve actual cybersecurity problems and to help thwart future cyber attacks.”

“OASIS has given us the ability to create a scalable and sustainable community where like-minded, passionate people come together to solve problems,” said Trey Darley of the Belgian National CERT, who co-chairs the OASIS CTI TC with Richard. “STIX v2.1 and TAXII v2.1 have reached full OASIS Standard status at a critical inflection point, when there’s such a need for more flexible and faster information sharing to enable defense against global cybersecurity threats. We have laid the foundation for cross-implementation interoperability, future-proofed STIX with the new extensions mechanism…I believe that these standards will enable the creation of new classes of security countermeasures…we’ve barely begun to scratch the surface.”

OASIS CTI Technical Committee: https://www.oasis-open.org/committees/cti

Support for STIX and TAXII v2.1

Accenture

“Publishing STIX and TAXII as full OASIS cyber threat intelligence sharing standards represents a huge milestone for the cybersecurity community. It is our mission to help businesses achieve cyber resilience through the standardized sharing of threat data to help companies more easily consume threat intelligence at speed with action. We are proud to be an OASIS sponsor and member of the CTI Technical Committee dedicated to developing better standards to secure the world.”

— Josh Ray, Managing Director – Cyber Defense Lead, Accenture Security

Anomali

“We recognized early on the importance of a standardized method for exchanging cyber threat intelligence within our platform and our customers’ security ecosystem. We are excited to further the adoption and support of the latest STIX and TAXII versions for our customers and integration partners, which will help them to conduct more precise threat detection, optimize their response, and establish greater cyber resiliency.”

— Mark Alba, Chief Product Officer, Anomali

Copado

“Copado congratulates the OASIS CyberThreat Intelligence Committee in STIX 2.1 and TAXII 2.1 reaching Full OASIS Standard. The continuing effort to build automated defense methods through the open sharing of intelligence in machine-readable format is critical to ongoing efforts in cybersecurity. As a leader in DevOps, Copado will continue to support these efforts to bring humans and machines together to help build a safer, more secure internet.”

– Daniel Riedel, SVP, Copado

Cyware

“We are proud to support the continued refinement of this standard language. It further builds confidence with the threat intelligence community and enables a true collective defense. As a part of the community, Cyware understands how valuable the standard is, which is just one of the reasons we use it as a backbone for intel sharing and automation.”

– Avkash Kathiriya, Vice President of Research and Innovation, Cyware

EclecticIQ

“The rapidly evolving threat landscape makes it more important than ever to exchange and operationalise threat intelligence. We believe the new STIX & TAXII 2.1 standards bring great advancements that will help our customers detect threats earlier, remediate faster and run their cyber defense operations more efficiently. We applaud OASIS and everyone in the threat intelligence community that has contributed to this tremendous milestone.”

– Ciaran Bradley, CTO, EclecticIQ

IBM

“IBM has a long history of supporting industry standards to solve the world’s most pressing challenges. As cyberattacks have become one of the greatest threats facing modern society, defenders require a coordinated approach to succeed. To make this a reality, IBM has embraced an open, integrated approach to cybersecurity and is proud to support open standards such as STIX and TAXII to facilitate wide-ranging use cases across the entire threat management lifecycle – including intelligence, hunting, detection, and response.”

— Jason Keirstead, CTO, IBM Security Threat Management

SEKOIA

“SEKOIA.IO is a XDR platform leveraging threat intel at the highest level. This CTI is used for detection, context enrichment and reaction strategies. To do so, we aligned our solution with STIX2.1/TAXII2.1 since the beginning. Every day, we produce our exclusive technical and strategic CTI but we also ingest the worldwide cybersecurity news. This is a cornerstone for our XDR and this is done using STIX. Customers can also access this CTI using TAXII, TIPs, API or Web.”

— David Bizeul, CTO, SEKOIA

Sopra Steria

“We are pleased to welcome the new STIX standard release. It’s a step further into operational interaction between Cyber Threat Intelligence and Cyber Defense for detection and analysis. Straight relation between Indicators and Observed Data is a good example of the progress made. Sighting is a key to make global knowledge growth. Therefore, we set STIX 2 as the core standard of our services.”

— Alexandre Cabrol Perales, Head of Managed Detection and Response, Sopra Steria Group 

ThreatQuotient

“We believe that supporting open standards is essential to help organizations leverage the tools they are using and facilitates the exchange of information across those tools regardless of vendor. We are proud to support the approval of STIX v2.1 and TAXII v2.1 as OASIS Standards.”

— Haig Colter, Director of Alliances, ThreatQuotient

Media inquiries: 
Carol Geyer
communications@oasis-open.org
+1.941.284.0403
