OASIS Open Command and Control (OpenC2) Technical Committee

The original Call For Participation for this TC may be found at https://lists.oasis-open.org/archives/openc2/201704/msg00000.html

  1. Name of the TC

    OASIS Open Command and Control (OpenC2) Technical Committee

  2. Statement of Purpose

    The fact that cyber-attacks are increasing in terms of sophistication, speed and dynamics of the attack steps is well documented. Advanced cyber actors are utilizing automation with adaptive tradecraft and these trends are likely to continue.

    The traditional cyber security and response approach is through the use of monolithic systems that tightly couple the sensing, analytics, decision making and acting blocks of cyber-defense activities. Upgrading or modification of the functional blocks within the cyber-defenses is intensive, may impact the efficacy of the system as a whole and in many cases cannot be realized within cyber-relevant time. The traditional approach can lead to systems that are relatively static and that make it difficult to coordinate inter-domain responses to cyber-attacks.

    Future defenses will require the integration of new functional blocks, coordination of responses between domains, synchronization of cyber defense mechanisms and automated actions to mitigate current and pending attacks within cyber-relevant time. Key enablers for the realization of more responsive, flexible, product-agnostic and interoperable cyber defense components include the standardization of interfaces and the adoption of standard protocols. This will facilitate interoperability and enable unambiguous machine-to-machine command and control messages.

    The purpose of this technical committee is to create a standardized language for the command and control of technologies that provide or support cyber defenses.

  3. Scope of Work

    The technical committee will draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. The technical committee will leverage pre-existing standards to the greatest extent practical. Identifying gaps pertaining to the command and control of technologies that provide or support cyber defenses is therefore within the technical committee's scope of work.

    The technical committee will base its initial efforts on artifacts generated by the OpenC2 Forum. Prior to the creation of this TC, the OpenC2 Forum was a community of cyber-security stakeholders that was facilitated by the National Security Agency. The OpenC2 Forum drafted a language description document, actuator profiles and open source prototype implementations. Since its inception, the Forum intended to transition its efforts to a recognized standards body. This TC can leverage the pre-existing artifacts produced by the OpenC2 Forum as a foundation on which to base its development.

    It is recognized that command and control of technologies is necessary but insufficient for cyber-security; therefore, every effort will be made to ensure that artifacts are produced in an implementation-agnostic manner, striving toward an architecture that decouples the functional blocks utilized by cyber-defense.

    Other implementation aspects such as transport, authentication, key management, cyber-threat sharing, situational awareness and other services are being addressed by other efforts. The OpenC2 Forum may specify or otherwise leverage pre-existing standards to address external dependencies, identify implementation considerations, etc.; however, the creation of additional standards for these aspects is beyond the scope of this technical committee.

    This technical committee will collaborate with other technical communities to ensure consistency and avoid duplicative efforts. In particular, this committee will work closely with the OASIS Cyber Threat Intelligence Technical Committee (CTI TC). The OpenC2 Technical Committee will focus on the Acting or Response portion of cyber defense but recognizes that there are significant interactions with the functional blocks associated with sensing, analytics and decision making.

  4. Deliverables

    Within 18 months of its first meeting, this TC expects to deliver the following:

    • A Language Description Document (LDD). The LDD will define a lexicon, the actions, syntax, semantics and other general aspects of the language.
    • Security Considerations Document (SCD). By design, OpenC2 strives to be as agnostic of the message fabric as practical and in and of itself does not provide Information Assurance. The SCD will identify IA concerns that implementers should be aware of and are not addressed by OpenC2.
    • Implementation Considerations Document (ICD). By design, OpenC2 strives to be as agnostic of the message fabric as practical and matters other than the command itself are treated as external dependencies. The ICD will identify the transport and interface concerns that must be addressed.
    • JSON Abstract Encoding Notation (JAEN). JAEN will provide a schema so that commands may be validated and ensure interoperability.
    • OpenC2 JSON Schema. The OpenC2 JSON schema will facilitate the encoding and validation of commands for implementations that choose to use JSON encoding.
    • Other to-be-determined artifacts agreed upon by the TC, such as interoperability specifications, implementation guidelines, OpenC2 tutorials, etc.

    In addition to the identified deliverables, this TC shall maintain the following:

    • Actuator Profile Subcommittees. The cyber defense industry is evolving and producing new products and solutions; therefore it is not pragmatic for the LDD to encompass all aspects of the cyber defense industry. An actuator profile will document the portions of the LDD that are mandatory to implement and those that are optional to implement, as well as define any specifiers and modifiers that are specific to a particular cyber defense function.
    • Library of prototype implementations, sample commands, polyglot implementations and other artifacts as they pertain to the command and control of cyber defense technologies. This library will be maintained as an Open Repository of the TC.
    • Language Description Document Subcommittee. The purpose of this subcommittee is to act as a focal point for submitting comments on the language description document. The subcommittee will track comments and ensure that the comments are presented to the TC for resolution.
    • Implementation Considerations Subcommittee. The purpose of this subcommittee is to identify external dependencies and provide implementation guidance.

  5. IPR Mode

    This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

  6. Audience

    The anticipated audience for this work includes:

    • Vendors of products that execute tasks in order to investigate, mitigate and/or remediate cyber-attacks.
    • Vendors of products that orchestrate coordinated responses by execution of a workflow.
    • Organizations that architect and/or integrate defenses for cyber domains.
    • Academia or other stakeholders interested in the research, development and prototyping of cyber defense strategies, architectures and/or technologies.

  7. Language

    TC business will be conducted in English. The output documents will be written in (US) English.