30-day Public Review for #CybOX (TM) V2.1.1 - ends 28 October

The OASIS Cyber Threat Intelligence (CTI) TC [1] members have recently approved a Committee Specification Draft (CSD) and submitted it for 30-day public review:

CybOX(TM) Version 2.1.1
Committee Specification Draft 01 / Public Review Draft 01
20 June 2016

Please note: during final production, we noted that the Latest version links in each of the published files are wrong. Rather than further delay start of this review, I decided that we would fix these on the next publication cycle. For now, if you wish to copy a Latest version link so that you will always be brought to the most current version of a document, simply remove the /part###/ portion from the URL. For example, to correct http://docs.oasis-open.org/cti/cybox/v2.1.1/part01-overview/cybox-v2.1.1..., simply remove part01-overview/ for a URL of http://docs.oasis-open.org/cti/cybox/v2.1.1/cybox-v2.1.1-part01-overview.... We apologize for any inconvenience this may cause.

What is CybOX and why is it important?

The Cyber Observable Expression (CybOX) is a standardized language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain. By specifying a common structured schematic mechanism for these cyber observables, the intent is to enable the potential for detailed automatable sharing, mapping, detection and analysis heuristics. This specification serves as an overview of those specifications and defines how they are used within the broader CybOX framework.

About the TC:

The OASIS Cyber Threat Intelligence (CTI) TC is developing information representations and protocols to help industries, organizations, and governments model, analyze, and share cyber threat intelligence.

The TC has transitioned STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression) from the US Department of Homeland Security (DHS) for standardization under the OASIS open standards process.

Members of the TC are currently working on the next generation of these specifications.

STIX, TAXII, and CybOX recently received the European Identity Conference (EIC) 2016 Award for Best Innovation/New Standard in Information Security.

Public Review Period:

The public review starts 28 September 2016 at 00:00 UTC and ends 28 October 2016 at 23:59 UTC.

This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.


The CybOX Version 2.1.1 Committee Specification Draft consists of 94 parts. In the interest of brevity, please see CybOX(TM) Version 2.1.1 Additional Artifacts to access all parts:


ZIP distribution file (complete):

For your convenience, OASIS provides a complete package of the prose document and related files in a ZIP distribution file. You can download the ZIP file here:


Additional information about the specification and the CTI TC can be found at the TC's public home page:


Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility which can be used by following the instructions on the TC's "Send A Comment" page, or directly at:


Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:


All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review of "CybOX(TM) Version 2.1.1", we call your attention to the OASIS IPR Policy [2] applicable especially [3] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member's patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC's work.

========== Additional references:

[1] OASIS Cyber Threat Intelligence (CTI) TC

[2] http://www.oasis-open.org/who/intellectualproperty.php

[3] http://www.oasis-open.org/committees/cti/ipr.php
Non-Assertion Mode

Associated TC: 
Cyber Threat Intelligence (CTI)