Traffic Light Protocol (TLP)
The Traffic Light Protocol (TLP) was created in order to encourage greater sharing of information. Information sharing is important for helping mitigate the spread of electronic attacks, improving protection through sharing best practices, and building trust between players in this field. In order to encourage the sharing of sensitive (but unclassified) information, however, the originator needs to signal how widely they want their information to be circulated beyond the immediate recipient, if at all. The TLP provides a simple method to achieve this. It is designed to improve the flow of information between individuals, organisations or communities in a controlled and trusted way. It is important that everyone understands and obeys the rules of the protocol. Only then can trust be established and the benefits of information sharing realised. The TLP is based on the concept of the originator labelling information with one of four colours to indicate what further dissemination, if any, can be undertaken by the recipient. The recipient must consult the originator if wider dissemination is required.
In 2016, a task group of FIRST worked on resolving several deficiencies found with the original protocol, mainly regarding TLP Amber information.  Moreover, they defined the exact TLP label minimum size and colours in RGB and CMYK. The (new) TLP scheme is:
- TLP RED: Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
Formerly: personal for named recipients only; most often shared orally between the set of trusted participants.
- TLP AMBER: Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.
Formerly: Limited distribution. The recipient may share AMBER information with others within their organisation, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.
- TLP GREEN: Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not released outside of the community.
Formerly: Community wide distribution. Information in this category can be circulated widely within a particular community. However, the information may not be published or posted on the Internet, nor released outside of the community.
- TLP WHITE: Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
Formerly: Unlimited distribution. Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.
- Critical Infrastructure Protection
- Critical Information Infrastructure Protection
- Information Sharing
- OECD: Development of Policies for Protection of Critical Information Infrastructures. OECD (2012)
- TLP: FIRST Standards Definitions and Usage Guidance — Version 1.0
- CERT.IL Glossary