About TLP#

TLP stands for Traffic Light Protocol. TLP color codes flag information to provide handling and sharing guidelines.

TLP indicates if the information:

  • Is sensitive/reserved, or if you can share it with other parties.

  • Holds high risk, if it is useful to promote awareness of the content it describes, or if it holds no foreseeable risk of misuse.

  • Requires immediate action (deter/prevail), or if it can be part of a longer term strategy (prevent).

You can assign a TLP color value to restrict access to the following Intelligence Center items:

  • Entities.

  • Data you receive via incoming and send out via outgoing feeds.

  • Data created by users belonging to the groups associated with allowed data sources.

Observables do not have a TLP property.

About TLP as access control#

When TLP works as an access control mechanism, a TLP color selection includes other color values in a decreasing range.

For example, if you set a TLP color to assign the level of confidentiality a group can access, the group can access data sources and entities having the selected TLP color code, as well as data sources and entities whose TLP color indicates that they are progressively lower risk, less sensitive, and suitable for disclosure to broader audiences.

In this context, a group that can access one or more Allowed sources with a TLP access level set to amber, the group and its members are allowed to access content from the specified data sources up to TLP amber: this includes amber, green, and white.

About TLP as search and filter#

When TLP works as a search or as a filter mechanism, a TLP color selection returns only exact matches.

For example:

  • Setting a TLP filter or quick filter to green matches only entities whose TLP value is green.

  • A search for meta.tlp_color:AMBER returns only entities whose TLP value is amber.

Entities with no TLP color value do not show up in search or in filtered results.

About TLP overrides#

You can override the original or the current TLP color code of an (uploaded) entity, an incoming feed, or an outgoing feed.

TLP overrides have precedence over the original entity TLP value. TLP overrides always supersede the original TLP value assigned to an entity, regardless of the TLP override being more or less restrictive than the original TLP value.

TLP reference#

The table below sums up TLP behavior when TLP is used to control access to data, and when TLP is used to search and filter data.

Color

Disclosure

Access level

Filter and search

When should it be used?

How may it be shared?

Not set

Disclosure is not limited.

Not set

Not set

Some sources do not have a set TLP color code.

In that case, the sharing capabilities are treated as if they had the color White.

You can assign any color code to any entity, an incoming feed, or an outgoing feed without a TLP color code.

Subject to standard copyright rules.

White

Disclosure is not limited.

  • White

White

Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.

Subject to standard copyright rules.

TLP:WHITE information may be distributed without restriction.

Green

Limited disclosure, restricted to the community.

  • Green

  • White

Green

Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.

Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

Information in this category can be circulated widely within a particular community.

TLP:GREEN information may not released outside of the community.

Amber

Limited disclosure, restricted to participants’ organizations.

  • Amber

  • Green

  • White

Amber

Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.

Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.

Sources are at liberty to specify additional intended limits of the sharing.

These must be adhered to.

Red

Not for disclosure, restricted to participants only.

  • Red

  • Amber

  • Green

  • White

Red

Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused.

Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed.

For example, in the context of a meeting, TLP:RED information is limited only to the meeting attendees.

In most circumstances, TLP:RED should be exchanged verbally or in person.