Published on 03 Jul 2023
The Cyber Security Agency of Singapore (CSA) adopts the Traffic Light Protocol (TLP) 2.0 to define how cybersecurity-related information can be shared with relevant recipients, using four (4) different TLP classification labels. As shown in Table 1 below, the four (4) TLP classification labels indicate the expected sharing boundaries and shall be adhered to by the Recipient(s).
Table 1: TLP 2.0 Classification
|TLP Classification|Description on the Access Restriction and Usage|
|---|---|
|TLP:RED|Not for further disclosure, restricted to Recipients only. For the eyes and ears of individual recipients only, no further disclosure.|
|TLP:AMBER+STRICT|Sharing is restricted to the organisation only. Information may be shared with in-house contractors (i.e. the individual / staff working for the organisation) providing cybersecurity services to your organisation. However, these contractors shall not further disseminate the information to their parent company or other customers.|
|TLP:AMBER|Recipients may share information with members of their own organisation and its clients, but only on a need-to-know basis to protect their organisation and its clients and prevent further harm. Information may be shared with both in-house and outsourced contractors (i.e. the individual / staff working for the organisation) providing cybersecurity services to the receiving organisation; however, these contractors shall not further disseminate the information to their parent company or other customers.|
|TLP:GREEN|Limited disclosure, Recipients can share this within their community. Recipients may share information with peers and partner organisations within their community, but not via publicly accessible channels.|
|TLP:CLEAR|Recipients can spread this to the world; there is no limit on disclosure.|