Traffic Light Protocol (TLP)

Traffic Light Protocol (TLP) was established to promote better exchange of sensitive information (but unclassified) in the field of information security. The author of that information needs to indicate where information can flow beyond the immediate recipient, and this should consult the original author when information needs to be distributed to third parties.

TLP version 2.0 is the current version approved by FIRST as of August 2022.

How to use it

  • How to use TLP in messaging (such as email and chat)

TLP-labeled messaging must indicate the TLP label of the information, as well as any additional restrictions, directly prior to the information itself. The TLP label should be in the subject line of email. Where needed, also make sure to designate the end of the text to which the TLP label applies.

  • How to use TLP in documents

TLP-labeled documents MUST indicate the TLP label of the information, as well as any additional restrictions, in the header and footer of each page. The TLP label SHOULD be in 12-point type or greater for users with low vision. It is recommended to right-justify TLP labels.

  • How to use TLP in automated information exchanges

TLP usage in automated information exchanges is not defined: this is left to the designers of such exchanges, but MUST be in accordance with this standard.

  • TLP color-coding

A code of four colours is used, whose meaning can be found in the following table:

CodeWhen to use itHow to share itColorBackground
 TLP:RED  TLP:RED  should be used when the information is limited to specific individuals, and could have an impact on privacy, reputation or operations if misused.Recipients should not share information designated as  TLP:RED  with any third party outside the area where it was originally exposed.#ff2b2b#000000
 TLP:AMBER  TLP:AMBER  should be used when information needs to be distributed to a limited extent, but poses a risk to the privacy, reputation or operations if shared outside the organization.Recipients can share information indicated as  TLP:AMBER  only with members of their own organization who need to knowand with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to. Note:  TLP:AMBER+STRICT  restricts sharing to the organization only.#ffc000#000000
 TLP:GREEN  TLP:GREEN  when the information is useful for all organizations involved, as well as with community or sector.Recipients can share information indicated as  TLP:GREEN  with affiliated organizations or members of the same sector, but never through public channels.#33ff00#000000
 TLP:CLEAR TLP:CLEAR  when information poses no risk of misuse, within the rules and procedures for public dissemination. TLP:CLEAR  information can be distributed without restrictions, but still subject to Copyright controls#ffffff#000000

Under TLP, an organization is a group who share a common affiliation by formal membership and are bound by common policies set by the organization. An organization can be as broad as all members of an information sharing organization, but rarely broader.

Under TLP, clients are those people or entities that receive cybersecurity services from an organization. Clients are by default included in TLP:AMBER so that the recipients may share information further downstream in order for clients to take action to protect themselves. For teams with national responsibility this definition includes stakeholders and constituents.

If the recipient needs to disseminate that information with third parties beyond the scope of the TLP designation indicated, should refer to the source of the information.

Why using it?

TLP is a simple and intuitive scheme to indicate when and how sensitive is the information on cybersecurity that will be shared, and facilitates collaboration with other entities or organizations at national and international level.

How TLP relates to other classification schemes?

TLP is not applicable to classified information, as is provided for in the Security Classification Information National Authority for the Protection of Classified Information

TLP designation is not a category or subcategory of these standards , and should only be used operationally.

Who does use TLP?

TLP is used by public and private organizations in the field of cybersecurity, both in Spain and in other countries like United States, Australia, Canada, Finland, France, Germany, Hungary, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland, and United Kingdom.

For more info about the TLP standard, please visit www.first.org/tlp