Frequently Asked Questions

  • What is OpenC2?

    OpenC2 is a standardized language for machine-to-machine communications for the command and control of technologies that provide or support cyber defenses.

  • OpenC2 is an open source language, available for use and input across the cyber-security community. Many open source languages and technologies benefit from the support of standards bodies, which help guide and champion the ongoing use and evolution of the software or technology. OpenC2 is a project under OASIS. OASIS is the Organization for the Advancement of Structured Information Standards, a nonprofit international consortium that develops open IT standards.

  • As cyber-defense technology vendors and providers adopt OpenC2, OpenC2 can dramatically improve incident response to cyber-threats and allow for enterprise-wide interoperability for cyber-security policy orchestration. Management and development of cyber-defense responses are simplified, and greater collaboration and integration across a wide range of technologies are enabled.

  • OASIS Specifications are open for all to use. See this page for the specifications.

    Open source software to implement OpenC2 can be found in this page.

  • No, OASIS OpenC2 specifications are available to all. There are no known intellectual property rights associated with OpenC2. See this page for additional information.

    If you desire to participate in the OpenC2 Technical Committee and draft future specifications, then OASIS membership would be required.

  • The OASIS OpenC2 TC was formed in 2017 and the first 3 OpenC2 Specifications were approved in 2019.

  • There are some similarities between OpenC2 and the recently announced Open Cybersecurity Alliance's OpenDXL Ontology. OpenDXL is a cybersecurity messaging format for use with the OpenDXL messaging bus. However, OpenC2 is transport-agnostic, allowing for granular implementations in various operational environments.

  • The OpenC2 Language Specification and Actuator Profiles taken together define the request and response message content and expected actions, and a Transfer Specification defines the communications method. The exchange of OpenC2 command and response messages using the HTTPS Transfer Specification can be considered a Remote Procedure Call (RPC)-style Web API. OpenC2 does not have a Web API defined in terms of Representational State Transfer (REST).
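The RPC style described above, as an added example that is not part of the original FAQ or any OpenC2 project code: the operation travels in the message body (`action` plus one `target`), not in the URL or HTTP verb, and the consumer answers with a response carrying a `status`. The supported action/target pairs, the `handle_command` name, and the sample commands are assumptions made for this sketch.

```python
import json

# Assumed capabilities for this sketch: a packet filter that supports "deny"
# and "allow" on IPv4 networks, plus the "query features" command.
SUPPORTED = {("deny", "ipv4_net"), ("allow", "ipv4_net"), ("query", "features")}


def handle_command(body: bytes) -> dict:
    """Validate one OpenC2 command body and return an OpenC2 response dict.

    Every command arrives the same way; what to do is decided from the
    body alone, which is what makes the exchange RPC-style rather than REST.
    """
    try:
        cmd = json.loads(body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return {"status": 400, "status_text": "body is not valid JSON"}
    if not isinstance(cmd, dict):
        return {"status": 400, "status_text": "command must be a JSON object"}

    action, target = cmd.get("action"), cmd.get("target")
    # A command carries exactly one target, keyed by its type.
    if not isinstance(action, str) or not isinstance(target, dict) or len(target) != 1:
        return {"status": 400, "status_text": "need 'action' and a single 'target'"}
    (target_type, target_value), = target.items()

    # Reject anything outside the declared capabilities instead of guessing.
    if (action, target_type) not in SUPPORTED:
        return {"status": 501, "status_text": f"{action} {target_type} not implemented"}

    if action == "query":
        if not isinstance(target_value, list):
            return {"status": 400, "status_text": "'features' must be a list"}
        pairs = {}
        for act, tgt in sorted(SUPPORTED):
            pairs.setdefault(act, []).append(tgt)
        # Only report what was asked for; an empty list yields empty results.
        return {"status": 200, "results": {"pairs": pairs} if "pairs" in target_value else {}}

    # Hypothetical enforcement hook: a real actuator would program the filter here.
    return {"status": 200, "status_text": f"{action} applied to {target_value}"}


if __name__ == "__main__":
    # Constructed sample command (documentation address range).
    print(handle_command(b'{"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}}'))
```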

  • The OpenC2 Technical Committee, an OASIS TC, has three sub-committees:

    Language: Responsible for the development, maintenance, and resolution of comments to the OpenC2 language documentation, including the language specification documents, use cases, glossary, etc.

    Actuator Profiles: Defining actuator profiles, the mapping and description of OpenC2 elements applicable to specific cyber defense functions.

    Implementation Considerations: Provides guidance for implementation aspects such as message transport and information assurance.

  • The OpenC2 TC's process for creating and managing work products is captured in the TC's Documentation Norms.

  • All TC and SC meetings are nominally scheduled for 1 hour and are conducted using Lucid Meetings. The current meeting schedule is as follows:

    TC meetings are normally the 3rd Wednesday of the month, with two sessions: one at 11:00 AM and one at 9:00 PM US Eastern time. For minutes and attendance purposes, the two sessions are treated as a single meeting.

    Language SC meetings are held the first Monday of each month at 1:00 PM US Eastern time.

    Actuator Profile SC meetings are held the second and fourth Tuesdays of each month at 1:00 PM US Eastern time.

    Implementation Considerations SC meetings are held the first Wednesday of each month at 2:00 PM US Eastern time.

  • the OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC? CACAO's goal is to define the standard for creating machine-readable course of action playbooks for cybersecurity operations. CACAO will be able to integrate different languages for controlling components that are part of cyber defense ecosystems, so OpenC2 is a candidate.

    STIX COA? Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). One of the STIX Domain Objects (SDOs), Course of Action, has the ability to capture structured/automated courses of action. OpenC2 can be utilized to populate STIX COA SDOs for sharing automated courses of action for the purpose of responding to cyber incidents in cyber-relevant time.

    MISP? MISP originally stood for Malware Information Sharing Platform but it has evolved to "Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing" according to its homepage.

    OpenDXL? An initiative to create adaptive systems of interconnected services that communicate and share information for real-time, accurate security decisions and actions.

    Open Cybersecurity Alliance?

    Open Cybersecurity Alliance's OpenDXL Ontology?

    Open Connectivity Foundation?

    Open Security Controls Assessment Language (OSCAL)? OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. OSCAL development is being managed in a GitHub repository.

    FIRST Information Exchange Policy (IEP)? IEP is a framework that Computer Security Incident Response Teams (CSIRT), security communities, organizations, and vendors may consider implementing to support their information sharing and information exchange initiatives.

    Turbinia? Turbinia is an open-source framework from Google for deploying, managing, and running distributed forensic workloads.

    OpenDDS? OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS), a Data-Centric Publish-Subscribe (DCPS) model for distributed application communication and integration.

    Open Network Automation Platform (ONAP)?

    Security Content Automation Protocol (SCAP)?

    Business Process Modeling Notation (BPMN)?

    ROLIE? ROLIE is the Resource-Oriented Lightweight Information Exchange, defined in RFC 8322. ROLIE defines a resource-oriented approach for security automation information publication, discovery, and sharing. Using this approach, producers may publish, share, and exchange representations of software descriptors, security incidents, attack indicators, software vulnerabilities, configuration checklists, and other security automation information as web-addressable resources. Furthermore, consumers and other stakeholders may access and search this security information as needed, establishing a rapid and on-demand information exchange network for restricted internal use or public access repositories. The specification extends the Atom Publishing Protocol and Atom Syndication Format to transport and share security automation resource representations.

    Manufacturer Usage Descriptions (MUD)? Manufacturer Usage Description (MUD) is an embedded software standard defined by the IETF that allows IoT Device makers to advertise device specifications, including the intended communication patterns for their device when it connects to the network. The network can then use this intent to author a context-specific access policy, so the device functions only within those parameters. In this manner, MUD becomes the authoritative identifier and enforcer of policy for devices on the network. MUD is defined in RFC 8520.