What is OpenC2?
OpenC2 is a standardized language for machine-to-machine communications for the command and control of technologies that provide or support cyber defenses. The OpenC2 Technical Committee is developing a suite of specifications that define the OpenC2 architecture, language, tailor its use to specific cyber-defense functions, and specify how to convey OpenC2 messages using various industry-standard transfer protocols.
-
What is the difference between OpenC2 and OASIS?
OpenC2 is an open source language, available for use and input across the cyber-security community. Many open source languages and technologies benefit from support of standards bodies, to help guide and champion on-going use and evolution of the software or technology. OpenC2 is a project under OASIS. OASIS is the Organization for the Advancement of Structured Information Standards, a nonprofit international consortium that develops open IT standards.
-
How is the "suite" of OpenC2 Specifications organized?
As described in the OpenC2 Architecture Specification, there are multiple types of OpenC2 specifications, meant to be used in concert:
- The OpenC2 Architecture Specification describes the fundamental structures of OpenC2.
- The OpenC2 Language Specification provides the essential elements of the language, the structure for Commands and Responses, and the mechanisms for extending the OpenC2 language.
- OpenC2 Actuator Profiles specify the subset of the OpenC2 language relevant in the context of specific actuator functions (e.g., packet filtering, honeypots).
- OpenC2 Transfer Specifications utilize existing protocols and standards (e.g., HTTPS, MQTT) to implement OpenC2 message transfer in specific environments.
-
What can OpenC2 do for me?
As cyber-defense technology vendors and providers adopt OpenC2, OpenC2 can dramatically improve incident response to cyber-threats and allow for enterprise-wide interoperability for cyber-security policy orchestration. Management and development of cyber-defense responses is simplified, and greater collaboration and integration across a wide range of technologies is enabled.
-
How can I access OpenC2 and JADN?
OASIS Specifications are open for all to use. The TC’s home page at OASIS lists the officially published specifications. This website includes a list of all OpenC2 specifications (published and under development), and a collection of open source software tooling to aid in implementing OpenC2.
-
What is JADN?
JSON Abstract Data Notation (JADN) is a UML-based information modeling language that defines information requirements and data structure independently of data format. JADN was created by the OpenC2 TC to assist with defining OpenC2 information models for the language and actuator profiles in a way that supports the language’s goal of enabling machine-to-machine communications for purposes of command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the serialization formats.
-
How can I learn more about JADN?
A brief introduction to JADN can be found in the JADN and OpenC2 document in the TC’s operations repository. The TC has also developed a Committee Note (CN) on Information Modeling Using JADN. The CN provides an overview of information modeling and the use of JADN for that purpose. Detailed specifics can be found in the Specification for JSON Abstract Data Notation (JADN), an OASIS Committee Specification (CS) published in August 2021.
-
Are there tools for working with JADN?
Open source tools for processing JADN information models (abstract schemas), and for validating data against an information model, can be found on GitHub in an OASIS TC Open Repository of JADN Software. These information models are used to define OpenC2 content as well as other types of structured data, e.g., Software Bill of Materials (SBOM) documents.
-
Do I have to be a member of OASIS to use OpenC2 or JADN?
No, OASIS OpenC2 specifications are available to all. There are no known intellectual property rights associated with OpenC2 or JADN. See this page for additional information.
If you desire to participate in the OpenC2 Technical Committee and draft future specifications, then OASIS membership would be required.
-
How long has this been around?
The OASIS OpenC2 TC was formed in 2017 and the first 3 OpenC2 Specifications were approved in 2019. The OpenC2 TC continues to develop and improve the specifications in the suite.
-
Is there an OpenC2 API?
The OpenC2 Language Specification and Actuator Profiles taken together define the request and response message content and expected actions, and a Transfer Specification defines the communications method. The exchange of OpenC2 command and response messages using the HTTPS Transfer Specification can be considered a Remote Procedure Call (RPC)-style Web API. OpenC2 does not have a Web API defined in terms of Representational State Transfer (REST).
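As an added example (not code from the OpenC2 TC or its specifications), a minimal Python producer/consumer pair for the message shapes described in this answer and in the suite description above: a `deny` command for a packet-filter (slpf) actuator, the structural checks a consumer runs before acting, and the status-coded Response it returns. Field names follow the published OpenC2 Language Specification v1.0 and the SLPF actuator profile; the in-memory rule list, the consumer logic and the specific checks are assumptions of this example.

```python
import json

# Media types defined by the OpenC2 HTTPS Transfer Specification v1.0 (transfer layer only;
# the message content below is defined by the Language Spec and the SLPF profile).
CONTENT_TYPE_CMD = "application/openc2-cmd+json;version=1.0"
CONTENT_TYPE_RSP = "application/openc2-rsp+json;version=1.0"

REQUIRED_CMD_FIELDS = ("action", "target")       # Language Spec: action and target are mandatory
SLPF_ACTIONS = {"allow", "deny", "query", "delete"}  # actions the SLPF profile allows


def build_deny_command(src_addr, dst_addr, dst_port, protocol="tcp", asset_id="30"):
    """Producer side: a 'deny ipv4_connection' Command addressed to an slpf actuator."""
    return {
        "action": "deny",
        "target": {"ipv4_connection": {"protocol": protocol, "src_addr": src_addr,
                                       "dst_addr": dst_addr, "dst_port": dst_port}},
        "args": {"response_requested": "complete"},
        "actuator": {"slpf": {"asset_id": asset_id}},
    }


def validate_command(cmd):
    """Structural checks a consumer runs before acting; returns an error string or None."""
    for field in REQUIRED_CMD_FIELDS:
        if field not in cmd:
            return f"missing required field '{field}'"
    # 'target' is a Choice: exactly one target type may be present.
    if not isinstance(cmd["target"], dict) or len(cmd["target"]) != 1:
        return "target must contain exactly one target type"
    if cmd["action"] not in SLPF_ACTIONS:
        return f"action '{cmd['action']}' is not defined for the slpf profile"
    return None


def handle_command(message, rules):
    """Consumer side: parse (str or dict), validate, apply to the hypothetical rule list, respond."""
    try:
        cmd = json.loads(message) if isinstance(message, str) else message
    except json.JSONDecodeError:
        return {"status": 400, "status_text": "Bad Request: malformed JSON"}
    err = validate_command(cmd)
    if err:
        # 501 Not Implemented for an action the consumer cannot perform, else 400 Bad Request
        return {"status": 501 if err.startswith("action") else 400, "status_text": err}
    if cmd["action"] == "deny" and "ipv4_connection" in cmd["target"]:
        rules.append(("deny", cmd["target"]["ipv4_connection"]))
        return {"status": 200, "status_text": "OK",
                "results": {"slpf": {"rule_number": len(rules)}}}
    return {"status": 501, "status_text": f"Not Implemented: {cmd['action']}"}
```

A `query features` command, the one every OpenC2 consumer must support, would be handled in the same `handle_command` switch before reaching the final 501 branch.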
-
What is the TC's process for creating work products?
The OpenC2 TC’s process for creating and managing work products is captured in the TC’s Documentation Norms.
-
What is the meeting schedule?
The OpenC2 TC holds meetings on Wednesdays at 11:00am Eastern Time (“OpenC2 Time”). The TC conducts business meetings on the 3rd Wednesday of the month, and working meetings on the 1st, 2nd, and 4th Wednesdays of each month. See the Meeting Schedule portion of the General Member Information page of our TC Operations repository for more information.
-
How does OpenC2 relate to the OASIS CACAO TC?
The CACAO (Collaborative Automated Course of Action Operations for Cyber Security) TC’s goal is defining the standard for creating machine-readable course of action playbooks for cybersecurity operations. CACAO is designed to integrate different languages for controlling components that are part of cyber defense ecosystems; OpenC2 is therefore a candidate for that role.
-
How does OpenC2 relate to STIX Course of Action (COA)?
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). One of the STIX Domain Objects (SDOs), Course of Action (COA), has the ability to capture structured/automated courses of action. OpenC2 can be utilized to populate STIX COA SDOs for sharing automated courses of action for the purpose of responding to cyber incidents in cyber-relevant time.
-
How does OpenC2 relate to OpenDXL?
OpenDXL is an initiative to create adaptive systems of interconnected services that communicate and share information for real-time, accurate security decisions and actions. As a communications fabric, OpenDXL supports both point-to-point and publish / subscribe communications models. OpenDXL could be used as a communications fabric for OpenC2, but no transfer specification has been formalized for it.
-
How does OpenC2 relate to the Open Cybersecurity Alliance (OCA)?
The Open Cybersecurity Alliance (OCA) is an OASIS Open Project focused on building “an open ecosystem where cybersecurity products interoperate without the need for custom integrations”. OpenC2 is being used on the OCA PACE sub-project as the preferred C2 mechanism, and development has started on a threat hunting AP for OpenC2 to invoke OCA’s Kestrel language. OpenC2 TC member organizations also participate in the Cybersecurity Automation Sub-Project (CASP).
-
How does OpenC2 relate to PACE?
Posture Attribute Collection and Evaluation (PACE) is an Open Cybersecurity Alliance effort to create a comprehensive automated strategy for understanding security posture. OpenC2 plays two roles in PACE. PACE uses OpenC2 for command and control to obtain security posture information, and for command and control of the PACE system itself (e.g., requesting a security posture evaluation of a device). OpenC2 also plays a role in implementing the actions that result from posture evaluation (e.g., adding a firewall rule, sandboxing a device, etc.).
-
How does OpenC2 relate to Kestrel?
Kestrel is an Open Cybersecurity Alliance effort to create a threat hunting language that enables building reusable, composable, and shareable huntflows across different data sources and threat intel. Kestrel comprises a threat hunting language for a human to express what to hunt, and a runtime machine interpreter that deals with how to hunt. OpenC2 is collaborating with the Kestrel team to define an OpenC2 AP for Threat Hunting to automate the invocation of threat hunting activities, based on the threat hunting concepts embodied in Kestrel.
-
How does OpenC2 relate to CASP?
The Cybersecurity Automation Sub-Project (CASP) is an Open Cybersecurity Alliance effort to bring together like-minded cybersecurity vendors, end users, thought leaders, and individuals who are interested in cybersecurity automation. It is a forum to exchange information, insights, and reference implementations via commonly developed code and tooling, using mutually agreed upon technologies, specifications, and procedures. OpenC2 TC members participate in CASP, including plugfest events where members can test, enhance, and demonstrate interoperability among cybersecurity automation tools.
-
How does OpenC2 relate to the Security Content Automation Protocol (SCAP)?
The Security Content Automation Protocol (SCAP) is “a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization” (Wikipedia). The SCAP program is managed by the US National Institute of Standards and Technology (NIST) as part of that organization’s broader security automation efforts. The initial set of SCAP standards were published in 2009. Security automation mechanisms could, for example, use OpenC2 commands to manage remediation of cybersecurity issues uncovered through SCAP.
-
How does OpenC2 relate to the OCA Ontology?
The Open Cybersecurity Alliance’s OCA Ontology (formerly known as the OCA OpenDXL Ontology) is “an effort to bring semantic consistency to the full spectrum of enterprise cyber security.” Creating a common vernacular among different vendors and cybersecurity sub-disciplines, and establishing “formal, machine-readable representations” are means to improve interoperability, which OpenC2 should be able to leverage.
-
How does OpenC2 relate to OpenDDS?
OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS), a Data-Centric Publish-Subscribe (DCPS) model for distributed application communication and integration.
-
How does OpenC2 relate to Manufacturer Usage Descriptions (MUD)?
Manufacturer Usage Descriptions (MUD) is an embedded software standard defined by the IETF that allows IoT Device makers to advertise device specifications, including the intended communication patterns for their device when it connects to the network. The network can then use this intent to author a context-specific access policy, so the device functions only within those parameters. In this manner, MUD becomes the authoritative identifier and enforcer of policy for devices on the network. MUD is defined in RFC 8520.
-
How does OpenC2 relate to IETF SCITT?
The IETF Supply Chain Integrity, Transparency, and Trust (SCITT) working group is “defin[ing] a set of interoperable building blocks that will allow implementers to build integrity and accountability into software supply chain systems to help assure trustworthy operation.” The group is working on multiple documents, including an architecture.
At present there is no defined relationship between OpenC2 and SCITT, but the open nature of both provides opportunities where OpenC2-based interactions could be used in SCITT implementations.
-
How does OpenC2 relate to NIEM?
NIEM, originally launched in 2005, is “a common vocabulary that enables efficient information exchange across diverse public and private organizations”, and as of early 2023 has shifted from being a government-driven activity to an OASIS Open Project.
The OpenC2 community has engaged with the NIEM Open Project regarding the potential to apply the JADN information modeling language to the evolution of NIEM.
-
How does OpenC2 relate to OCSF?
The Open Cybersecurity Schema Framework (OCSF), originally announced during BlackHat USA 2022 is “an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. … The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes.”
The OpenC2 community has engaged with the OCSF project regarding the potential to apply the JADN information modeling language to the evolution of OCSF.