TLP and PAP marking: FAQ


Version 1 (16/11/2022)

1. Frequently asked questions

Listed below are the questions most frequently asked about ANSSI's marking policy for its operational information.

1. May the information received be used for the protection of all kinds of information systems (hereafter « IS »; e.g. vital/critical IS or not, essential IS or not)?

Yes, as long as the requirements of the given TLP and PAP levels are respected and the suitability of that use has been verified.

2. For the protection of the IS of my entity, may the information received be shared with a contractor (for detection or incident response)?
  • TLP:CLEAR: Yes, regardless of the type of contractor.
  • TLP:GREEN: Yes, regardless of the type of contractor, exclusively for the protection of the entity’s IS.
  • TLP:AMBER: Yes, regardless of the type of contractor, exclusively for the protection of the entity’s IS.
  • TLP:RED: No, except if it is an embedded contractor.

⚠ Warning: the contractor has no right to share the information received, in particular with other clients, except for TLP:CLEAR information. ⚠

3. May the information received be shared with a parent entity (Group) or with a subsidiary entity?
  • TLP:CLEAR: Yes
  • TLP:GREEN: Yes
  • TLP:AMBER: Yes
  • TLP:RED: No

⚠ Warning: if the parent entity or the subsidiary entity in turn wishes to share TLP:AMBER information, it must seek express permission from ANSSI to do so. ⚠

4. Is it possible to share the information received with critical suppliers of my supply-chain (identified in my risk assessment), that may have an impact on the continuity of service or security of my business?
  • TLP:CLEAR: Yes
  • TLP:GREEN: Yes
  • TLP:AMBER: No, unless there is a contractual framework between the constituent and its supplier where both parties commit to guarantee the sharing and handling constraints set by ANSSI
  • TLP:RED: No

⚠ Warning: the supplier has no right to share the information received except for TLP:CLEAR information. ⚠

5. May the information received be stored or used in clear on an IaaS or SaaS public cloud service dedicated to investigation, log exploitation or detection?
  • PAP:CLEAR: Yes
  • PAP:GREEN: Yes
  • PAP:AMBER: Yes
  • PAP:RED: Yes

⚠ Warning: this investigation or detection infrastructure must have been designed and secured so as to ensure isolation in case the supervised IS is compromised. ⚠

6. May the information received be used to search on a production IS, including in the cloud?
  • PAP:CLEAR: Yes
  • PAP:GREEN: Yes
  • PAP:AMBER: Yes
  • PAP:RED: No

7. May the information received be used through a local detection and response solution (e.g. Endpoint detection response) deployed on workstations or production servers?
  • PAP:CLEAR: Yes
  • PAP:GREEN: Yes
  • PAP:AMBER: Yes for detection, No for blocking
  • PAP:RED: No

8. Are open source searches or submissions allowed with the information received?
  • For searches (e.g.: using search engines or public knowledge databases accessible on the Internet in order to pivot on the information):
      • PAP:CLEAR: Yes
      • PAP:GREEN: Yes
      • PAP:AMBER: Yes
      • PAP:RED: No

  • For submission of the received information, or of the files containing such information, on an online analysis service, which can share this information or the results of such analysis (e.g.: Virus Total, urlscan, online sandboxes):
      • PAP:CLEAR: Yes
      • PAP:GREEN: Yes
      • PAP:AMBER: No
      • PAP:RED: No

⚠ Warning: in general, publicly accessible knowledge bases have terms and conditions of use which may differ according to the service subscribed. You must ensure that the offer you have subscribed to commits to not sharing your searches with third parties. ⚠

9. May the information received be searched on a public knowledge base disconnected from public networks (e.g. a public base replicated on an infrastructure not connected to the Internet)?
  • PAP:CLEAR: Yes
  • PAP:GREEN: Yes
  • PAP:AMBER: Yes
  • PAP:RED: Yes

10. Is the blocking of network or application flows, on the basis of the information received, possible (e.g. blocking of an IP address on a firewall or of a web address on a proxy server)?
  • PAP:CLEAR: Yes
  • PAP:GREEN: Yes
  • PAP:AMBER: No
  • PAP:RED: No

11. Is it possible to use PAP:RED information on a dedicated workstation disconnected from the production IS (and not exposed to a public network)?

Yes, this can be considered as an infrastructure dedicated to investigations and detections.

12. How does ANSSI consider information received from third parties tagged only with TLP?

ANSSI only applies its interpretation of TLP/PAP marking to the information it produces itself. Information received from outside and only tagged with TLP is interpreted in accordance with FIRST’s definition. However, ANSSI encourages its partners to detail the conditions of handling of the information they share by marking it with a PAP tag or by indicating the limitations associated with its use.
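
The PAP answers to questions 5 to 11, encoded as a gate that decides what an automated pipeline may do with a marked indicator. This is an added example, not ANSSI code; the action names, the tag parsing, the fail-closed handling of a missing PAP tag and the sample indicators are assumptions.

```python
# Added example: PAP gate derived from FAQ answers 5 to 11 (names are hypothetical).
import re

PAP_ORDER = ["CLEAR", "GREEN", "AMBER", "RED"]  # least to most restrictive

# Most restrictive PAP level at which each action is still answered "Yes".
MAX_PAP = {
    "investigation_infra": "RED",    # Q5, Q9, Q11: dedicated or isolated tooling
    "production_search": "AMBER",    # Q6
    "edr_detection": "AMBER",        # Q7: AMBER is "Yes for detection"
    "edr_blocking": "GREEN",         # Q7: AMBER is "No for blocking"
    "open_source_search": "AMBER",   # Q8, searches
    "online_submission": "GREEN",    # Q8, submissions to online analysis services
    "network_blocking": "GREEN",     # Q10
}

PAP_TAG = re.compile(r"^\s*PAP\s*:\s*(CLEAR|GREEN|AMBER|RED)\s*$", re.IGNORECASE)


def pap_level(tags):
    """Return the strictest PAP level found in tags, or None if there is none."""
    levels = [m.group(1).upper() for t in tags if (m := PAP_TAG.match(t))]
    return max(levels, key=PAP_ORDER.index) if levels else None


def allowed_actions(tags):
    # Assumption (not stated on the page): no PAP tag means fail closed,
    # i.e. no automated action until an analyst marks the indicator.
    level = pap_level(tags)
    if level is None:
        return set()
    rank = PAP_ORDER.index(level)
    return {a for a, cap in MAX_PAP.items() if rank <= PAP_ORDER.index(cap)}


# Constructed sample indicators (documentation-range values, not real IoCs).
SAMPLE = [
    {"value": "192.0.2.10", "tags": ["TLP:GREEN", "PAP:GREEN"]},
    {"value": "malware.example", "tags": ["TLP:AMBER", "pap:amber"]},
    {"value": "198.51.100.7", "tags": ["TLP:RED", "PAP:RED"]},
    {"value": "203.0.113.5", "tags": ["TLP:AMBER"]},
]


def build_blocklist(indicators):
    """Only indicators whose PAP allows network blocking reach the firewall."""
    return [i["value"] for i in indicators
            if "network_blocking" in allowed_actions(i["tags"])]
```
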

2. Some use cases

In order to get started with this sharing and handling policy, a few use cases are described in the tables hereunder. For each case details are given regarding who can use the operational information received and on which perimeter.

Hunting
  • TLP:CLEAR, PAP:CLEAR
      Who? Anyone
      Where? Anywhere
  • TLP:GREEN, PAP:GREEN
      Who? A member of the community
      Where? On all its infrastructure
  • TLP:GREEN, PAP:AMBER
      Who? A member of the community
      Where? On all its infrastructure
  • TLP:AMBER, PAP:GREEN
      Who? The constituent or a contractor
      Where? On all its infrastructure
  • TLP:AMBER, PAP:AMBER
      Who? The constituent or a contractor
      Where? On all its infrastructure
  • TLP:AMBER, PAP:RED
      Who? The constituent or a contractor
      Where? On a dedicated investigation network, for instance after having collected elements of interest
  • TLP:RED, PAP:AMBER
      Who? The constituent or its embedded contractor
      Where? On all its infrastructure
  • TLP:RED, PAP:RED
      Who? The constituent or its embedded contractor
      Where? On a dedicated investigation network, for instance after having collected elements of interest

Real time detection
  • TLP:CLEAR, PAP:CLEAR
      Who? Anyone
      Where? Anywhere
  • TLP:GREEN, PAP:GREEN
      Who? A member of the community
      Where? On all its infrastructure
  • TLP:GREEN, PAP:AMBER
      Who? A member of the community
      Where? On all its infrastructure
  • TLP:AMBER, PAP:GREEN
      Who? The constituent or a contractor
      Where? On all its infrastructure
  • TLP:AMBER, PAP:AMBER
      Who? The constituent or a contractor
      Where? On the constituent’s infrastructure; on the constituent’s cloud based infrastructure if there is an agreement with the cloud provider which provides for the exclusive control of its data by the constituent
  • TLP:AMBER, PAP:RED
      Who? The constituent or a contractor
      Where? On a dedicated investigation network
  • TLP:RED, PAP:AMBER
      Who? The constituent or its embedded contractor
      Where? On the constituent’s infrastructure; on the constituent’s cloud based infrastructure if there is an agreement with the cloud provider which provides for the exclusive control of its data by the constituent
  • TLP:RED, PAP:RED
      Who? The constituent or its embedded contractor
      Where? On a dedicated investigation network

Real time blocking
  • TLP:CLEAR, PAP:CLEAR
      Who? Anyone
      Where? Anywhere
  • TLP:GREEN, PAP:GREEN
      Who? A member of the community
      Where? On all its infrastructure
  • TLP:GREEN, PAP:AMBER
      Who? N/A
      Where? N/A
  • TLP:AMBER, PAP:GREEN
      Who? The constituent or a contractor
      Where? On all its infrastructure
  • TLP:AMBER, PAP:AMBER
      Who? N/A
      Where? N/A
  • TLP:AMBER, PAP:RED
      Who? N/A
      Where? N/A
  • TLP:RED, PAP:AMBER
      Who? N/A
      Where? N/A
  • TLP:RED, PAP:RED
      Who? N/A
      Where? N/A

 
 