Skip to main content

Traffic Light Protocol (TLP Protocol)

The Traffic Light Protocol (TLP) provides a simple and intuitive scheme for indicating with whom potentially sensitive information can be shared.  Information exchange occurs from an information source to one or more recipients and is classified into a set of four labels that indicate the sharing boundaries to be applied by the recipients.

The four labels are: TLP:RED, TLP:AMBER, TLP:GREEN, and TLP:CLEAR. All of them are written without spaces and in capital letters. Furthermore, they must remain in their original form, even when used in other languages. This labelling and its definitions are not intended to have any effect on the freedom of information or sunshine laws of any jurisdiction. It is optimised for ease of adoption, human readability and person-to-person exchange. It can also be used in automated information exchange systems, such as MISP or IEP.

This protocol is applied differently:

  • Messaging: TLP-labelled messaging must indicate the TLP label of the information, as well as any additional restrictions, directly before the information itself. The TLP label must appear in the subject line of the e-mail. When necessary, also be sure to designate the end of the text to which the TLP label is applied.
  • Documents: TLP-labelled documents must indicate the TLP label of the information, as well as any additional restrictions, in the header and footer of each page. The TLP label must be in 12-point font or larger for users with low vision. It is recommended to right justify TLP labels.
  • Automated information exchanges: The use of TLP in automated information exchanges is not defined: this is left to the designers of such exchanges but must be in accordance with this standard.

TLP definitions:

  • Community: According to TLP, a community is a group that shares goals, practices and informal trusting relationships. A community can be as broad as all cybersecurity professionals in a country (or sector or region).
  • Organisation: In the TLP framework, an organisation is a group that shares a common affiliation through formal membership and is governed by common policies established by the organisation. An organisation can be as broad as all members of an information sharing organisation, but rarely broader.
  • Customers: Under TLP, customers are those individuals or entities that receive cybersecurity services from an organisation. Clients are included by default in TLP:AMBER so that recipients can share the information at a later date in order for clients to take steps to protect themselves. In the case of nationally responsible teams, this definition includes stakeholders and constituents.

When and how to use each colour

TLP:RED Hexadecimal RGB CMYK
 Color fuente #ff2b2b R=255,G=43,B=43 C=0, M=83, Y=83, K=0
 Color fondo #000000 R=0,G=0,B=0 C=0, M=0, Y=0, K=100

For individual recipients only, with no further disclosure. Sources may use TLP:RED when the information cannot be used effectively without significant risk to the privacy, reputation or operations of the organisations involved. Therefore, recipients cannot share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.

 Color fuente #ffc000 R=255,G=192,B=0 C=0, M=25, Y=100, K=0
 Color fondo #000000 R=0,G=0,B=0 C=0, M=0, Y=0, K=100

Limited disclosure, recipients can only disseminate it on a need-to-know basis within their organisation and their customers. TLP:AMBER+STRICT restricts disclosure to the organisation only. Sources may use TLP:AMBER when the information requires support to act effectively, but carries a risk to privacy, reputation or operations if shared outside the organisations involved. Recipients may share TLP:AMBER information with members of their own organisation and their clients, but only to the extent necessary to protect their organisation and their clients and prevent further harm.

 Color fuente #33ff00 R=51,G=192,B=0 C=79, M=0, Y=100, K=0
 Color fondo #000000 R=0,G=0,B=0 C=0, M=0, Y=0, K=100

Limited disclosure, recipients can disseminate it within their community. Sources can use TLP:GREEN when the information is useful for raising awareness within their broader community. Recipients can share TLP:GREEN information with peers and partner organisations within their community, but not through publicly accessible channels. TLP:GREEN information cannot be shared outside the community.

 Color fuente #ffffff R=255,G=255,B=255 C=0, M=0, Y=0, K=0
 Color fondo #000000 R=0,G=0,B=0 C=0, M=0, Y=0, K=100

The recipients can broadcast it to the world, there is no limit to the number of times it can be disseminated. Sources may use TLP:CLEAR when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public disclosure. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.