Add Custom Marking Specification
In Intel Exchange, you can add custom marking specifications based on your organization's requirements.
Before You Start
Ensure you have the Advanced Data Marking permissions in User Management > User Groups to view and create data marking specifications.
Steps
To add a custom marking specification, follow these steps:
Sign in to Intel Exchange.
Go to Administration > Marking Specification.
Click Add. Use the following information while adding the specification:
Specification Name: Enter the specification name. For example, EIP 2.0
Description: (Optional) Enter a description for the marking specification.
Type: (Optional) Select the marking specification type. Use Single-select to allow users to select only one marking definition for threat data, or Multi-select to enable the selection of multiple definitions. By default, the type is Single-select.
Marking Specification: Enter or upload the marking specification in JSON format. You can choose to beautify and format the JSON. The marking specification JSON must contain the schema and the subsequent marking definitions of the marking specification. The following example is a sample ACS marking specification:
{"$id":"extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce.json","$schema":"https://json-schema.org/draft-07/schema#","title":"acs-marking-definition-extension","description":"This marking extension was created to apply the SD-EDH Cyber Profile to ISA shared documents (ACS)","type":"object","allOf":[{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/marking-definition.json"},{"properties":{"extensions":{"type":"object","properties":{"extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce":{"type":"object","properties":{"extension_type":{"type":"string","enum":["property-extension"]},"identifier":{"type":"string","description":"Single unique identifier associated with the resource. Pattern must allow for case insensitivity for 'isa' and 'guide'","pattern":"^[iI][sS][aA]:[gG][uU][iI][dD][eE]\\.(19001|999191)\\.([0-9a-zA-z]+-)?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"},"name":{"type":"string","description":"Some name for the data marking for user convenience."},"create_date_time":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"The date of the ACS creation."},"responsible_entity_custodian":{"$ref":"#/definitions/custodian","description":"custodian"},"responsible_entity_originator":{"type":"string","description":"originator","$ref":"#/definitions/organizations","$comment":"based on Appendix A of ACS 3.0a specification"},"authority_reference":{"type":"array","$comment":"pattern can be made more robust to represent a urn exactly","items":{"type":"string","$comment":"pattern can be made more robust to represent a urn exactly","pattern":"^(urn:isa:authority:\\w+)$"},"minItems":1},"policy_reference":{"type":"string","pattern":"^(urn:isa:policy:acs:ns:v3\\.0\\?privdefault=(permit|deny)&sharedefault=(permit|deny)\\s?)+$"},"original_classification":{"$ref":"#/definitions/original_classification","description":"Details for generating a classification authority block based on classification by an Original Classification Authority."},"derivative_classification":{"$ref":"#/definitions/derivative_classification","description":"Details for generating a classification authority block based on a derived classification."},"declassification":{"$ref":"#/definitions/declassification","description":"The declassification instructions associated with an original or derived classification for generating a classification authority block."},"resource_disposition":{"$ref":"#/definitions/resource_disposition","description":"Provide a fixed date and time at which an action is to be taken on the associated resource, such as destruction."},"public_release":{"$ref":"#/definitions/public_release","description":"The release authority and date for resources that have been through a formal public release determination process."},"access_privilege":{"type":"array","items":{"type":"object","$ref":"#/definitions/access_privilege"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"further_sharing":{"type":"array","items":{"type":"object","$comment":"$ref - #/definitions/further_sharing"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"control_set":{"$ref":"#/definitions/control_set","description":"Group of data tags that are used to inform automated access control decisions."}},"required":["identifier","create_date_time","responsible_entity_custodian","policy_reference","control_set","extension_type"]}}}},"required":["extensions"]}],"definitions":{"shareability":{"type":"string","enum":["NCC","EM","LE","IC"]},"entity":{"type":"string","enum":["MIL","GOV","CTR","SVR","SVC","DEV","NET"]},"custodian":{"type":"string","$comment":"a subset of Appendix A: List of Organizations of 'Information Sharing Architecture (ISA) Access Control Specification (ACS) Version 3.0a'","pattern":"[A-Z0-9]+\\.[A-Z0-9]+(\\.[A-Z0-9][A-Z0-9-]+)?"},"permitted_nationalities":{"type":"string","$comment":"should contain one or more values listed in 'Geopolitical Entities, Names, and Codes (GENC) Standard Edition 1'"},"organizations":{"type":"string","$comment":"based on Table A1 in Appendix A: List of Organizations of 'Information Sharing Architecture (ISA) Access Control Specification (ACS) Version 3.0a'","oneOf":[{"$ref":"#/definitions/custodian"},{"enum":["CDC","CIKR","DIB","FIN","ISAC","NONFED","PRIVATESECTOR"]}]},"control_set":{"type":"object","properties":{"classification":{"type":"string","enum":["U","C","S","TS"]},"sci_controls":{"type":"array","items":{"type":"string","$comment":"classified enum"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"logical_authority_category":{"type":"array","items":{"type":"string","$comment":"values are listed in the NSA’s Master Data Registry"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"formal_determination":{"type":"array","items":{"type":"string","enum":["PUBREL","NF","AIS","PII-NECESSARY-TO-UNDERSTAND-THREAT","NO-PII-PRESENT","FOUO","INFORMATION-DIRECTLY-RELATED-TO-CYBERSECURITY-THREAT"]},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"caveat":{"type":"array","items":{"type":"string","enum":["FISA","POSSIBLEPII","CISAPROPRIETARY"]},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"sensitivity":{"type":"array","items":{"type":"string","enum":["NTOC_DHS_ECYBER_SVC_SHARE.NSA.NSA","PCII","LES","INT","PII","PR","TEI"]},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"shareability":{"type":"array","items":{"$ref":"#/definitions/shareability"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"entity":{"type":"array","items":{"$ref":"#/definitions/entity"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"permitted_nationalities":{"type":"array","items":{"$ref":"#/definitions/permitted_nationalities"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"},"permitted_organizations":{"type":"array","items":{"$ref":"#/definitions/organizations"},"minItems":1,"$comment":"not required, but if used, there must be 1 item"}},"additionalProperties":false,"required":["classification"]},"derivative_classification":{"type":"object","properties":{"classified_by":{"type":"string"},"classified_on":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"The date an original classification determination was made."},"derived_from":{"type":"string"}},"additionalProperties":false,"required":["classified_by","derived_from"]},"original_classification":{"type":"object","properties":{"classified_by":{"type":"string"},"classified_on":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"The date an original classification determination was made."},"classification_reason":{"type":"string"},"compilation_reason":{"type":"string"}},"additionalProperties":false,"required":["classified_by"]},"declassification":{"type":"object","properties":{"declass_exemption":{"type":"string"},"declass_period":{"type":"integer"},"declass_date":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"A date upon which a resource will be automatically declassified if not exempt."},"declass_event":{"type":"string"}},"minProperties":1,"additionalProperties":false},"resource_disposition":{"type":"object","properties":{"disposition_date":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"The date of the disposition is initiated"},"disposition_process":{"type":"string"}},"required":["disposition_date","disposition_process"],"additionalProperties":false},"public_release":{"type":"object","properties":{"released_by":{"type":"string"},"released_on":{"$ref":"https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/timestamp.json","description":"The date of public release."}},"required":["released_by"],"additionalProperties":false},"privilege_scope":{"type":"object","$comment":"At least one property must be present","allOf":[{"properties":{"permitted_nationalities":{"$comment":"use oneOf construction (see entity), once permitted_nationalities is the actual enum","type":"array","anyOf":[{"items":{"$ref":"#/definitions/permitted_nationalities"}},{"items":{"type":"string","enum":["ALL"]},"maxItems":1}],"minItems":1},"permitted_organizations":{"$comment":"use oneOf construction (see entity), once permitted_organizations defined based on Appendix A of ACS 3.0a specification","type":"array","anyOf":[{"items":{"$ref":"#/definitions/organizations"}},{"items":{"type":"string","enum":["ALL"]},"maxItems":1}],"minItems":1},"shareability":{"type":"array","oneOf":[{"items":{"$ref":"#/definitions/shareability"}},{"items":{"type":"string","enum":["ALL"]},"maxItems":1}],"minItems":1},"entity":{"type":"array","oneOf":[{"items":{"$ref":"#/definitions/entity"}},{"items":{"type":"string","enum":["ALL"]},"maxItems":1}],"minItems":1}},"additionalProperties":false},{"anyOf":[{"required":["permitted_nationalities"]},{"required":["permitted_organizations"]},{"required":["shareability"]},{"required":["entity"]}]}]},"access_privilege":{"type":"object","properties":{"privilege_action":{"type":"string","enum":["DSPLY","IDSRC","TENOT","NETDEF","LEGAL","INTEL","TEARLINE","OPACTION","REQUEST","ANONYMOUSACCESS","CISAUSES","ALL"]},"privilege_scope":{"$ref":"#/definitions/privilege_scope"},"rule_effect":{"type":"string","enum":["permit","deny"]}},"additionalProperties":false,"required":["privilege_action","privilege_scope","rule_effect"]},"further_sharing":{"type":"object","properties":{"sharing_scope":{"type":"array","items":{"oneOf":[{"$ref":"#/definitions/organizations"},{"enum":["FOREIGNGOV","SECTOR"]}]},"minItems":1},"rule_effect":{"type":"string","enum":["permit","deny"]}},"additionalProperties":false,"required":["sharing_scope","rule_effect"]}}}
Sample Marking Definition: Enter or upload a sample definition that is used for validation of the marking specification and is subsequently available for preview on the Marking Specification listing page. The following example is a sample marking definition:
{"id":"marking-definition--479081c8-3a60-4eb8-b410-96a30f395def","type":"marking-definition","created":"2023-03-18T03:23:00.000Z","extensions":{"extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce":{"identifier":"isa:guide.19001.ACS3-9e0cd50e-6efc-45b3-8a3d-b6376541c9c5","control_set":{"classification":"U","formal_determination":["INFORMATION-DIRECTLY-RELATED-TO-CYBERSECURITY-THREAT","PUBREL"]},"extension_type":"property-extension","access_privilege":[{"rule_effect":"permit","privilege_scope":{"entity":["ALL"],"shareability":["ALL"],"permitted_nationalities":["ALL"],"permitted_organizations":["ALL"]},"privilege_action":"CISAUSES"}],"create_date_time":"2023-03-18T03:23:00.000Z","policy_reference":"urn:isa:policy:acs:ns:v3.0?privdefault=deny&sharedefault=permit","authority_reference":["urn:isa:authority:ais"],"responsible_entity_custodian":"USA.DHS.NCCIC","responsible_entity_originator":"USA.DHS.NCCIC"}},"spec_version":"2.1"}
Marking Definitions: Click Add to add marking definitions based on the specification you previously added. You can enter or upload the marking definition in JSON format. Additionally, you can choose colors for each definition. The default marking definition color is grey.
Click Save.
To activate the marking specification in Intel Exchange, ensure you turn on the toggle in the Status column on the listing page. By default, newly added marking specifications are not activated.
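A pre-upload check for the Sample Marking Definition field, as an added example that is not part of Intel Exchange or of the original page: it tests a definition against a subset of the sample ACS specification above (required properties, three string patterns, and the classification enum). The function name check_acs_marking and the BROKEN variant are assumptions made for illustration.

```python
import copy
import re

EXT_ID = "extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce"
# Constraints copied from the sample ACS specification shown above.
REQUIRED = ("identifier", "create_date_time", "responsible_entity_custodian",
            "policy_reference", "control_set", "extension_type")
PATTERNS = {
    "identifier": r"^[iI][sS][aA]:[gG][uU][iI][dD][eE]\.(19001|999191)\."
                  r"([0-9a-zA-z]+-)?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
                  r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$",
    "policy_reference": r"^(urn:isa:policy:acs:ns:v3\.0\?privdefault=(permit|deny)"
                        r"&sharedefault=(permit|deny)\s?)+$",
    "responsible_entity_custodian": r"[A-Z0-9]+\.[A-Z0-9]+(\.[A-Z0-9][A-Z0-9-]+)?",
}
CLASSIFICATIONS = {"U", "C", "S", "TS"}

def check_acs_marking(definition):
    """Return a list of problems; an empty list means the checked subset passed."""
    ext = definition.get("extensions", {}).get(EXT_ID)
    if not isinstance(ext, dict):
        return [f"extensions.{EXT_ID} is missing"]
    problems = [f"missing required property: {k}" for k in REQUIRED if k not in ext]
    for key, pattern in PATTERNS.items():
        value = ext.get(key)  # JSON Schema "pattern" is an unanchored search
        if key in ext and not (isinstance(value, str) and re.search(pattern, value)):
            problems.append(f"{key} does not match the specification pattern")
    if "extension_type" in ext and ext["extension_type"] != "property-extension":
        problems.append("extension_type must be property-extension")
    cs = ext.get("control_set")
    if isinstance(cs, dict) and cs.get("classification") not in CLASSIFICATIONS:
        problems.append("control_set.classification must be U, C, S or TS")
    return problems

# Required fields of the page's sample marking definition (optional ones trimmed).
SAMPLE = {"id": "marking-definition--479081c8-3a60-4eb8-b410-96a30f395def",
          "type": "marking-definition", "spec_version": "2.1", "extensions": {EXT_ID: {
              "identifier": "isa:guide.19001.ACS3-9e0cd50e-6efc-45b3-8a3d-b6376541c9c5",
              "control_set": {"classification": "U"}, "extension_type": "property-extension",
              "create_date_time": "2023-03-18T03:23:00.000Z",
              "policy_reference": "urn:isa:policy:acs:ns:v3.0?privdefault=deny&sharedefault=permit",
              "responsible_entity_custodian": "USA.DHS.NCCIC"}}}

# Constructed broken variant: control_set removed, invalid privdefault value.
BROKEN = copy.deepcopy(SAMPLE)
del BROKEN["extensions"][EXT_ID]["control_set"]
BROKEN["extensions"][EXT_ID]["policy_reference"] = "urn:isa:policy:acs:ns:v3.0?privdefault=maybe"

if __name__ == "__main__":
    print(check_acs_marking(SAMPLE), check_acs_marking(BROKEN))
```

The check does not resolve the remote STIX 2.1 `$ref` schemas or the optional properties, so a definition that passes here can still be rejected by full schema validation.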
Manage Marking Specifications
On the listing page, you can view details of marking specifications such as the name, the created and modified details, the number of marking definitions, and more. You can perform the following actions on marking specifications:
To preview the sample marking definition, hover over the record and click Preview.
To edit the custom marking specification, click Edit. TLP (1.0 and 2.0) specifications are pre-configured and cannot be edited or disabled. You can only edit the name and description of the marking specification, along with the definition name and colors. For statement marking specifications, you can also add custom statement definitions while editing.
To export the marking specification in JSON format, click Export JSON.
To import marking specifications to Intel Exchange, click Import. You can only import JSON files that you previously obtained from Intel Exchange. The allowed file format is .json.
Additional Information
When threat data objects are ingested in Threat Data with both ACS and TLP markings at the same time, the stricter marking definition is retained. For example, if an indicator is ingested with TLP: RED and an ACS marking whose access privilege is marked as ALL, the TLP marking is retained for the threat data object.
For threat data objects ingested with IEP specifications, the IEP markings are ingested in their official format, even though they aren't valid under the STIX 2.1 standard. To ensure they are displayed correctly, the platform automatically converts these markings into a Cyware IEP extension during ingestion, making them valid and ready for use. While you can only create IEP markings using the Cyware format, the platform handles any invalid IEPs by converting them during ingestion to maintain consistency.