4.1 Marking Definition
Type Name: marking-definition
The marking-definition object represents a specific marking. Data markings typically represent handling or sharing requirements for data, and are applied in the object_marking_refs and granular_markings properties on STIX Objects, which reference a list of IDs for marking-definition objects.
Two marking definition types are defined in this specification: TLP, to capture TLP markings, and Statement, to capture text marking statements. In addition, it is expected that the FIRST Information Exchange Policy (IEP) will be included in a future version once a machine-usable specification for it has been defined.
Unlike STIX Objects, Marking Definition objects cannot be versioned because it would allow for indirect changes to the markings on a STIX Object. For example, if a Statement marking is changed from "Reuse Allowed" to "Reuse Prohibited", all STIX Objects marked with that Statement marking would effectively have an updated marking without being updated themselves. Instead, a new Statement marking with the new text should be created and the marked objects updated to point to the new marking.
The JSON MTI serialization uses the JSON object type [RFC7159] when representing marking-definition.
4.1.1 Properties
| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The type property identifies the type of object. The value of this property MUST be marking-definition. |
| id (required) | identifier | The id property universally and uniquely identifies this Marking Definition. |
| created_by_ref (optional) | identifier | The created_by_ref property specifies the ID of the identity object that describes the entity that created this Marking Definition. |
| created (required) | timestamp | The created property represents the time at which the Marking Definition was created. The object creator can use the time it deems most appropriate as the time the object was created. |
| external_references | list of type external-reference | The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. |
| object_marking_refs (optional) | list of type identifier | The object_marking_refs property specifies a list of IDs of marking-definitions that apply to this Marking Definition. This property MUST NOT contain any references to this Marking Definition object (i.e., it cannot contain any circular references). |
| granular_markings (optional) | list of type granular-marking | The granular_markings property specifies a list of granular markings applied to this. This property MUST NOT contain any references to this Marking Definition object (i.e., it cannot contain any circular references). |
| definition_type (required) | open-vocab | The definition_type property identifies the type of Marking Definition. The value of the definition_type property SHOULD be one of the types defined in the subsections below: statement or tlp (see sections 4.1.3 and 4.1.4) |
| definition (required) | <marking object> | The definition property contains the marking object itself (e.g., the TLP marking as defined in section 4.1.4, the Statement marking as defined in section 4.1.3, or some other marking definition defined elsewhere). |
4.1.2 Relationships
Data Marking is not a STIX Object and MUST NOT have any SRO relationships to it or from it. This table lists the embedded relationships by property name along with their corresponding target.
| Embedded Relationships | |
|---|---|
| created_by_ref | identity |
| object_marking_refs | marking-definition |
4.1.3 Statement Marking Object Type
The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the definition_type property MUST be statement when using this marking type. Statement markings are generally not machine-readable and this specification does not define any behavior or actions based on their values.
Content may be marked with multiple Statement marking types that do not override each other. In other words, the same content can be marked both with a statement saying "Copyright 2016" and a statement saying "Terms of use are ..." and both statements apply.
| Property Name | Type | Description |
|---|---|---|
| statement (required) | string | A Statement (e.g., copyright, terms of use) applied to the content marked by this marking definition. |
Examples
{
"type": "marking-definition",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2016-08-01T00:00:00.000Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2016, Example Corp"
}
}
4.1.4 TLP Marking Object Type
The TLP marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type.
| Property Name | Type | Description |
|---|---|---|
| tlp (required) | string | The TLP level [TLP] of the content marked by this marking definition, as defined in this section. |
The following standard marking definitions MUST be used to reference or represent TLP markings. Other instances of tlp-marking MUST NOT be used (the only instances of TLP marking definitions permitted are those defined here).
| white | { |
|---|---|
| green | { |
| amber | { |
| red | { |