States the permitted actions that recipients can take upon receiving information.
Enumerations
NONE recipients MUST NOT act upon the information received.
CONTACT FOR INSTRUCTION recipients MUST contact the providers before acting upon the information received. An example is where information redacted by the provider could be derived by the recipient and the affected parties identified.
INTERNALLY VISIBLE ACTIONS recipients MAY conduct actions on the information received that are only visible on the recipient's internal networks and systems, and MUST NOT conduct actions that are visible outside of the recipient's networks and systems, or that are visible to third parties.
EXTERNALLY VISIBLE INDIRECT ACTIONS recipients MAY conduct indirect, or passive, actions on the information received that are externally visible and MUST NOT conduct direct, or active, actions.
EXTERNALLY VISIBLE DIRECT ACTIONS recipients MAY conduct direct, or active, actions on the information received that are externally visible.
Required
NO
Policy statement
AFFECTED PARTY NOTIFICATIONS
Type
ACTION
Description
Recipients are permitted to notify affected third parties of a potential compromise or threat. Examples include permitting National CSIRTs to send notifications to affected constituents, or a service provider contacting affected customers.
Enumerations
MAY recipients MAY notify affected parties of a potential compromise or threat.
MUST NOT recipients MUST NOT notify affected parties of potential compromises or threats.
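The following is an added example, not part of the original specification: a gate that a recipient's automation could call before acting on shared information, covering both the permitted-actions enumeration and AFFECTED PARTY NOTIFICATIONS. The field names `permitted_actions` and `affected_party_notifications`, the `Visibility` classes, the treatment of each level as including the less visible ones, and denying when a statement is absent are all assumptions made for illustration.

```python
from enum import IntEnum

class Visibility(IntEnum):
    """How visible a proposed action is (classification is the caller's job)."""
    INTERNAL = 1           # seen only on the recipient's own networks/systems
    EXTERNAL_INDIRECT = 2  # externally visible, indirect/passive
    EXTERNAL_DIRECT = 3    # externally visible, direct/active

# Enumeration strings are the page's; the cumulative ordering is an assumption.
CEILING = {
    "NONE": 0,
    "CONTACT FOR INSTRUCTION": 0,
    "INTERNALLY VISIBLE ACTIONS": Visibility.INTERNAL,
    "EXTERNALLY VISIBLE INDIRECT ACTIONS": Visibility.EXTERNAL_INDIRECT,
    "EXTERNALLY VISIBLE DIRECT ACTIONS": Visibility.EXTERNAL_DIRECT,
}

def check_action(policy, visibility):
    """Return (decision, reason); decision is 'allow', 'hold' or 'deny'."""
    value = policy.get("permitted_actions")  # hypothetical field name
    if value is None:
        # The statement is not required; failing closed is a local choice.
        return ("deny", "no permitted-actions statement present")
    if value not in CEILING:
        return ("deny", f"unrecognized value {value!r}")
    if value == "CONTACT FOR INSTRUCTION":
        return ("hold", "contact the provider before acting")
    if visibility <= CEILING[value]:
        return ("allow", value)
    return ("deny", f"{visibility.name} exceeds {value}")

def check_notification(policy):
    """Affected-party notification is allowed only on an explicit MAY."""
    value = policy.get("affected_party_notifications")  # hypothetical field name
    if value == "MAY":
        return ("allow", "MAY")
    return ("deny", f"value is {value!r}")

if __name__ == "__main__":
    # Constructed sample policy, not taken from any real feed.
    sample = {"permitted_actions": "EXTERNALLY VISIBLE INDIRECT ACTIONS",
              "affected_party_notifications": "MUST NOT"}
    for v in Visibility:
        print(v.name, check_action(sample, v))
    print("notify", check_notification(sample))
```

The "hold" decision is kept distinct from "deny" so that a playbook can route CONTACT FOR INSTRUCTION items to an analyst instead of silently dropping them.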