CCWG Terms Of Service

Commercial Facilities Cyber Working Group listerver/portal terms of use

Last updated: 11/18/2019

Effective date: 11/18/2019

The Commercial Facilities Cyber Working Group (CCWG) portal is a closed, vetted information-sharing platform created by the Executive Partnership for Integrated Collaboration (EPIC), a nonprofit 501(c)3 organization based in Charlotte, NC.  Admission to the group is supervised by the National Capital Region chapter of InfraGard (InfraGardNCR) under rules developed by the CCWG Steering Committee.  EPIC and InfraGardNCR are individually and collectively the CCWG Portal Parties.  The CCWG Portal Parties have created and operate an Internet-based, closed, vetted, information sharing platform (the CCWG Portal), the purpose of which is to provide a collaboration platform for invited participants (Participants) to share information about cyber threats, vulnerabilities, and mitigation information (Information). Participants are selected by CCWG Portal Parties at their sole and absolute discretion and are invited by CCWG Portal Parties to review and contribute to the CCWG Portal. Subject to the discretion of the CCWG Portal Parties, Participants are generally cybersecurity professionals in the Commercial Facilities sector who are members of InfraGard and who have agreed to these Terms of Use and any other terms required from time to time by the CCWG Portal Parties. Information shared by Participants via the CCWG Portal may include real-time tactical information, threat actor information, suspicious Internet Protocol addresses, possible cyber intrusion attempts, or best practices to improve cyber security postures.

 

The following terms of use pertain to Information shared on the CCWG Portal:

For consistency and clarity, Participants are encouraged to utilize the TLP Protocol.

  1. Confidentiality. Unless otherwise expressly stated by the contributing Participant in writing, all Information posted to the CCWG Portal is CONFIDENTIAL and should be treated as TLP RED. Information posted to the portal may be seen by law enforcement and may (with the consent of the contributor) become part of a new or ongoing investigation. This reinforces the need to maintain confidentiality of all Information posted to the NCR IT Portal.
  2. Contribution. When contributing information to the CCWG Portal, Participants are expected to do so in accordance with the NCR IT Portal’s purpose, as described above. No sensitive or proprietary information, including but not limited to personally identifiable information and specific customer information, should be posted to the CCWG Portal.
  3. Solicitation. Soliciting (selling or offering to sell) to any member of the CCWG Portal is strictly prohibited through or across the CCWG Portal. Participants must not intentionally send advertising material to other Participants through the Portal nor outside the portal unless otherwise requested by a fellow Participant. This clause is critical to the integrity of the CCWG Portal, and any violation will result in immediate removal of the Participant.
  4. Sharing limitations. Information about the individuals, including the identity of any Participant(s) participating on the NCR IT Portal, shall not be shared outside the NCR IT without the prior written consent of the affected Participant(s). In addition, sharing information through the CCWG Portal that constitutes advertising, is pornographic, discriminatory, constitutes a deceptive or unfair trade practice, is otherwise illegal, or which is likely to cause harm to other Participants, their technical infrastructure, or their organizations or affiliates (including but not limited to malware and viruses) is prohibited. The CCWG Portal Parties reserve the right to remove any content shared by any Participant at any time for any reason without notice.
  5. Membership. The CCWG Portal is a closed group, and subscription to the CCWG Portal is by invitation only. Membership queries may be sent directly to This email address is being protected from spambots. You need JavaScript enabled to view it.. By accepting an invitation to become a Participant, such participant agrees to these terms of use. The CCWG Portal Parties reserve the right to remove Participants from the CCWG Portal for noncompliance with these terms of use. At the sole discretion of CCWG Parties, without limiting the foregoing, CCWG Parties may specifically remove Participants from the CCWG Portal without notice for submitting information that constitutes advertising, is pornographic, discriminatory, constitutes a deceptive or unfair trade practice, is otherwise illegal or which is likely to cause harm to other Participants, their technical infrastructure, or their organizations or affiliates.
  6. Security. CCWG Portal traffic is encrypted via SSL (Secure Socket Layer). However, SSL may not always be sufficient to secure Portal traffic. If you have sensitive information to share but don’t wish to share through the CCWG Portal, please contact the listserver administrators at This email address is being protected from spambots. You need JavaScript enabled to view it. for instructions and options.
  7. YOU ACKNOWLEDGE AND AGREE THAT EACH OF THE NCR IT PARTIES PROVIDES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, AND SPECIFICALLY DISCLAIMS, ON ITS OWN BEHALF AND ON BEHALF OF ITS AFFILIATES, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SECURITY OR NON-INFRINGEMENT WITH RESPECT TO THE CCWG PORTAL OR RELATED SERVICES (CCWG SERVICES), WHICH INCLUDES THE CCWG PORTAL’S WEBINARS. CCWG PORTAL SERVICES, INCLUDING ANY AND ALL INFORMATION FURNISHED THEREWITH, ARE PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, OMISSIONS, COMPLETENESS, CURRENTNESS, CONFIDENTIALITY, INTEGRITY OR AVAILABILITY.
  8. Sensitivity. To further the information-sharing function of the CCWG Portal, Participants are encouraged to mark their contributed Information either with a notation included with the Information or with the appropriate sensitivity level or traffic light protocol level (TLP Protocol) as described below:

If a recipient needs to share the information more widely than indicated by the original TLP designation, they must obtain explicit permission from the original source.

TLP Definitions

Color

When should it be used?

How may it be shared?

TLP:RED Not for disclosure, restricted to participants only.

Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.

Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting or email exchange, for example, TLP:RED information is strictly limited to those present at the meeting or specifically included in the email exchange.

TLP:AMBER Limited disclosure, restricted to participants’ organizations.

Sources may use TLP:AMBER

when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.

Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN Limited disclosure, restricted to the community.

Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.

Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community.

TLP:WHITE Disclosure is not limited.

Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.

Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction (subject to copyright or trademark laws)

(source: adapted from: https://www.us-cert.gov/tlp)

Usage

How to use TLP in email

TLP-designated email correspondence should indicate the TLP color of the information in the Subject line and in the body of the email, prior to the designated information itself. The TLP color must be in capital letters: TLP:RED, TLP:AMBER, TLP:GREEN, or TLP:WHITE.  As a reminder, unless otherwise noted, all communication across the NCR IT listserver is to be treated as TLP: RED.

  1. Amendments. All Participants shall be notified of any amendments or modifications to these terms of use by notification through the NCR IT Portal. If any Participant does not agree to the amendments or modifications, such participant shall notify the NCR IT Parties by email to This email address is being protected from spambots. You need JavaScript enabled to view it.. Upon receipt of such notification the notifying participant will be removed from the NCR IT Portal, and his or her status as a Participant shall be removed. Continued use of the NCR IT Portal following notification of amendments or modifications to these terms of use without notification of objection shall be deemed agreement to abide by these terms of use as amended or modified.
  2. Governing law. The terms shall be governed by and construed enforced in accordance with the laws of the state of North Carolina without regard to any choice of law or conflicts of law rules or principles of the state of North Carolina or any other jurisdiction.
  3. Litigation. The state and federal courts located in Mecklenburg County, North Carolina shall be the exclusive forums for all litigation or other proceedings initiated by either Party under or in connection with these terms or the subject matter hereof. Each Party consents to the jurisdiction of such courts and agrees that venue in such courts shall be convenient and proper in connection with all such litigation and proceedings. Each Party agrees not to commence any such action or proceeding in any other forum. Each Party consents to service of process by U.S. mail in connection with any such litigation or proceedings.