FIRST CSIRT Services Framework and Standards
The Forum of Incident Response and Security Teams (FIRST) is the leading global organization for Computer Security Incident Response Teams (CSIRTs) + Product Security Incident Response Teams (PSIRTs) + Vulnerability Coordinators + cybersecurity professionals. FIRST maintains a suite of community-developed standards + frameworks. KEY FIRST STANDARDS: (a) CSIRT SERVICES FRAMEWORK V2.1 (published 2019) - the canonical service-catalog defining 5 SERVICE AREAS + 36 SERVICES that CSIRTs deliver: Information Security Event Management; Information Security Incident Management; Vulnerability Management; Situational Awareness; Knowledge Transfer; (b) COMMON VULNERABILITY SCORING SYSTEM (CVSS) - the industry-standard vulnerability severity metric; CVSS v4.0 published 2023 with revised Base + Threat + Environmental + Supplemental metrics + Macro vector + qualitative severity rating (None/Low/Medium/High/Critical); CVSS v3.1 remains in use for prior advisories; CVSS scores feed into vulnerability management + patch prioritisation + the CISA Known Exploited Vulnerabilities (KEV) Catalog + the NVD; (c) TRAFFIC LIGHT PROTOCOL (TLP) v2.0 - the four-color information-sharing classification system (TLP:RED + TLP:AMBER + TLP:AMBER+STRICT + TLP:GREEN + TLP:CLEAR) used by CSIRTs + ISACs + vendors + governments + replaced TLP v1.0 (TLP:WHITE renamed to TLP:CLEAR in v2.0); (d) INFORMATION EXCHANGE POLICY (IEP) v2.0 - a machine-readable extension of TLP enabling automated policy-driven sharing of cyber threat intelligence; (e) MULTI-PARTY COORDINATED VULNERABILITY DISCLOSURE (MPCVD) GUIDELINES - best practices for coordinated disclosure when multiple affected vendors or affected parties exist; (f) PSIRT SERVICES FRAMEWORK - a parallel Product-team-focused service framework; (g) VULNERABILITY COORDINATION BEST PRACTICES GUIDELINES. FIRST is operated as a non-profit consortium + the standards are publicly available + freely-implementable. Coordination: FIRST standards underpin many national CSIRT regimes (US-CERT + DOE CIRC + CISA + UK NCSC + ENISA + AusCERT + JPCERT/CC + KrCERT/CC + many others) + are referenced in NIST SP 800-61 + ISO/IEC 27035 + NIS2 + CIRCIA + MITRE ATT&CK + the EU Cyber Resilience Act (CRA) vulnerability handling obligations.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
FIRST: CSIRT Services Framework v2.1 - Foundational and Mandate
| Code | Title |
|---|---|
| FIRST-CSIRTF-Mandate-Quality | CSIRT Services Framework v2.1 - Mandate, Scope and Quality Management |
FIRST: Related Standards - CVSS, TLP, IEP, MPCVD and PSIRT Services
| Code | Title |
|---|---|
| FIRST-CVSS-v4 | FIRST Common Vulnerability Scoring System (CVSS) v4.0 (2023) and CVSS v3.1 Legacy |
| FIRST-IEP-MPCVD | FIRST Information Exchange Policy (IEP) v2.0 + Multi-Party Coordinated Vulnerability Disclosure (MPCVD) |
| FIRST-PSIRT-Services | FIRST PSIRT Services Framework (2020) - Product Security Incident Response Team Service Catalog |
| FIRST-Sectoral-NationalCSIRT | FIRST Sectoral Coordination - National CSIRTs, ISACs, ENISA, NIS2 + Industry Frameworks |
| FIRST-Status-Pipeline | FIRST Standards Pipeline - 2024-2025 Roadmap and Coordination with NIS2, CIRCIA, EU CRA |
| FIRST-TLP-v2 | FIRST Traffic Light Protocol (TLP) v2.0 (2022) - Information-Sharing Classification |
FIRST: Service Area 1 - Information Security Event Management
| Code | Title |
|---|---|
| FIRST-CSIRTF-SA1-ISEM | Service Area 1 - Information Security Event Management (Monitoring, Detection, Triage) |
FIRST: Service Area 2 - Information Security Incident Management
| Code | Title |
|---|---|
| FIRST-CSIRTF-SA2-ISIM | Service Area 2 - Information Security Incident Management (Intake, Analysis, Containment, Recovery, Coordination, Crisis) |
FIRST: Service Area 3 - Vulnerability Management + Coordinated Disclosure
| Code | Title |
|---|---|
| FIRST-CSIRTF-SA3-VulnMgmt | Service Area 3 - Vulnerability Management and Coordinated Disclosure |
FIRST: Service Area 4 - Situational Awareness and Threat Intelligence
| Code | Title |
|---|---|
| FIRST-CSIRTF-SA4-SituationalAwareness | Service Area 4 - Situational Awareness and Threat Intelligence |
FIRST: Service Area 5 - Knowledge Transfer (Awareness + Training + Exercises)
| Code | Title |
|---|---|
| FIRST-CSIRTF-SA5-KnowledgeTransfer | Service Area 5 - Knowledge Transfer (Awareness, Training, Exercises, Advisory) |
Your Compliance Coverage
If you comply with FIRST CSIRT Services Framework and Standards, you already cover:
NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)
25%
3 controls mapped
Compare →FFIEC Cybersecurity Assessment Tool (CAT)
25%
3 controls mapped
Compare →OWASP Top 10:2025
17%
2 controls mapped
Compare →+ 57 more: AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association) (17%), ISO/IEC 30111:2019 (17%)
See all 60 mapped frameworks ↓Maps to 60 other frameworks
Frequently Asked Questions
What is FIRST CSIRT Services Framework and Standards?
FIRST CSIRT Services Framework and Standards is a compliance framework from International (FIRST — 107 countries) with 7 domains and 12 controls. The Forum of Incident Response and Security Teams (FIRST) is the leading global organization for Computer Security Incident Response Teams (CSIRTs) + Product Security Incident Response Teams (PSIRTs) + Vulnerability Coordinators + cybersecurity professionals. FIRST maintains a suite of community-developed standards + frameworks. KEY FIRST STANDARDS: (a) CSIRT SERVICES FRAMEWORK V2.1 (published 2019) - the canonical service-catalog defining 5 SERVICE AREAS + 36 SERVICES that CSIRTs deliver: Information Security Event Management; Information Security Incident Management; Vulnerability Management; Situational Awareness; Knowledge Transfer; (b) COMMON VULNERABILITY SCORING SYSTEM (CVSS) - the industry-standard vulnerability severity metric; CVSS v4.0 published 2023 with revised Base + Threat + Environmental + Supplemental metrics + Macro vector + qualitative severity rating (None/Low/Medium/High/Critical); CVSS v3.1 remains in use for prior advisories; CVSS scores feed into vulnerability management + patch prioritisation + the CISA Known Exploited Vulnerabilities (KEV) Catalog + the NVD; (c) TRAFFIC LIGHT PROTOCOL (TLP) v2.0 - the four-color information-sharing classification system (TLP:RED + TLP:AMBER + TLP:AMBER+STRICT + TLP:GREEN + TLP:CLEAR) used by CSIRTs + ISACs + vendors + governments + replaced TLP v1.0 (TLP:WHITE renamed to TLP:CLEAR in v2.0); (d) INFORMATION EXCHANGE POLICY (IEP) v2.0 - a machine-readable extension of TLP enabling automated policy-driven sharing of cyber threat intelligence; (e) MULTI-PARTY COORDINATED VULNERABILITY DISCLOSURE (MPCVD) GUIDELINES - best practices for coordinated disclosure when multiple affected vendors or affected parties exist; (f) PSIRT SERVICES FRAMEWORK - a parallel Product-team-focused service framework; (g) VULNERABILITY COORDINATION BEST PRACTICES GUIDELINES. FIRST is operated as a non-profit consortium + the standards are publicly available + freely-implementable. Coordination: FIRST standards underpin many national CSIRT regimes (US-CERT + DOE CIRC + CISA + UK NCSC + ENISA + AusCERT + JPCERT/CC + KrCERT/CC + many others) + are referenced in NIST SP 800-61 + ISO/IEC 27035 + NIS2 + CIRCIA + MITRE ATT&CK + the EU Cyber Resilience Act (CRA) vulnerability handling obligations. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FIRST CSIRT Services Framework and Standards have?
FIRST CSIRT Services Framework and Standards has 12 controls organised across 7 domains. The largest domains are FIRST: Related Standards - CVSS, TLP, IEP, MPCVD and PSIRT Services (6 controls), FIRST: CSIRT Services Framework v2.1 - Foundational and Mandate (1 controls), FIRST: Service Area 1 - Information Security Event Management (1 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FIRST CSIRT Services Framework and Standards map to?
FIRST CSIRT Services Framework and Standards maps to 60 other compliance frameworks. The top mapping partners are NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (25% coverage), FFIEC Cybersecurity Assessment Tool (CAT) (25% coverage), OWASP Top 10:2025 (17% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FIRST CSIRT Services Framework and Standards compliance?
Start your FIRST CSIRT Services Framework and Standards compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FIRST CSIRT Services Framework and Standards requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 12 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 701 frameworks.
Get Started Free →Free forever — no credit card required