The FIRST membership process

Version 1.32, 27 April 2005

In the following, these acronyms mean:
FSS - FIRST Secretariat Services
MC - Membership Committee
SC - Steering Committee

1. Types of Participation

There are two types of participants in the FIRST:

  • FIRST Full Members, and
  • Liaisons.

The selection and responsibilities of each type of participant are described in this framework. Throughout this framework "participant" is used when a regulation is valid for Full Members and Liaisons.

1.1 Full Members

A FIRST Full Member is a team of at least two individuals. Every Full Member is represented by a FIRST representative (see 2.2.1).

1.2 Liaisons

Individuals can participate in FIRST by applying for Liaison membership.

2.1. Nomination Acceptance Procedures

New Full Members of FIRST must be nominated by two existing Full Members. New Liaisons must be nominated by one existing Full Member. The nominating Full Members are then called "sponsors".

2.1.1. Approval Rules

Each nomination has to be approved by a 2/3 vote of all members of the Steering Committee and the nominee must pay the initial membership fee upon Steering Committee approval for membership.

After approval by the SC and payment of the initial membership fee the applying participant's status is changed from "applying" (cf. 2.1.3.) to "confirmed" (cf. 2.2.2.).

2.1.2 Mandatory Information

A proposed new FIRST participant must provide the following information in support of its nomination:

  • The name or identification of the group, organization, or individual
  • Reasons for joining the FIRST
  • Benefits to the FIRST of nominee's participation
  • All information required by the membership process, as laid out in 2.2. and Appendix A or Appendix B.

2.1.3. Application Process

To start the process of FIRST application, the applying participant and their sponsor(s) should inform FIRST Secretariat Services (FSS) that they want to join FIRST. This starts a 6-month period, which is the timeframe for the application to be successful. If the application isn't successful within that time, the process has to be started again. The applying participant will be added to the list of FIRST participants on the participant-restricted part of the FIRST website with a status of "applying". If the application isn't successful, the applying participant is removed from that list.

FSS will inform the Membership Committee (MC) and the Steering Committee (SC) about new applications, as well as all FIRST participants, after an applying participant has been added to the list of FIRST participants on the FIRST website.

For applying new Full Members a site visit is mandatory. By a 2/3 vote of the MC and the SC the site visit can be omitted, if requested by both sponsors.

2.1.4. Site visit

The site visit is an essential part of the application. Among other questions at least the following topics should be covered:

  • Get to know all team members (and not only the FIRST Representative).
  • Get to know the management.
  • Validate incident response plans or procedures, i.e. ensure that those exist and are in practice.
  • Logical and physical controls for handling of incident data and communications. This includes physical security as well as policies for information handling, etc.

View the FIRST Site Visit - Requirements and Assessment (version 2.0) in PDF format (696 KB)

2.2. The membership process

All FIRST participants are expected to meet at least the _MUST_ criteria as laid out in Appendix A and Appendix B. In order to do that, the participant will send data to the FSS, such as the filled-in Appendix A/B, PGP keys, etc. These data will have to be provided on a trusted basis.

2.2.1. Trust basis, FIRST Representative

Providing information on a trusted basis means essentially that their authenticity (and integrity) is verifiably guaranteed by somebody whose personal ID has been checked and who can prove his/her right to represent the participant and/or its parent organization. For Full Members this _MUST_ be the FIRST Representative, for Liaisons the Liaison him/herself.

2.2.2. The "confirmed" status

If the participant then meets all MUSTs within the given timeframe, and the verification of all data provided has proven okay, then FSS _MUST_ upgrade the participant's status to "confirmed" and notify the participant and the MC thereof. FSS _MUST_ ensure that all data about confirmed participants (filled in Appendix A/B, relevant crypto keys, public contact information, hyperlinks, and if applicable RFC 2350 or other additional information) as provided by the participants themselves are available on the participant-restricted parts of the FIRST website.

FSS _MUST_ also ensure that for every confirmed participant FSS states how the information involved was originally gathered, compiled and verified (including the identity and status of the authenticator from the participant and the person involved in its role) plus giving possible additional relevant OBJECTIVE remarks. This extra information serves the purpose of enabling other confirmed participants to make their own qualitative assessment regarding the information available about a participant. The essence here is that it is not FSS who decides whether a participant joins the web-of-trust, but that it's the participants themselves that decide about that. "Confirmed" status means having fulfilled several formal duties making it easy to enter the web-of-trust inmate phase - but it's not a guarantee: trust cannot be bought, it can only be earned.

2.2.3. Maintenance of "confirmed" Status

As sometimes changes will not only impact the participant's staff, or its structure, but also service levels, constituency definition, contact data, etc, a one time only verification is simply not enough: the "confirmed" status requires maintenance. The participants already know about that, since the maintenance requirement is one of the criteria they had to agree on when acquiring FIRST membership.

Polled by FSS, it is assumed that the currently available information is still current. To ensure this, the following approach is taken:

  • The information available and published about any participant _MUST_ be verified at least every six months by a joint effort of the participant and FSS. The verification is based on status updates and acknowledgements from the participant.
  • A participant _MUST_ at least reply to FSS requests regarding their status in order to maintain their "confirmed" status. Moreover, they are expected to behave more actively as mentioned below:
  • A participant _MUST_ inform FSS about any change that relates to contact or public key information within two weeks and provide the appropriate corrections. If public key information is changing, the participant SHOULD provide appropriate key revocation information.
  • A participant _MUST_ inform FSS and MC about changes that deeply impact their establishment, e.g. constituency changes, within one month and describe the approach taken to further provide its function.
  • A participant SHOULD inform FSS about other changes within the published report (notably the filled-in Appendix A/B, public contact info, availability of hyperlinks and such) within eight weeks.
  • FSS and MC _MUST_ react to complaints or reports about participants when these complaints or reports come from confirmed participants. All other sources of information are regarded as non-authoritative and the information will be handled accordingly, i.e. FSS and MC will only take this information in addition to reports from confirmed participants, but they do not have to react.

FSS _MUST_ maintain an archive containing requests, acknowledgments and other communication that results in changes of the participant's information. Whenever information is not exchanged electronically, a paper copy _MUST_ be archived or, in case of a verbal / telephone conversation, a written or electronic copy _MUST_ be created and archived.

The archive is kept at FSS and _MUST_ be accessible to the MC and the SC.

2.2.4. The "pending" status and termination of FIRST membership

If a participant verifiably does not comply with the above rules and, within a period of 3 months, does not react to subsequent FSS and MC requests stating this fact and giving a 3 months deadline, or fails to provide due content and authentication, then SC _MUST_ give the participant formal notice (by signed mail and written letter) that their FIRST membership status will expire within 3 months. FSS _MUST_ change the status of the participant to "pending". FSS will publish the expiry date on the restricted website together with the participant's data. If the participant does not react within that second 3 months period or fails to provide due content and authentication, then SC _MUST_ terminate the participant's FIRST membership and inform all FIRST participants. FSS will then change the status of the participant to "rejected". A "rejected" participant will have to reapply for Membership as explained in 2.1.3.

2.2.5. Migration process for existing participants

All FIRST participants whose status is not yet "confirmed" will get a poll by FSS to submit the mandatory and optional information, as explained in 2.2.3. The timeframe for this initial step of the then regular process is 9 months, starting in September 2004. This means that for the FIRST 2005 AGM all participants will have migrated to the new membership process, while all new participants will have already used the new membership process. (This part will be removed from the OF in June 2005)

2.3 Voluntary Termination

A participant may voluntarily resign from the FIRST at any time. The membership fee is not refundable if a participant resigns from FIRST. FSS will then change the status of the participant to "terminated". A "terminated" participant will have to reapply for Membership as explained in 2.1.3.

2.4 Suspension and Revocation

The Steering Committee will initiate membership revocation steps if any of the following conditions apply:

  • participant's status is "pending" for more than 3 months (cf. 2.2.4)
  • noncompliance with this FIRST Framework and membership process
  • failure to contribute to the purposes and goals of the FIRST
  • failure to pay the annual FIRST membership fee within the set time period
  • failure by a liaison to maintain a FIRST Full Member sponsor.

When a revocation process is begun, the participant's access to FIRST rights and facilities may be suspended. Suspension or revocation shall require a 2/3 vote of all members of the Steering Committee, with the exception of a "pending" participant, whose membership _MUST_ be terminated after 3 months (cf. 2.2.4).

The participant shall be provided an opportunity for rebuttal prior to revocation.

Lifting suspension and restoration of access to FIRST rights and facilities shall require a 2/3 vote of all members of the Steering Committee.

Participants who have their FIRST membership revoked or suspended for any reason are not entitled to a refund of their membership fee.