The FIRST membership process
Version 1.4, September 24, 2021
Also available in PDF.
Please see Annex 1 for a list of acronyms and terms.
1. Types of Participation
There are two types of participants in FIRST:
- FIRST Full Members, and
- FIRST Liaisons.
The selection and responsibilities of each type of participant are described in this framework. Throughout this framework, "participant" is used when a regulation applies to both Full Members and Liaisons.
1.1. Full Members
A FIRST Full Member is a team of at least two individuals. Every Full Member is represented by a FIRST representative (see 2.2.1).
Individuals can participate in FIRST by applying for the Liaison membership.
2. Membership Processes
2.1. Nomination Acceptance Procedures
New Full Members of FIRST must be nominated by two existing Full Members. New Liaisons must be nominated by one existing Full Member. The nominating Full Members are then called "sponsors". The primary sponsor may not be related to the applying team's host/parent organization.
2.1.1. Approval Rules
Each nomination has to be approved by a 2/3 vote of all members of the Board of Directors and the nominee must pay the initial membership fee upon Board of Directors approval for membership.
After approval by the BD the applying participant's status is changed from "applying" (cf. 2.1.3) to "confirmed" (cf. 2.2.2).
2.1.2. Mandatory Information
A proposed new FIRST participant must provide the following information in support of its nomination:
- The name or identification of the group, organization, or individual
- A statement of why you would like to join FIRST and how you plan to participate
- All information required by the membership process, as laid out in 2.2 and the online application forms.
2.1.3. Application Process
To start the FIRST application process, the applying participant and their sponsor(s) should begin the online application form and complete it within one year. If the application is not completed successfully within that time, the pending application will be deleted and the process should be started again.
The Secretariat will inform the Membership Committee (MC), the teams list and the Board of Directors (BD) about new applications that are completed by the monthly deadline.
A site visit is mandatory for applying new Full Members. The site visit can be omitted by a 2/3 vote of the MC and the BD, if requested by both sponsors.
2.1.4. Site visit
At their April 2020 meeting, the Board voted to suspend the requirement for a physical site visit for applying members until further notice. Sponsoring teams may conduct a virtual site visit. Please note the additional considerations that apply to virtual site visits.
The site visit is an essential part of the application. Among other questions, at least the following topics should be covered:
- Get to know all team members (and not only the FIRST Representative).
- Get to know the management.
- Validate incident response plans or procedures, i.e. ensure that those exist and are in practice.
- Logical and physical controls for handling of incident data and communications. This includes physical security as well as policies for information handling, etc.
Applying teams and sponsors should review the FIRST Site Visit - Requirements and Assessment (version 3.1) in PDF format and the FIRST Membership Sponsoring Process.
2.2. The membership process
All FIRST participants are expected to meet at least the MUST criteria as laid out in Full Member Form and Liaison Form.
2.2.1. Trust basis, FIRST Representative
Providing information on a trusted basis essentially means that its authenticity (and integrity) is verifiably guaranteed by somebody whose personal ID has been checked and who can prove his/her right to represent the participant and/or its parent organization. For Full Members this MUST be the FIRST Representative; for Liaisons, the Liaison him/herself.
The FIRST Representative is someone with an operational role in the team, usually the operational incident response team manager, and is responsible for:
- voting at the AGM, online and/or other meetings;
- providing updated team contact info for FIRST Portal;
- commenting on new membership applications that are posted for review;
- keeping the team roster and mailing lists current;
- reviewing e-mails to the first-reps and first-teams lists;
- ensuring that their team keeps FIRST-sensitive information confidential and follows TLP guidelines.
2.2.2. The "confirmed" status
If the participant then meets all MUSTs within the given timeframe, and the verification of all data provided has been successful, the MC will be notified. The Secretariat will verify that all required information is included on the application web form.
FSS MUST also ensure that, for every confirmed participant, FSS states how the information involved was originally gathered, compiled and verified (including the identity and status of the authenticator from the participant and the person involved in that role), and gives any additional relevant OBJECTIVE remarks. This extra information serves the purpose of enabling other confirmed participants to make their own qualitative assessment of the information available about a participant. The essence here is that it is not FSS who decides whether a participant joins the web of trust, but the participants themselves who decide about that. "Confirmed" status means having fulfilled several formal duties, which makes it easy to enter the web of trust, but it is not a guarantee: trust cannot be bought, it can only be earned.
2.2.3. Maintenance of "confirmed" Status
Because changes may affect not only the participant's staff or structure, but also its service levels, constituency definition and contact data, the "confirmed" status requires maintenance. The member agrees that:
- The information available and published on the FIRST portal is current. Members agree to verify this at least every six months in a joint effort between the participant and FSS.
- A participant MUST at least reply to FSS requests regarding their status in order to maintain their "confirmed" status. Moreover, they are expected to act more proactively, as follows:
- A participant MUST inform FSS about any change that relates to contact or public key information within two weeks and provide the appropriate corrections. If public key information is changing, the participant SHOULD provide appropriate key revocation information.
- A participant MUST inform FSS and MC about changes that deeply impact their establishment, e.g. constituency changes, within one month and describe the approach taken to further provide its function.
- A participant SHOULD inform FSS about other changes within the published report (notably the filled-in portal profile, public contact info, availability of hyperlinks and such) within eight weeks.
- FSS and MC MUST react to complaints or reports about participants when these complaints or reports come from confirmed participants. All other sources of information are regarded as non-authoritative and the information will be handled accordingly, i.e. FSS and MC will only take this information into account in addition to reports from confirmed participants, and they do not have to react to it.
FSS will maintain change logs and archive e-mail requests, acknowledgments and other communication that results in changes to the participant's information for a period of 3 years, in accordance with the FIRST data retention policy.
2.2.4. The "pending" status and termination of FIRST membership
If a participant verifiably does not comply with the above rules, the FIRST bylaws and policies, and does not react within 3 months to subsequent FSS and MC requests that state this fact and set a 3-month deadline, or fails within that period to provide the due content and authentication, then the BD MUST give the participant formal notice that their FIRST membership status will be suspended or revoked within 3 months.
FSS MUST change the status accordingly.
2.2.5. Migration process for existing participants
All FIRST participants whose status is not yet "confirmed" will get a reminder by FSS to submit the mandatory and optional information, as explained in 2.2.3.
2.3. Voluntary Termination
A participant may voluntarily resign from the FIRST at any time. The membership fee is not refundable if a participant resigns from FIRST. FSS will then change the status of the participant to "disabled". A "disabled" participant will have to reapply for Membership as explained in 2.1.3.
2.4. Suspension and Revocation
The Board of Directors will initiate membership revocation steps if any of the following conditions apply:
- non-compliance with the FIRST bylaws, this membership process or FIRST policies
- failure to contribute to the purposes and goals of the FIRST
- failure to pay the annual FIRST membership fee within the set time period
- failure by a Liaison to maintain a FIRST Full Member sponsor, i.e. when a sponsoring team withdraws the support it gave to a Liaison's application.
When a revocation process is begun, the participant's access to FIRST rights and facilities may be suspended. Suspension or revocation shall require a 2/3 vote of all members of the Board of Directors, with the exception of a "pending" participant, whose membership MUST be terminated after 3 months (cf. 2.2.4).
The participant shall be provided an opportunity for rebuttal prior to revocation.
Lifting suspension and restoration of access to FIRST rights and facilities shall require a 2/3 vote of all members of the Board of Directors.
Participants who have their FIRST membership revoked or suspended for any reason are not entitled to a refund of their membership fee.
Annex 1 - Terms and Definitions
- Candidate – The Team that wishes to become a full member of FIRST, and benefits from the sponsorship.
- Sponsors – FIRST full members in good standing, who assist (sponsor) a Candidate in becoming a FIRST team member. Two Sponsors are needed for the membership process. Only Teams can sponsor a candidate, Liaisons cannot. However, for practical reasons, for each Sponsor, one of the team representatives will formally validate the proceedings.
- Site Visit – The visit that one of the Sponsors makes to the candidate’s premises, with the goal of verifying if the candidate meets the FIRST membership requirements. In special cases, and only with explicit permission by FIRST, the Site Visit can be performed virtually instead of live, using videoconferencing tools (audio only is not permissible).
- SIM3 – "Security Incident Management Maturity Model". CSIRT maturity is an indication of how well a team governs, documents, performs, and measures its function. The maturity of a CSIRT is measured with SIM3.
- Primary Sponsor – The Sponsor that performs the Site Visit and writes the report about it.
- Secondary Sponsor – The additional Sponsor that supports both the Candidate and the Primary Sponsor.
- FIRST Secretariat Services (FSS) – The FIRST Secretariat receives the documents sent by the Candidate, validates them, and requests updates in case of discrepancies. It then updates the FIRST portal, uploads the documents, and fills in the monthly "Membership Applications Status Report" to be sent to the FIRST Membership Committee for pre-validation. Once that is achieved, the FIRST Secretariat sends the applications to the FIRST Board and, after validation, announces the new member to the FIRST community members.
- FIRST Membership Committee (MC) – Standing committee that advises FIRST on all matters related to the FIRST Membership. The MC consists of volunteers from the ranks of FIRST full and liaison members. The MC reviews membership applications, and can recommend acceptance, or ask for more information/validations, or recommend rejecting the application.
- Mentor – An MC member who helps Sponsors and Candidate throughout the process. Mentors are appointed by the FIRST Secretariat only in cases of perceived need for mentoring.
- FIRST Board of Directors (BoD) – The Board of Directors of FIRST. Elected by the members, the Board is the highest decision-making body of FIRST.
- Team Representative – A Candidate team member who will act as Representative for the Candidate team. The short name is "Team Rep". Two Team Representatives are required for each team: the "Primary Team Rep" and the "Secondary Team Rep". The Team Representative's role is to represent the whole team, especially during the Annual General Meetings (AGM) of FIRST. The Team Representative does not need to have a formal management position inside the Candidate team; it is up to the Candidate to name a proper Team Rep. However, the Team Rep should be either a member of the Team or of the hierarchy that governs the Team.