The Cyber Ontology Foundry is a community-governed initiative to develop, maintain, and coordinate a suite of open, interoperable, formally grounded ontologies for the cyber domain.

Its purpose is to support shared understanding, data integration, automated reasoning, threat analysis, cyber mission planning, incident response, compliance, vulnerability management, and AI-enabled cyber operations across government, industry, academia, and standards communities.

The cyber domain contains many important standards, schemas, taxonomies, and knowledge resources, including STIX/TAXII, ATT&CK, D3FEND, CAPEC, CVE, CWE, CPE, NIST frameworks, OSCAL, and related resources. These resources are valuable, but they were not all designed to share a common formal semantic foundation.

The Cyber Ontology Foundry provides a complementary semantic layer that helps clarify what these resources are about, how their entities relate, and how cyber data can be integrated, validated, queried, and reasoned over across systems.

The Foundry does not aim to replace existing cyber standards. It aims to make them more semantically interoperable.

The Foundry is developing:

• Shared cyber ontology content for common entities, processes, artifacts, vulnerabilities, threats, controls, observations, evidence, and claims.
• Focused ontologies for areas such as vulnerabilities, incidents, controls, threat analysis, cyber operations, assets, and observations.
• Semantic mappings to existing cyber standards and resources.
• Reusable modeling patterns for recurring cyber ontology problems.
• Transparent procedures for contribution, review, release, and maintenance.

Foundry ontologies should be:

1. Open — publicly available for reuse, review, and extension wherever possible.
2. Formalized — represented in standard machine-readable ontology languages, at minimum OWL 2.
3. Scoped — explicit about what each ontology covers and does not cover.
4. Orthogonal — avoiding unnecessary duplication across modules.
5. Identified — using stable IRIs, managed prefixes, and clear identifier policies.
6. Defined — using clear textual definitions, preferably genus-differentia definitions.
7. Validated — checked for consistency, satisfiability, and structural integrity.
8. Justified — supported by use cases, provenance, sources, and design rationale.
9. Governed — maintained by named owners under transparent procedures.
10. Reviewed — developed through issue-driven, community-visible review.
11. Versioned — released with version IRIs, changelogs, release notes, and migration guidance.
12. Engaged — responsive to community needs and evolving cyber practice.

Contributions should begin with an issue. Please use the relevant template:

• Term request
• Definition improvement
• Mapping request
• Design pattern proposal
• Bug report
• Documentation issue
• Security or sensitive content review request

All ontology contributions should include:

• The use case or competency question motivating the change
• Proposed label and definition
• Source or provenance
• Examples and counterexamples
• Relationship to existing COF terms
• Relevant external standards or mappings
• Security/sensitivity considerations

The Cyber Ontology Foundry is public by default, but cyber ontology work can raise security concerns. Contributors must not submit classified information, controlled unclassified information without authorization, proprietary content without permission, unreleased vulnerability details, exploit-enabling operational details, or personal/organizational information not suitable for public release.

Sensitive submissions should be routed through the Foundry security review process.

The Cyber Ontology Foundry is governed by a Steering Committee responsible for scope, principles, official module recognition, working groups, release approval, and public communications.

Working groups may develop proposed Foundry content, but outputs become official only after review and approval under the Foundry governance process.