1. About this document
This document contains a description of the CSIRT Italia in accordance with RFC 2350 specification. It provides basic information about the CSIRT Italia, describes its responsibilities and the services it offers.
1.1	Date of Last Update
This is version 3, published 08/05/2023.
1.2	Distribution List for Notifications
There is no distribution channel to notify changes in this document.
Changes are announced in https://www.csirt.gov.it
1.3	Locations where this Document May Be Found
The current version of this document is available at: https://www.csirt.gov.it/rfc2350.txt
Please make sure you are using the latest version.
1.4	Authenticating this Document
This document has been signed with the CSIRT Italia's PGP/GPG key.
1.5	Document Identification
Title "CSIRT-Italia_RFC2350_EN"
Version: 3.0
Document Date: 2023-05-08
Expiration: this document is valid until superseded by a later version

2. Contact Information
2.1 Name of the Team
CSIRT: Computer Security Incident Response Team - Italia
2.2 Address
CSIRT Italia
National Cybersecurity Agency (ACN)
Via di Santa Susanna 15
00187 Roma
Italy
2.3 Time Zone
Central Europe, (GMT+1, and GMT+2 from the last Sunday of March to the last Sunday of October)
2.4 Telephone Number
Not disclosed
2.5 Fax Number
None
2.6 Other Telecommunication
The constituency of the CSIRT Italia shall communicate with the team members via the form mentioned in section 6 or via email.
2.7 Electronic Mail Address
info [at] csirt [.] gov [.] it [.]
This is an email alias that relays emails to the operator(s) on duty for the CSIRT Italia.
2.8 Public Keys and Other Encryption Information
The CSIRT Italia supports PGP/GPG encryption.
Fingerprint: 380C3534B07C9FF8A25316F4C52CA0E55A8212DE
The PGP/GPG public key is available on the official website of the CSIRT Italia, at the following address:
https://www.csirt.gov.it/pgp_key.txt
2.9 Team Members
CSIRT Italia operates as a National CSIRT. The team is made up of Cyber Security Analysts, Threat Analysts and Incident Responders.
2.10 Other Information
General information about the CSIRT Italia can be found at:
https://www.csirt.gov.it/chi-siamo
2.11 Points of Customer Contact
The preferred methods for contacting CSIRT Italia are via the form mentioned in section 6 or via email at info [at] csirt [.] gov [.] it. The mailbox is monitored during hours of operation. Please use PGP/GPG if you intend to send sensitive information. The CSIRT Italia operates 24/7 all year round, a telephone number operating 24/7 has been provided to a restricted group of users.

3. Charter
3.1 Mission Statement
The CSIRT Italia provides information and assistance to its constituency in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur.
The CSIRT Italia also ensure efficient cooperation at Union level participating in networks of CSIRTs.
3.2 Constituency
According to Law Decree n. 82/2021 the National Cybersecurity Agency (ACN) is the national cybersecurity authority and guarantees the coordination of all public stakeholders as a single cybersecurity interface. The Agency includes the function related to CSIRT Italia that operates as a National CSIRT.
The Constituency is then composed by:
- subjects included in the National Security Perimeter Law for cyber, as defined in the Legislative Decree n. 105/2019 (converted into law) and according to the Decree of the President of the Council of Ministers n. 131/2020; 
- critical IT business such as operators of essential services and digital service providers as defined in the Legislative Decree n.65/2018 (NIS Directive);
- TELCOs operators as defined in the Legislative Decree n.259/2003 and according to Ministerial Decree 12/12/2018 from Ministry of Economic Development;
- Italian Administration community: Italian Public Administration both central and local offices as defined in the Legislative Decree n.82/2005.
3.3	 Affiliation
The CSIRT Italia is part of the National Cybersecurity Agency (ACN), in which is also established the National Cyber Security Management Board (NSC) that supports the Italian Prime Minister and the Interministerial Committee for the Cybersecurity (CIC) in prevention, preparation, response and recovery activities related to national cyber crisis management.
The CSIRT Italia is part of the European CERT/CSIRT community “Trusted Introducer”.
3.4	 Authority
The CSIRT Italia's authority derives from the following legislation:
-	Decree of the president of the Council of Ministers of 17 February 2017;
-	Legislative Decree n. 65 of 18 May 2018;
-	Decree of the president of the Council of Ministers of 8 August 2019.

4. Policies
4.1	 Types of Incidents and Level of Support
The CSIRT Italia is responsible for addressing all types of computer security incidents occurring within its constituency. It can act as coordinator and facilitator for incident response or for threats with a large-scale impact at the national level.
The level of support given by the CSIRT Italia varies depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the CSIRT Italia's resources at the time.
Please note that no direct support is given to end users; they are expected to contact their system administrator, network administrator, or department head who will, in turn, be supported by the CSIRT Italia.
In case of transnational incidents, the CSIRT Italia cooperates in the CSIRTs network and acts as national technical Point of Contact (PoC). It receives and shares useful information for mitigating and solving incidents and/or coordinates the response among national and international technical counterparts.
The CSIRT Italia undertakes the task to keep its constituency updated on potential vulnerabilities, possibly before they can be exploited.
In addition, the CSIRT Italia liaises and is able to request to a matrix of other expertise and knowledge provided by other Italian government offices.
4.2 Co-operation, Interaction and Disclosure of Information
The CSIRT Italia highly regards the importance of technical and operational cooperation and information sharing among CSIRTs and other organizations which may contribute towards or make use of their services.
General incident-related information such as names and technical details is not published without agreement of the named parties. If agreed otherwise, supplied information is kept confidential.
The CSIRT Italia shares with other interested parties the information it receives, anonymized if possible, in order to solve or prevent security incidents and/or to handle specific security issues.
The CSIRT Italia may also possibly share or publish statistics related to the number of threat alerts and/or incidents, ensuring the confidentiality of its sources and providing only aggregate data and/or anonymous information.
Therefore, such information might be shared with entities such as:
-	National Cybersecurity Agency (ACN) technical experts;
-	Affected parties in out constituency;
-	Italian law enforcement agencies (if required by law or on request from information source);
-	CSIRT cooperation group.
The CSIRT Italia operates within the limits imposed by Italian and European legislation and protects sensitive information in accordance with relevant regulations and policies within Italia and the EU. In particular, the CSIRT Italia respects the sharing boundaries applied by originators of the transmitted information ("originator control") and ensures the confidentiality of its sources to the largest possible extent.
The CSIRT Italia handles and processes information in secured physical and technical environments in accordance with Italian regulations for the protection of information.
The CSIRT Italia observes the CSIRT Code of Practice.
4.3 Communication and Authentication
The preferred method for contacting the CSIRT Italia is via the notification forms mentioned in section 6. The alternative contacting method is via e-mail at: info [at] csirt [.] gov [.] it [.]
By default, all sensitive communication sent to the CSIRT Italia should be encrypted with our public PGP key detailed in Section 2.8.
CSIRT Italia recognizes and supports the TLP (Information Sharing Traffic Light Protocol).

5. Services
5.1 Incident Response
The CSIRT Italia is responsible for addressing all types of computer security incidents occurring within its constituency. CSIRT Italia provides assistance or advice with respect to the following aspects of incident management:
-	investigating the nature and the cause of the incident;
-	determining the initial cause (e.g. vulnerability exploited);
-	keeping contacts with other parties involved;
-	reporting to other CSIRTs;
-	supporting in response activities.
5.2 Proactive Activities
The CSIRT Italia provides to its constituency the following proactive services:
-	announcements;
-	security-related information dissemination;
-	security audits or assessments;
-	technology watch;
-	trend and neighborhood watch;
5.3 Reactive Activities
The CSIRT Italia provides to its constituency the following reactive services:
-	alerts and warnings;
-	forensic analysis;
-	incident analysis;
-	incident response support;
-	incident response coordination;
-	vulnerability response coordination;
- 	artifact analysis;
- 	artifact response coordination;
- 	incident response;
- 	incident response on site;
- 	vulnerability analysis;
- 	vulnerability response;

6. Incident Reporting Forms
Incident notification can be done through the form available on the public portal at the following address:
https://www.csirt.gov.it/segnalazione
In order to be able to fill in the form, the user is required to provide accurate contact information. In particular, the email address is necessary to receive the OTP code that has to be subsequently submitted to access the notification form.

7. Disclaimers
The CSIRT Italia is not responsible for any misuse of the information contained herein.