Understanding the Advisory System

1. Low Condition (Green). This condition applies when there is no discernible network incident activity. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.

2. Elevated Condition (Orange). This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring. Under this condition, a careful examination of vulnerable and exposed systems is appropriate, and careful monitoring of logs is recommended. No changes to actual security infrastructure are required.

3. Severe Condition (Red). This condition applies when extreme global network incident activity is in progress. Implementing the measures in this Threat Condition for more than a short period will probably create hardship and affect the normal operations of network infrastructure.