NIST Publishes Interoperable SWID Tag Guidelines!

NIST-IR 8060 is final and published!

The NIST-IR 8060 document was published on Friday, April 22, 2016.

NIST, MITRE and the Dept of Homeland Security have worked together to create a set of guidelines that specify the data requirements for SWID tags from commercial software providers that will enable a number of use cases in support of the ongoing work to automate security operations.

As this document was being developed, TagVault.org and a number of large commercial software vendors reviewed the document and provided feedback to ensure that the requirements were realistic and defined in such a way that they can be easily implemented by the publisher, and provide support for additional use cases, such as those around the Software Asset Management set of use cases.

For ISV’s and software purchasing organizations – you are highly encouraged to review this document to understand both what you will be expected to provide if you create software, or what you can reference as a requirement if you purchase software.

The document, a spreadsheet of requirements specified in the document and the XML Schema for the new attributes and types can all be found here:

http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-8060

The abstract for this document doesn’t do the document justice – NIST-IR 8060 has a number of SWID tag examples, use cases on how the data can support IT processes, as well as additional attributes and types that will be integrated into the ISO standard in the near future.  The Abstract as presented in the document is:

This report provides an overview of the capabilities and usage of software identification (SWID) tags as part of a comprehensive software lifecycle. As instantiated in the International Organization for Standardization/International Electrotechnical Commission 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This report introduces SWID tags in an operational context, provides guidelines for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.

The authors of the document are:

David Waltermir – NIST
Brant A. Cheikes – MITRE
Larry Feldman – G2 Inc.
Greg Witte – G2 Inc.

The following acknowledgements for the document provide an indication of the reviewers and organizations that have an interest in seeing SWID tags benefit the end-user:

The authors would like to thank Harold Booth, Bob Byers, Christopher Johnson, and Alex J. Nelson of the National Institute of Standards and Technology (NIST); Steve Klos of TagVault.org and 1E; Christine Deal and Charles Schmidt of The MITRE Corporation; Piotr Godowski and Brian Turner of IBM; Hopeton Smalling of OQI Cares, Inc.; Sharon Hope of NASA Jet Propulsion Laboratory; and John Richardson of Veritas for their reviews and contributions of feedback to this report. The authors would also like to thank Dr. Peter Fonash and Juan Gonzalez from the U.S. Department of Homeland Security (DHS) for their ongoing support for and contributions to this report. The authors would also like to thank Jessica Fitzgerald-McKay from the National Security Agency (NSA) for supporting the development of this report.

If you have any questions about this document, please feel free to reach out to TagVault.org through the contact us web page – http://tagvault.org/about/contact-us/