SWID Tag Signing Guidelines (Public Review)
SWID Tags are more authoritative if they cannot be modified – that requires that the tag is signed. A TagVault.org working group has specified how SWID tags need to be signed. The working group consisted of members from MITRE, NIST, Microsoft and IBM to ensure that the signing approach is secure and interoperable.
Note, there are two independently developed SWID Tag Signing tools that will be available to use as a reference model. By providing a reference model that can validate interoperability other vendors can create their own SWID Tag signing tools because they can be validated.
ISO Standards related to SAM
The following standards can be purchased from ISO, or from your country’s national body (ANSI, DIN, Standards Australia, etc). Note, 19770-5 is available as a freely downloadable standard. Also note, you may find that the NIST-IR 8060 (listed in a section below) will provide all the information you need to understand use cases and implementation of SWID tags.
- 19770-1:2012 – Processes and tiered assessment of conformance
- 19770-2:2015 – Software Identification Tag
- 19770-3:2016 – Entitlement Schema
- 19770-4:(2017) – Resource Utilization Measurement
- 19770-5:2015 – Overview and Vocabulary (freely available)
US Department of Defense
DoD indicates the standards that are required to be supported by vendors. When an RFP indicates that specific capabilities are required (in this case, Meta data must be supplied with the software), then the organization is mandated to use the standard specified (SWID tags). The next step in this process is to define policy that all software purchased by DoD must include the requirement to include metadata in every RFP.
- Defense IT Standards Registry
Multiple Agencies Working Toward Better Cybersecurity
US Government is working to provide an effective Cybersecurity data source which is built up from something called the Security Content Automation Protocol (SCAP) – which is managed by NIST. SCAP provides multiple specifications and multiple freely available resources. Much of the SCAP environment link various resources (such as software, vulnerability information, patch information, etc) using something called a Common Platform Enumerator (CPE). Unfortunately, CPE’s were not normalized and are often created by individuals, making automation more difficult. NIST is working towards using SWID tag data for the canonical representations of software and allowing significantly better automation.
- Security Content Automation Protocol (SCAP)
- National Vulnerability Database (NVD)
- NIST-IR 8060
- NIST-IR 8060 Schema for extensions
Other Related Standards and Group References
- Trusted Computing Group – IF-M Standard
- DMTF – Software Entitlement Working Group
- Minnesota User Group comments on Adobe SWID tags and SCCM