SWID Tag Signing Guidelines (Public Review)

SWID Tags are more authoritative if they cannot be modified – that requires that the tag is signed.  A TagVault.org working group has specified how SWID tags need to be signed.  The working group consisted of members from MITRE, NIST, Microsoft and IBM to ensure that the signing approach is secure and interoperable.

https://tagvault.org/2017/04/26/swid-tag-signing-guidelines-open-for-public-review/

Note, there are two independently developed SWID Tag Signing tools that will be available to use as a reference model.  By providing a reference model that can validate interoperability other vendors can create their own SWID Tag signing tools because they can be validated.

ISO Standards related to SAM

The following standards can be purchased from ISO, or from your country’s national body (ANSI, DIN, Standards Australia, etc).  Note, 19770-5 is available as a freely downloadable standard.  Also note, you may find that the NIST-IR 8060 (listed in a section below) will provide all the information you need to understand use cases and implementation of SWID tags.

• 19770-1:2012 –  Processes and tiered assessment of conformance
  https://www.iso.org/standard/56000.html 
• 19770-2:2015 – Software Identification Tag
  https://www.iso.org/standard/65666.html 
• 19770-3:2016 – Entitlement Schema
  https://www.iso.org/standard/52293.html 
• 19770-4:(2017) – Resource Utilization Measurement
  https://www.iso.org/standard/68431.html 
• 19770-5:2015 – Overview and Vocabulary (freely available)
  https://www.iso.org/standard/68431.html
  http://standards.iso.org/ittf/PubliclyAvailableStandards/
  http://standards.iso.org/ittf/PubliclyAvailableStandards/c068291_ISOIEC_19770-5_2015.zip

US Department of Defense

DoD indicates the standards that are required to be supported by vendors.  When an RFP indicates that specific capabilities are required (in this case, Meta data must be supplied with the software), then the organization is mandated to use the standard specified (SWID tags).  The next step in this process is to define policy that all software purchased by DoD must include the requirement to include metadata in every RFP.

• Defense IT Standards Registry
  http://www.dsp.dla.mil/Specs-Standards/List-of-DISR-documents/

Multiple Agencies Working Toward Better Cybersecurity

US Government is working to provide an effective Cybersecurity data source which is built up from something called the Security Content Automation Protocol (SCAP) – which is managed by NIST.  SCAP provides multiple specifications and multiple freely available resources.  Much of the SCAP environment link various resources (such as software, vulnerability information, patch information, etc) using something called a Common Platform Enumerator (CPE).  Unfortunately, CPE’s were not normalized and are often created by individuals, making automation more difficult.  NIST is working towards using SWID tag data for the canonical representations of software and allowing significantly better automation.

• Security Content Automation Protocol (SCAP)
  https://scap.nist.gov/
• National Vulnerability Database (NVD)
  https://nvd.nist.gov/
• NIST-IR 8060
  (http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf )
• NIST-IR 8060 Schema for extensions
  (http://csrc.nist.gov/schema/swid/2015-extensions/swid-2015-extensions-1.0.xsd )

Other Related Standards and Group References

• Trusted Computing Group – IF-M Standard
  https://trustedcomputinggroup.org/tcg-updates-m-segmentation-enable-efficient-information-exchange/
• DMTF – Software Entitlement Working Group
  https://www.dmtf.org/standards/sewg
• Minnesota User Group comments on Adobe SWID tags and SCCM
  (https://mnscug.org/blogs/sherry-kissinger/419-gather-some-adobe-serial-numbers-and-version-using-configmgr-compliance-settings-and-hardware-inventory)