Government organizations can join TagVault.org for free.
In the United States, Presidential Executive Order 13103 requires that all government agencies maintain accurate software inventories and comply with their software license contracts. Congress is also getting involved, essentially requiring that the Department of Homeland Security use software asset management practices in its license optimization efforts.
The Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines, or CAG) is a publication of best-practice guidelines for computer security. As its second critical control, it specifies that governmental organizations ensure they can automatically and reliably track every software title installed and used on every system, validate that each title is known and approved, and securely and independently verify its publisher.
From a security perspective, the US Federal Government has established the Security Content Automation Protocol (SCAP), which is managed by the National Institute of Standards and Technology (NIST). Unfortunately, it is difficult, if not impossible, to ensure security unless you can validate exactly what is installed on an organization's computing devices. Prior to the 19770-2 specification, this was nearly impossible to do in a cost-effective manner. With SWID tags, the tide is turning in favor of a more manageable environment.
The General Services Administration (GSA) spends millions of US taxpayer dollars every year simply to respond to data call requests from the Office of Management and Budget (OMB) when a software vendor requests an audit of the Government's use of that vendor's products. The cost is driven by the need to normalize and categorize software inventory data from multiple tools, each of which reports its data differently, before the numbers can be consolidated. This is because there was previously no standard for how software identifies itself.
There is a better way!
Software Tagging for Inventory Management and License Compliance
Maintaining a complete and accurate software inventory and checking this data against purchasing and licensing records demand automated processes. Without automation, the task is impossible, as unknown numbers of computers in the enterprise change their installed software and configurations each day.
Current discovery and SAM tools try various automated approaches to software identification, but none of these approaches provides fully accurate information, and the results are not independently tested and verified. TagVault.org is working with software publishers and tools developers to address these critical software management needs.
TagVault.org is a non-profit organization formed as a program of IEEE-ISTO. TagVault.org is the registration authority for ISO/IEC 19770-2 software identification tags (SWID tags). SWID tags are the key to automated software asset management. They are small XML files shipped and installed with software products. Discovery tools use the information contained in the tags to definitively identify installed software. Additional tools can then reconcile inventory records against purchasing and licensing data to ensure compliance.
With SWID tags in place, tools that inventory software and report on it can offer intelligence such as determining the United Nations Standard Products and Services Code® (UNSPSC) for each piece of installed software. UNSPSCs can then be used to group applications by function, simplifying accounting processes and allowing for intelligent analysis to consolidate the software in use across an organization.
Software Tagging for Software Assurance
TagVault.org-certified software identification tags support automated processes that comply with the CAG controls by allowing publishers to provide accurate application identification details together with independent and secure verification of that data. There is currently no market solution that supports automated, independent verification of software publishers and installed software to prove that the software has not been tampered with between publication and installation. With support for certified software tags, automated tools can identify installed software and validate that it comes from the advertised publisher and has not been tampered with.
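The following is an added illustration of the workflow the two preceding sections describe (discover tags, verify what they assert, reconcile against entitlements); it is example code written for this page, not TagVault.org or ISO tooling. The element and attribute names (SoftwareIdentity, Entity, role, regid, Payload, Directory, File, the SHA256:hash attribute) follow the ISO/IEC 19770-2:2015 schema as the editor recalls it, which postdates the 2009 edition this page refers to, so treat them as assumptions and check them against the published schema. The publisher regid, product name, file contents and entitlement counts are constructed for the demo.

```python
"""Added example: discover SWID tags on disk, check that the tagged payload
matches what the tag asserts, and reconcile installs against entitlements.
Example code for this page, not TagVault.org tooling."""
import hashlib
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from xml.etree import ElementTree as ET  # prefer defusedxml for tags from untrusted hosts

# Assumed 19770-2:2015 namespace and the hash-attribute namespace used in payloads.
SWID = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256 = "http://www.w3.org/2001/04/xmldsig-more#sha256"


@dataclass
class SwidRecord:
    tag_id: str
    name: str
    version: str
    creator_regid: str  # regid of the Entity carrying the softwareCreator role
    payload_ok: bool    # every File in Payload exists with the stated SHA-256


def _files(elem, prefix):
    """Yield (relative path, expected hash) for File elements, honouring nested Directory."""
    for child in elem:
        if child.tag == f"{{{SWID}}}Directory":
            yield from _files(child, os.path.join(prefix, child.get("name", "")))
        elif child.tag == f"{{{SWID}}}File":
            yield os.path.join(prefix, child.get("name")), child.get(f"{{{SHA256}}}hash")


def parse_swid_tag(xml_bytes, install_root):
    """Parse one tag and compare its payload hashes against files under install_root."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SWID}}}SoftwareIdentity":
        raise ValueError("not a SoftwareIdentity element")
    creator = ""
    for ent in root.findall(f"{{{SWID}}}Entity"):
        if "softwareCreator" in ent.get("role", "").split():
            creator = ent.get("regid", "")
    ok = True
    payload = root.find(f"{{{SWID}}}Payload")
    for rel, expected in (_files(payload, "") if payload is not None else []):
        try:
            with open(os.path.join(install_root, rel), "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
        except OSError:  # file listed in the tag is missing
            ok = False
            continue
        if expected is None or actual.lower() != expected.lower():
            ok = False
    return SwidRecord(root.get("tagId", ""), root.get("name", ""),
                      root.get("version", ""), creator, ok)


def discover(root_dir):
    """Walk root_dir for *.swidtag files; the tag's directory is taken as the install root."""
    records = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn.endswith(".swidtag"):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    records.append(parse_swid_tag(fh.read(), dirpath))
    return records


def reconcile(records, entitlements, approved_publishers):
    """entitlements: {(creator_regid, product name): licensed seat count}."""
    installed = Counter((r.creator_regid, r.name) for r in records)
    return {
        "over_deployed": {k: n - entitlements.get(k, 0)
                          for k, n in installed.items() if n > entitlements.get(k, 0)},
        "unapproved_publisher": sorted(r.tag_id for r in records
                                       if r.creator_regid not in approved_publishers),
        "payload_modified": sorted(r.tag_id for r in records if not r.payload_ok),
    }


# Constructed tag template; hypothetical publisher "Example Corp" / regid http://example.com.
TAG = """<?xml version="1.0" encoding="utf-8"?>
<SoftwareIdentity xmlns="{swid}" xmlns:SHA256="{sha}"
    name="Example Editor" version="2.1.0" tagId="{tag_id}">
  <Entity name="Example Corp" regid="http://example.com" role="tagCreator softwareCreator"/>
  <Payload><Directory name="bin"><File name="editor.bin" SHA256:hash="{digest}"/></Directory></Payload>
</SoftwareIdentity>"""


def _install(base, tag_id, binary, tamper_after=False):
    """Lay down a fake install (constructed data) and its tag; optionally modify the binary afterwards."""
    d = os.path.join(base, tag_id)
    os.makedirs(os.path.join(d, "bin"))
    with open(os.path.join(d, "bin", "editor.bin"), "wb") as fh:
        fh.write(binary)
    with open(os.path.join(d, "example-editor.swidtag"), "w") as fh:
        fh.write(TAG.format(swid=SWID, sha=SHA256, tag_id=tag_id,
                            digest=hashlib.sha256(binary).hexdigest()))
    if tamper_after:
        with open(os.path.join(d, "bin", "editor.bin"), "ab") as fh:
            fh.write(b"\x90")


def run_demo():
    """Two installs, one seat entitled, one binary modified after tagging."""
    base = tempfile.mkdtemp()
    _install(base, "host1-example-editor", b"\x7fELF-constructed")
    _install(base, "host2-example-editor", b"\x7fELF-constructed", tamper_after=True)
    entitlements = {("http://example.com", "Example Editor"): 1}
    return reconcile(discover(base), entitlements, approved_publishers={"http://example.com"})


if __name__ == "__main__":
    print(run_demo())
```

The payload check only proves that the files match what the tag says. Because the tag is itself a file the same attacker could rewrite, that check is worth nothing unless the tag carries a signature (an XML-DSig over the tag, which this example does not verify) that chains to the publisher whose regid it names; that is the independent verification the paragraph above is about.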
Software Tagging and SCAP
TagVault.org has worked with NIST and MITRE to understand the needs of the SCAP community. Through this work, an initial integration guide for the Common Platform Enumeration (CPE), a component of the SCAP standards, has been developed. This is just the start of a review and implementation effort that will allow software publishers to very easily provide exactly the information required to integrate with the SCAP standards, while also providing significant added value to their commercial and non-profit customers.
Read more about this effort in the posting on CPE integration.
How TagVault.org Helps
By acting as the registration and certification authority for SWID tags, TagVault.org serves as the foundation for new software assurance and software asset management processes that allow you to comply with presidential executive orders and CAG.
By working with software tools providers, TagVault.org helps ensure that new tools will support the requirements of government agencies and other software consumers.
TagVault.org works with government agencies to help you learn what to specify in RFP documents, and what to negotiate into software contracts to ensure you receive software that will allow software titles and publishers to be accurately and securely identified.
By working with software consumers and SAM practitioners, TagVault.org helps organizations develop processes to meet their requirements efficiently and effectively.
TagVault.org is also compiling a repository of software identification tags for legacy software applications, extending the ability to authoritatively identify software to older applications already in the market. TagVault.org also provides a central location in which members of the SAM ecosystem can share, ensuring that tools and processes evolve to meet the needs of the entire community.
Free Membership For Government Organizations
By joining TagVault.org, you gain access to the information and tools you need to validate your installed software, and automatically gather its inventory for reconciliation with licensing and purchasing records. There is no cost for government organizations to join TagVault.org. Download the membership form now.