ISO IT Asset Management Standards Outreach Meeting

Date:  Thursday, November 9, 2017
Location:  Reston, VA

Overview

The ISO Working Group for IT Asset Management Standards (WG21) is holding an industry outreach day on Thursday November 9th, 2017. This event is kindly hosted by Oracle Corporation at their facility in Reston, VA.

Whether government or industry, IT Asset Management is a critical part of enterprise operations and provides the foundation for successful cybersecurity, entitlements and risk management functions.  Organizations depend on accurate, comprehensive inventory of IT assets for reducing licensing costs, tracking vulnerabilities and protecting critical systems.

The purpose of this event is to let interested representatives of US Federal, State and Local Governments, software and tool vendors, and private-sector attendees meet WG21 members, including the editors of the standards; learn about ISO developments and direction; discuss some of the ISO standards in detail; provide feedback and comments; ask questions; and network with each other.

Why should you care about Standards – read this article about some of the ways SAM Standards provide significant benefits!

Logistics

This event shall take place between 9am – 5pm at Oracle Corporation, located at 1900 Oracle Way Reston, VA 20190.

Per government regulations, lunch cannot be provided. However, a number of restaurants are available within walking distance.

Participants are responsible for their own travel, accommodations, meals, and other similar personal logistics.

There is no fee to attend this event. However, advance registration is required (please see instructions below).

Tentative Agenda

09:00am – 09:30am Opening remarks and introductions
09:30am – 10:45am Overview of ISO/WG21 & details of the current/future ITAM standards – why should you care…
10:45am – 11:00am Break
11:00am – 12:00pm SWID tagging standard (19770-2) – detailed walkthrough
12:00pm – 01:30pm Lunch break (no organized lunch)
01:30pm – 02:30pm SWID tagging standard – industry adoption/TagVault overview
02:30pm – 03:45pm Case studies shared by participants
03:45pm – 04:00pm Break
04:00pm – 05:00pm Q&A with WG21 members, closing remarks

Registration

Please register for this event in the form below.

Advance registration is required. Registration will close on November 8 at 12 PM Eastern.

Contact

For any questions, suggestions, or comments, please contact both of the following individuals:

  • Steve Klos, Executive Director of TagVault, stevek@tagvault.org
  • Ron Brill, Convenor of WG21, ronb@anglepoint.com

ISO SAM Standard Talking Points

Exec Summary:

The 19770 family of standards provides a new way of addressing existing critical problems in two areas: IT management, where the standards enable the creation and management of lean, right-sized and effective infrastructures; and cybersecurity, where they enable an accurate hardware and software inventory to be taken and up-to-date patch status to be managed and maintained.

Current SAM tool vendors may or may not welcome these standards, because they level the playing field for software recognition, handling of vendor licensing entitlements and usage tracking: proprietary recognition data will no longer be required.

Likewise, software vendors may or may not embrace these standards.  In most cases, allowing customers to buy right, true up easily, and know their license position immediately and automatically is good for keeping customer satisfaction rates high.  However, some software vendors prefer an audit-centric approach to license compliance.

In both cases, customers documenting requirements to support the SAM standards will cause the industry to move towards their utilization.

The following are a few high-level talking points for organizations looking to understand how the SAM standards can benefit their organization.

Discussion Points:

There are 3 core scenarios covered below.  Obviously, there is some overlap between these scenarios and there are quite a few additional scenarios that would benefit from the use of the ISO SAM standards.

Software Asset Management (SAM)

  • Organizations need to know what software products are installed where (including at what revision/version/patch level) etc., to manage these assets. Software ID (SWID) Tags (19770-2) provide identification of what software products are found on a computer or device, including their relationship to other software components, who the publisher is, etc.
  • Organizations must be able to work with normalized data that is consistent across any IT tools used within the organization. Currently, most inventory and discovery tools use their own proprietary recognition catalogs to normalize to details that work for their tools, but are not generally usable by other tools.  By having vendors provide canonical details for software products, all IT tools will be working with the same exact data and data can be shared and utilized across different toolsets.
  • Utilization monitoring, reporting, and management (not just what is installed but how much it is being used or not used) is aided by Software ID (SWID) Tags (19770-2) and Resource Utilization Measurement (RUM) tags (19770-4). This enables scenarios such as right sizing licensing, ensuring effective utilization of resources, and “pay by use” licensing scenarios.
  • Patch management is aided by knowing which endpoints have which software products on them (from SWID tags), so that potentially needed patches or updates can be identified. This includes feature updates but also critical security updates. SWID tags paired with RUM data can uniquely identify each asset and show whether it is in use, which could allow automated patch management in scenarios where that is appropriate.

License Management / Reconciliation

  • SWID Tags (19770-2) identify what software is running on what endpoints.
  • Entitlement information structured according to the standard entitlement schema (19770-3), used in conjunction with SWID tags, helps an organization “true up” what it is licensed to use against what is actually installed and used (either a surplus over, or a deficit against, the licensed quantity).
  • This greatly helps audit and compliance work, which can otherwise be extremely manual and time consuming.
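The reconciliation described in the two lists above, as an added example that is not part of the original page or of any TagVault.org or WG21 tooling: it parses constructed 19770-2:2015 tags collected from a few endpoints, counts one install per endpoint per product (skipping patch, corpus and supplemental tags, which do not represent a licensable installation), and compares the result with a per-device entitlement count. The `INVENTORY` and `ENTITLEMENTS` data, the product names and the `example.com` regid are all constructed for the example; a real 19770-3 Ent record carries far more than a single count.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
NS = {"swid": SWID_NS}


def make_tag(name, version, tag_id, **flags):
    """Constructed minimal 19770-2:2015 tag; flags are the patch/corpus/supplemental booleans."""
    extra = "".join(f' {flag}="true"' for flag, on in flags.items() if on)
    return (
        f'<SoftwareIdentity xmlns="{SWID_NS}" name="{name}" version="{version}" '
        f'tagId="{tag_id}"{extra}>'
        '<Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>'
        "</SoftwareIdentity>"
    )


# Constructed inventory: endpoint -> tags collected from it (hypothetical product names).
INVENTORY = {
    "ws-01": [
        make_tag("Example Editor", "4.1.0", "example.com-Editor-4.1.0"),
        make_tag("Example Editor Hotfix 1", "4.1.1", "example.com-Editor-HF1", patch=True),
        make_tag("Example Scanner", "2.0", "example.com-Scanner-2.0"),
    ],
    "ws-02": [  # two versions side by side: still one device for a per-device licence
        make_tag("Example Editor", "4.1.0", "example.com-Editor-4.1.0"),
        make_tag("Example Editor", "4.0.2", "example.com-Editor-4.0.2"),
    ],
    "ws-03": [  # a corpus tag describes installation media, not an installation
        make_tag("Example Editor", "4.1.0", "example.com-Editor-4.1.0-media", corpus=True),
        make_tag("Example Scanner", "2.0", "example.com-Scanner-2.0"),
    ],
    "srv-01": [make_tag("Example Scanner", "2.0", "example.com-Scanner-2.0")],
}

# Constructed per-device entitlements keyed by (softwareCreator regid, product name).
ENTITLEMENTS = {
    ("example.com", "Example Editor"): 3,
    ("example.com", "Example Scanner"): 2,
    ("example.com", "Example Archiver"): 1,
}


def parse_tag(xml_text):
    """Pull the identification fields a reconciliation needs out of one SWID tag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element")
    creator = None
    for entity in root.findall("swid:Entity", NS):
        if "softwareCreator" in entity.get("role", "").split():
            creator = entity.get("regid")
            break

    def flag(name):
        return root.get(name, "false") in ("true", "1")

    return {
        "name": root.get("name"),
        "version": root.get("version"),
        "tagId": root.get("tagId"),
        "creator": creator,
        "primary": not (flag("patch") or flag("corpus") or flag("supplemental")),
    }


def reconcile(inventory, entitlements):
    """Installed count (distinct endpoints with a primary tag) versus licensed count per product."""
    endpoints_by_product = defaultdict(set)
    for endpoint, tags in inventory.items():
        for tag in map(parse_tag, tags):
            if tag["primary"]:
                endpoints_by_product[(tag["creator"], tag["name"])].add(endpoint)
    report = {}
    for product in set(endpoints_by_product) | set(entitlements):
        installed = len(endpoints_by_product.get(product, ()))
        licensed = entitlements.get(product, 0)
        # delta > 0: surplus (shelfware); delta < 0: deficit, a compliance finding
        report[product] = {"installed": installed, "licensed": licensed, "delta": licensed - installed}
    return report


def deficits(report):
    """Products installed on more endpoints than are licensed, worst first."""
    return sorted((p for p, r in report.items() if r["delta"] < 0), key=lambda p: report[p]["delta"])


if __name__ == "__main__":
    for product, row in sorted(reconcile(INVENTORY, ENTITLEMENTS).items()):
        print(f"{product[1]:<18} installed={row['installed']} licensed={row['licensed']} delta={row['delta']:+d}")
```

The product key is (softwareCreator regid, product name) rather than `tagId`, because a tagId changes with every release while an entitlement normally spans versions; a different licence metric (per core, per user) would need a different counting rule and the corresponding 19770-3 metric data.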

Cybersecurity endpoint threat monitoring

  • SWID tags (19770-2) augmented with authoritative file manifests from the publisher provide a more complete picture of not only THAT a software product is installed on a computer or device (network endpoint) but also WHAT that product contains in sufficient detail to aid in threat assessment.
  • Publishers can associate SWID Tags with their provided full file manifest (including file hashes for integrity verification) of the files which should be present.
  • This helps in security endpoint monitoring, as the “known good” files list can significantly shrink the full list of files found on an endpoint which need to be analyzed for potential vulnerability.
  • This also enables critical security patch management scenarios.
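The known-good file check described in the list above, as an added example that is not the page's own code or any publisher's tooling. The publisher side builds a primary tag whose Payload lists each installed file with its size and `SHA256:hash` (the hash-attribute namespace `http://www.w3.org/2001/04/xmlenc#sha256` is the one used in 19770-2:2015 tags); the endpoint side re-hashes the install directory against that manifest and reports each file as ok, modified, missing or unknown, the last being the files left over for analysis. The install tree, file contents and product names are constructed in a temporary directory by `run_demo`.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"  # namespace of the SHA256:hash attribute
HASH_ATTR = f"{{{SHA256_NS}}}hash"
NS = {"swid": SWID_NS}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_tag(name, version, tag_id, install_root):
    """Publisher side: a primary tag whose Payload lists every file under install_root with its hash."""
    def walk(dir_path):
        parts = []
        for entry in sorted(os.listdir(dir_path)):
            full = os.path.join(dir_path, entry)
            if os.path.isdir(full):
                parts.append(f"<Directory name={quoteattr(entry)}>{walk(full)}</Directory>")
            else:
                parts.append(f'<File name={quoteattr(entry)} size="{os.path.getsize(full)}" '
                             f'SHA256:hash="{sha256_file(full)}"/>')
        return "".join(parts)

    return (
        f'<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}" '
        f"name={quoteattr(name)} version={quoteattr(version)} tagId={quoteattr(tag_id)}>"
        '<Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>'
        f"<Payload>{walk(install_root)}</Payload></SoftwareIdentity>"
    )


def manifest(tag_xml):
    """Flatten Payload/Directory/File into {relative path: sha256 or None}."""
    files = {}

    def walk(elem, prefix):
        for child in elem:
            local = child.tag.rsplit("}", 1)[-1]
            rel = f"{prefix}/{child.get('name')}" if prefix else child.get("name")
            if local == "Directory":
                walk(child, rel)
            elif local == "File":
                files[rel] = child.get(HASH_ATTR)

    payload = ET.fromstring(tag_xml).find("swid:Payload", NS)
    if payload is not None:
        walk(payload, "")
    return files


def verify_install(tag_xml, install_root):
    """Endpoint side: ok / modified / missing / unverified (no hash in tag) / unknown (not in tag)."""
    expected = manifest(tag_xml)
    on_disk = set()
    for dirpath, _dirs, names in os.walk(install_root):
        for filename in names:
            rel = os.path.relpath(os.path.join(dirpath, filename), install_root)
            on_disk.add(rel.replace(os.sep, "/"))
    result = {}
    for rel, digest in expected.items():
        if rel not in on_disk:
            result[rel] = "missing"
        elif digest is None:
            result[rel] = "unverified"
        elif sha256_file(os.path.join(install_root, *rel.split("/"))).lower() == digest.lower():
            result[rel] = "ok"
        else:
            result[rel] = "modified"
    for rel in on_disk - set(expected):
        result[rel] = "unknown"  # not vouched for by the publisher: left for analysis
    return result


def run_demo():
    """Constructed scenario: a clean install, then one file tampered, one removed, one dropped in."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)

        put("editor.bin", b"\x7fELF constructed binary")
        put("lib/helper.so", b"\x7fELF constructed library")
        put("README.txt", b"constructed readme")
        tag = build_tag("Example Editor", "4.1.0", "example.com-Editor-4.1.0", root)
        clean = verify_install(tag, root)
        put("lib/helper.so", b"\x7fELF trojaned library")     # modified
        os.remove(os.path.join(root, "README.txt"))             # missing
        put("lib/dropper.so", b"\x7fELF not in the manifest")  # unknown
        dirty = verify_install(tag, root)
    return clean, dirty


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), run_demo()):
        print(label, report)
```

The manifest is only as trustworthy as the tag it came from, so in practice `verify_install` should run on a tag whose signature has already been checked; an attacker who can rewrite the tag can rewrite the hashes with it.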

TagVault.org publishes Software Identification (SWID) Tag Signing Guidelines for Software Security and Compliance with the U.S. Department of Defense Mandate

Piscataway, NJ – 11 September 2017 – TagVault.org, the neutral not-for-profit clearing house for software tagging, primarily focused on software identification tags and related standards in the ISO/IEC 19770 family, today announces the public availability of its SWID Tag Signing Guidelines.  This document defines the best practice for signing SWID tags in accordance with common industry standards.  When digitally signing SWID tags, software publishers/providers will, at minimum, follow the W3C XMLDSig recommendation, embed the signature in the tag as an enveloped signature that identifies the signing entity, and add a timestamp per the XAdES-T profile.

The SWID tag signing guidelines were drafted with the needs of implementers in mind, but all members of the software ecosystem (publishers, tool vendors, service providers and end users) will find them useful.  When tags are signed and thus verifiable as being from an authoritative entity, they aid organizations in managing software assets, assessing and remediating security issues, supporting forensics and improving licensing accountability.  Signed SWID tags provide high value via trusted data.
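What the enveloped-signature requirement means in practice, as an added example that is not TagVault.org's guideline text or signing tool. The signer computes the Reference digest of the tag with the `ds:Signature` element removed and envelopes a `ds:Signature` skeleton in the tag; the verifier checks that the Reference has `URI=""` and the enveloped-signature transform, then recomputes the digest. Two assumptions are labelled in the code: Python's built-in C14N 2.0 stands in for the canonicalization algorithm a real `SignedInfo` would name, and `SignatureValue` is left as a placeholder, since computing and checking it (and the XAdES-T timestamp) needs the publisher's key, an XMLDSig library and validation of the signer's certificate. A matching digest shows only that the tag is internally consistent, not that a trusted publisher signed it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N2_URI = "http://www.w3.org/2010/xml-c14n2"  # assumption: C14N 2.0, which the stdlib implements
SIG_TAG = f"{{{DSIG_NS}}}Signature"
NS = {"ds": DSIG_NS}

# Constructed unsigned tag; the comment marks where the signer envelopes ds:Signature.
UNSIGNED_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Editor" version="4.1.0" tagId="example.com-Editor-4.1.0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <!--SIGNATURE-->
</SoftwareIdentity>"""


def reference_digest(tag_xml):
    """Base64 SHA-256 over the canonicalised tag with any ds:Signature dropped: what a
    Reference with URI="" plus the enveloped-signature transform covers."""
    canonical = ET.canonicalize(tag_xml, strip_text=True, exclude_tags=[SIG_TAG])
    return base64.b64encode(hashlib.sha256(canonical.encode("utf-8")).digest()).decode("ascii")


def embed_signature(tag_xml, signature_value="PLACEHOLDER"):
    """Signer side. SignatureValue stays a placeholder: producing it needs the publisher's
    private key and an XMLDSig library, and XAdES-T adds a timestamp token on top."""
    signature = (
        f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignedInfo>'
        f'<ds:CanonicalizationMethod Algorithm="{C14N2_URI}"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="">'
        f'<ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms>'
        f'<ds:DigestMethod Algorithm="{SHA256_URI}"/>'
        f"<ds:DigestValue>{reference_digest(tag_xml)}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
        f"<ds:SignatureValue>{signature_value}</ds:SignatureValue></ds:Signature>"
    )
    return tag_xml.replace("<!--SIGNATURE-->", signature)


def check_reference(signed_xml):
    """Verifier side: does the enveloped Reference still match the tag content?
    Internal consistency only; trust comes from checking SignatureValue against the
    signer's certificate chain, which is not done here."""
    signature = ET.fromstring(signed_xml).find("ds:Signature", NS)
    if signature is None:
        return False
    reference = signature.find("ds:SignedInfo/ds:Reference", NS)
    if reference is None or reference.get("URI") != "":
        return False  # must cover the whole document, not a fragment
    transforms = {t.get("Algorithm") for t in reference.findall("ds:Transforms/ds:Transform", NS)}
    if ENVELOPED not in transforms:
        return False  # without the transform the digest would have to cover the signature itself
    method = reference.find("ds:DigestMethod", NS)
    if method is None or method.get("Algorithm") != SHA256_URI:
        return False
    stated = (reference.findtext("ds:DigestValue", namespaces=NS) or "").strip()
    return stated == reference_digest(signed_xml)


if __name__ == "__main__":
    signed = embed_signature(UNSIGNED_TAG)
    print("intact tag:", check_reference(signed))
    print("edited tag:", check_reference(signed.replace('version="4.1.0"', 'version="4.1.1"')))
```

The verifier rejects a Reference that points at a fragment or lacks the enveloped-signature transform before comparing any digest, because a signature that covers only part of the tag (or that the signer could not have computed) is worthless even when its `SignatureValue` validates.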

Software end users benefit from SWID tags; the efficiencies that SWID tags bring to IT operations drive down costs and improve security. NIST has also been working to enhance the SWID tag standards and to promote their use as building blocks in security management. The U.S. Department of Defense has mandated the inclusion of SWID tags, and organizations like MITRE and the IEEE Clean File Metadata eXchange (CMX) team recognize the benefits of SWID Tags.  CMX identifies “clean” files from verified software sources and SWID tags provide an excellent platform for automating CMX data submission.

TagVault.Org Board Director, Mark Kennedy, Symantec notes, “By working together with the CMX team, publishers providing this information in their SWID tags provide a high value to security companies.  This data allows security companies to differentiate commercially published and known files from potential malware threats and allows the automation of data population in the CMX repository in a secure and efficient manner.”

Download your copy of the guidelines.

About TagVault.Org

TagVault.org is a Federation Member Program of the IEEE Industry Standards and Technology Organization (ISTO) and publishes its bylaws for public access. The TagVault.Org Board of Directors includes Microsoft, IBM, Symantec and the Department of Homeland Security. Organizations interested in joining TagVault.org can download the membership packet from www.tagvault.org.

###

Media Contact

Steve Klos

Executive Director, TagVault.org

+1 732 562-6031

stevek@tagvault.org

IAITAM Reference Material – 2017

SWID Tag Signing Guidelines (Public Review)

SWID tags are more authoritative when tampering with them can be detected, which requires that each tag be digitally signed.  A TagVault.org working group has specified how SWID tags need to be signed.  The working group consisted of members from MITRE, NIST, Microsoft and IBM, to ensure that the signing approach is both secure and interoperable.

https://tagvault.org/2017/04/26/swid-tag-signing-guidelines-open-for-public-review/

Note that two independently developed SWID tag signing tools will be available to use as a reference model.  A reference model that can validate interoperability lets other vendors create their own SWID tag signing tools and confirm that the tags they produce verify correctly.

ISO Standards related to SAM

The following standards can be purchased from ISO, or from your country’s national body (ANSI, DIN, Standards Australia, etc).  Note, 19770-5 is available as a freely downloadable standard.  Also note, you may find that the NIST-IR 8060 (listed in a section below) will provide all the information you need to understand use cases and implementation of SWID tags.

US Department of Defense

DoD specifies the standards that vendors are required to support.  When an RFP states that a specific capability is required (in this case, that metadata must be supplied with the software), the vendor is mandated to use the standard specified (SWID tags).  The next step in this process is to define policy so that every DoD RFP for software purchases includes the requirement to supply this metadata.

Multiple Agencies Working Toward Better Cybersecurity

The US Government is working to provide an effective cybersecurity data source built on the Security Content Automation Protocol (SCAP), which is managed by NIST.  SCAP provides multiple specifications and multiple freely available resources.  Much of the SCAP environment links various resources (software, vulnerability information, patch information, etc.) using Common Platform Enumeration (CPE) names.  Unfortunately, CPE names are not normalized and are often hand-created by individuals, making automation more difficult.  NIST is working towards using SWID tag data as the canonical representation of software, allowing significantly better automation.

Other Related Standards and Group References

TagVault.Org announces that the Department of Defense (DoD) IT Standards Registry now lists Software ID Tags, as defined in ISO/IEC Standard 19770-2, as MANDATORY

Software companies hoping to bid on government contracts in the future must now add standards-based software ID tags to their software.

Piscataway, NJ – 10 November 2016 TagVault.org Board Chair, Michael Godsey of Microsoft notes that, “Seeing ISO/IEC standard 19770-2 listed as a mandatory standard on the DoD IT Standards Registry provides concrete proof to the software publishing industry that SWID tags are a priority. TagVault.org is proud to be the industry alliance leader in bringing all the 19770-2 and the National Institute of Standards and Technology Internal Report 8060 requirements together for the creation and validation of Software ID tags (SWID).”

TagVault.org is the neutral, not-for-profit leading the way on developing the standard for SWID tags. The DoD IT Standards Registry listing all requirements is available here. The DoD IT Standards Registry now lists ISO/IEC 19770-2 as a mandatory standard.  The objective of ISO/IEC 19770-2 is to give organizations of all sizes the information they need to minimize the risks and costs of IT Asset Management (ITAM).

While SWID tags are not a new concept in the industry, advancements in security and software asset tracking require a new level of standard. SWID tags, and the utilities to create and sign them, are used by security software and asset tracking software to identify the software installed on any given system or across a network. By identifying and authenticating the software in a standard way, the standard adds another layer of safety to the system, and saves time and energy by eliminating the computing overhead for servers in datacenters and clouds. The standard also reduces costs for software and cyber security companies, which no longer have to spend development cycles creating, advancing and maintaining proprietary solutions. Companies like Microsoft, IBM, and Symantec are at the forefront of this movement, and are part of the TagVault.Org organization.

TagVault.org is the neutral not-for-profit validation authority for software tagging, primarily focused on software identification tags (as specified by ISO/IEC 19770-2) and software entitlement tags (as specified by ISO/IEC 19770-3). TagVault.org provides a shared library of software tools, technical knowledge and communications forums that decrease the costs of creating, managing and using software identification tags.

NIST Publishes Interoperable SWID Tag Guidelines!

NIST-IR 8060 is final and published!

The NIST-IR 8060 document was published on Friday, April 22, 2016.

NIST, MITRE and the Dept of Homeland Security have worked together to create a set of guidelines that specify the data requirements for SWID tags from commercial software providers that will enable a number of use cases in support of the ongoing work to automate security operations.

As this document was being developed, TagVault.org and a number of large commercial software vendors reviewed the document and provided feedback to ensure that the requirements were realistic and defined in such a way that they can be easily implemented by the publisher, and provide support for additional use cases, such as those around the Software Asset Management set of use cases.

For ISVs and software purchasing organizations: you are highly encouraged to review this document to understand both what you will be expected to provide if you create software, and what you can reference as a requirement if you purchase software.

The document, a spreadsheet of requirements specified in the document and the XML Schema for the new attributes and types can all be found here:

http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-8060

The abstract for this document doesn’t do the document justice – NIST-IR 8060 has a number of SWID tag examples, use cases on how the data can support IT processes, as well as additional attributes and types that will be integrated into the ISO standard in the near future.  The Abstract as presented in the document is:

This report provides an overview of the capabilities and usage of software identification (SWID) tags as part of a comprehensive software lifecycle. As instantiated in the International Organization for Standardization/International Electrotechnical Commission 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This report introduces SWID tags in an operational context, provides guidelines for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.

The authors of the document are:

David Waltermire – NIST
Brant A. Cheikes – MITRE
Larry Feldman – G2 Inc.
Greg Witte – G2 Inc.

The following acknowledgements for the document provide an indication of the reviewers and organizations that have an interest in seeing SWID tags benefit the end-user:

The authors would like to thank Harold Booth, Bob Byers, Christopher Johnson, and Alex J. Nelson of the National Institute of Standards and Technology (NIST); Steve Klos of TagVault.org and 1E; Christine Deal and Charles Schmidt of The MITRE Corporation; Piotr Godowski and Brian Turner of IBM; Hopeton Smalling of OQI Cares, Inc.; Sharon Hope of NASA Jet Propulsion Laboratory; and John Richardson of Veritas for their reviews and contributions of feedback to this report. The authors would also like to thank Dr. Peter Fonash and Juan Gonzalez from the U.S. Department of Homeland Security (DHS) for their ongoing support for and contributions to this report. The authors would also like to thank Jessica Fitzgerald-McKay from the National Security Agency (NSA) for supporting the development of this report.

If you have any questions about this document, please feel free to reach out to TagVault.org through the contact us web page – http://tagvault.org/about/contact-us/

SAVE THE DATE – April 26-27 – SWID Tag Implementation Workshop!

Invitation to the Workshop on Software Identification (SWID) Tag Implementation
Hosted by the National Institute of Standards and Technology (NIST) on
26-27 April 2016, in Rockville, MD

The National Institute of Standards and Technology (NIST) is pleased to announce a workshop on Software Identification (SWID) Tag Implementation and Use. This event will be held from 9:00 a.m. to 5:00 p.m. on 26 April and 9:00 a.m. to 3:00 p.m. on 27 April at the National Cybersecurity Center of Excellence (NCCoE), 9700 Great Seneca Highway, Rockville, MD.

Strengthening the security and resilience of United States Government (USG) civilian and military networks and critical infrastructure is a top national priority. If broadly implemented by software providers, SWID tags promise to significantly enhance the ability of USG departments and agencies to rapidly and accurately characterize the software assets discovered to be present within their enterprise networks. In turn, this will facilitate efforts to reduce vulnerabilities in our information technology systems and prevent future attacks. In addition to their value for cybersecurity, SWID tags will also help USG departments and agencies improve their ability to track and manage software licenses, thereby reducing cost and increasing efficiency.

The SWID tag effort aligns with the President’s 2016 Federal Cybersecurity Research and Development Strategic Plan, which was released on February 5, 2016. The plan challenges the cybersecurity research and development (R&D) community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. Use of SWID tags in this context helps to provide the information necessary for tools to ensure that software is updated, resulting in fewer exploitable vulnerabilities, and that software integrity can be measured to detect and prevent software tampering.

The goal of the workshop is to assemble a broad audience of SWID tag creators, users, and stakeholders to actively participate in engineering-level discussions on various topics relative to SWID tags, including implementation challenges. The agenda, while still under development, will be comprised of detailed technical topics culled from the guidelines within the NIST Interagency Report (IR) 8060, “Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.” We plan to cover some or all of the following topics:

  • SWID tag 101 (general overview of SWID tags)
  • Digital signing of SWID tags
  • Internationalization of SWID tags
  • Provision of payload and evidence elements of SWID tags
  • Distribution mechanisms for SWID tags
  • Implementation of patch and corpus tags

We encourage your feedback regarding the proposed topics and welcome additional topic ideas. Please send your ideas and feedback to us at nistir8060-comments@nist.gov.

It is recommended that participants attending the workshop be familiar with NIST IR 8060. The fourth public draft can be found here: http://csrc.nist.gov/publications/drafts/nistir-8060/nistir_8060_draft_fourth.pdf. The final report is expected to be ready by early March.

Conference registration and attendance will be free of charge, but advance registration will be required.  You can register at this URL – https://register.mitre.org/swid/.

If you have questions about this workshop, or would like to contact someone for more information, please send your request to nistir8060-comments@nist.gov.

19770-3 is approved to move to publication!

The Final Draft of the international standard, ISO/IEC 19770-3, was approved by the international community in February 2016.  This means that the standard moves to an ISO editorial process to ensure it meets all formatting, editorial and other documentation requirements.  The standard will be published soon.

When published, the front matter of the standard can be found here – https://www.iso.org/obp/ui/#search.  Just type in 19770-3 and click on the standard to see the first few sections of the standard.

In the meantime, the following is the introduction to the standard.  The following material is from the ISO/IEC 19770-3 standard and is provided for reference only.  Some text may change prior to the standard being published, so this is informational only.

Introduction to ISO/IEC 19770-3 From the Standard

This part of ISO/IEC 19770 provides a technical definition of a schema that can encapsulate the details of software entitlements, including usage rights, limitations and metrics.

The primary intentions of this part of ISO/IEC 19770 are

  1. to provide a basis for common terminology to be used when describing entitlement rights, limitations and metrics, and
  2. to provide a schema which allows effective description of rights, limitations and metrics attaching to a software license.

The specific information provided by an entitlement schema (Ent) may be used to help ensure compliance with license rights and limits, to optimize license usage and to control costs. Though Ent creators are encouraged to provide the data that allow for the automatic processing, it is not mandated that data be automatically measurable. The data structure is intended to be capable of containing any kind of terms and conditions included in a software license agreement.

This part of ISO/IEC 19770 supports software asset management (SAM) processes as defined in ISO/IEC 19770-1. It is also designed to work together with software identification tags as defined in ISO/IEC 19770-2. Standardization in the field of software entitlements provides uniform, measurable data for both the license compliance, and license optimization, processes of SAM practice.

This part of ISO/IEC 19770 does not provide requirements or recommendations for processes related to software asset management or Ents. The software asset management processes are within the scope of ISO/IEC 19770-1.

This part of ISO/IEC 19770 has been developed with the following practical principles in mind.

  • Maximum possible usability with legacy entitlement information. The Ent, or software entitlement schema, is intended to provide the maximum possible usability with existing entitlement information, including all historical licensing transactions. While the specifications provide many opportunities for improvement in entitlement processes and practices, they should also be able to handle existing licensing transactions without imposing requirements which would prevent such transactions being codified into Ent records.
  • Maximum possible alignment with ISO/IEC 19770-2. This part of ISO/IEC 19770 (entitlement schema) is intended to align closely with part ISO/IEC 19770-2 (software identification tags). This should facilitate both understanding and their joint use.

It is intended that this standardized schema will be of benefit to all stakeholders involved in the creation, licensing, distribution, release, installation and ongoing management of software and software entitlements.

  • Benefits to software licensors who provide Ents include, but are not limited to:
    • immediate software consumer recognition of details of the usage rights derived from their software entitlement;
    • ability to specify details to customers that allow software assets to be measured and reported for license compliance purposes;
    • increased awareness of software license compliance issues on the part of end-customers;
    • improved software consumer relationships through quicker and more effective license compliance audits.
  • Benefits to SAM tool providers, deployment tool providers, resellers, software packagers and release managers include, but are not limited to:
    • receipt of consistent and uniform data from software licensors and Ent creators;
    • more consistent and structured entitlement information, supporting the use of automated techniques to determine the need for remediation of software licensing;
    • improved reporting from additional categorization made possible by the use of Ents;
    • improved SAM tool entitlement reconciliation capabilities resulting from standardization in location and format of software entitlement data;
    • ability to deliver value added functionality for compliance management through the consumption of entitlement data.
  • The benefits for software consumers, SAM practitioners, IT support professionals and end-users include, but are not limited to:
    • receipt of consistent and uniform data from software licensors, resellers and SAM tools providers;
    • more consistent and structured entitlement information supporting the use of automated techniques to determine the need for remediation of software licensing;
    • improved reporting from additional categorization made possible by the use of Ents;
    • improved SAM and software license compliance capabilities stemming from standardized, software licensor-supplied, ISO/IEC 19770-2 software identification tags to reconcile with these Ents;
    • improved ability to avoid software license under-procurement or over-procurement with subsequent cost optimization;
    • standardized usage across multiple platforms, rendering heterogeneous computing environments more manageable.

SWID Tag Signing Working Group

If you’re interested in participating in the SWID tag signing working group, log in to your members page and add your name to the working group there.  If you need details on how to get to the members area, let Jane or Steve know and we’ll be happy to provide the information you need.  If you don’t have our e-mail addresses, please let us know via the Contact Us page.

The Charter for the Tag Signing Working Group is shown below:

Charter for Tag Signing Working Group

  1. This charter is for a ‘Working Group’ (‘WG’) which is acting on behalf of TagVault.org and which shall have primary responsibility for developing interoperability guidance and supporting documentation for SWID tag implementers and users that details how tags should be digitally signed and validated.
  2. The Chairperson of the WG (‘Chair’) shall be Brant Cheikes.
  3. Participation in the WG shall be open to the following:
    • All members of TagVault.org.
    • Non-members of TagVault.org who are both (a) working on behalf of a member of TagVault.org, and (b) providing unique technical expertise to the WG’s design and decision-making activities.
    • WG membership composition: The Chair of the WG shall agree on the final composition of the WG along with the Executive Director of TagVault.org. All members of the WG will be required to remain active and contribute meaningful content to the WG in order to maintain their membership status.
  4. Copyright in all work products developed by the WG shall be held by IEEE-ISTO on behalf of TagVault.org, a program of IEEE-ISTO as specified in the TagVault.org membership agreement.
  5. The process by which the working group operates is defined in Article 8 of the TagVault.org bylaws which are available on the TagVault.org website.
  6. The names and contact information of all members of the WG shall be openly shared within the WG subject to members’ acknowledgement that such information shall be used for committee purposes only.
  7. The Chair shall be able to organize work in such ways as considered appropriate, including physical meetings, conference calls, and other forms of virtual collaboration. There shall be no minimum period of notification for calling a meeting of the WG except that reasonable care should be taken to obtain a consensus of WG members when scheduling meetings.
  8. The main work expected to be completed is the following, although this is subject to revision by the WG:
    • Specification of technical procedures for digitally signing and certifying SWID tags
    • Specification of technical procedures for validating SWID tag digital signatures
    • Preparation of interoperability guidance and supporting documentation for SWID tag implementers and users that details how tags should be digitally signed and validated
  9. In the event of any problems or omissions in this charter or in the activity of the WG, in the first instance reference shall be made to the Executive Director of TagVault.org. The Board of Directors of Tagvault.org shall have final say.