Yet another tool vendor has added support for the ISO SAM Standards. The Sassafras K2 product has added support for 19770-2 (SWID) and 19770-3 (Entitlement) standards. See more about their announcement here – http://www.sassafras.com/k2-iso-19770/.
This document defines guidelines for signing SWID tags in support of the [SWID] standard. The standard states that when digitally signing SWID tags, implementors will follow at a minimum the [XMLDSIG] recommendations, use an enveloped signature, add a timestamp per [W3C-XAdES], and include the public signature for the signing entity.
This document details and builds on those requirements. The guidance drafted herein supports the security and reliability of tag signing. These guidelines are drafted with the needs of implementors in mind and to provide value for all members of the software eco-system (publishers, tools and service providers, and end-users).
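As an added illustration (not the working group's or TagVault.org's own code), the following Python checks a signed tag for the structural minimums listed above: an enveloped XMLDSIG signature over the whole tag, an XAdES SigningTime timestamp, and the signer's credentials carried in KeyInfo. It assumes the 19770-2:2015 schema namespace and the standard XMLDSIG/XAdES URIs, uses a constructed sample tag with placeholder values, and stops short of cryptographic verification, which needs a full XMLDSIG library.

```python
"""Structural check of a signed SWID tag against the minimum signing
requirements: enveloped XMLDSIG signature, XAdES timestamp, signer's
public credentials in KeyInfo. Added example, not TagVault.org code."""
import xml.etree.ElementTree as ET

# Namespace URIs: SWID 2015 schema, XMLDSIG and XAdES 1.3.2 (assumed here).
NS = {
    "swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def check_swid_signature(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the structural
    requirements are met. Digest and SignatureValue are NOT verified."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['swid']}}}SoftwareIdentity":
        return ["root element is not swid:SoftwareIdentity"]
    sigs = root.findall("ds:Signature", NS)
    if not sigs:
        return ["no ds:Signature child: tag is unsigned"]
    sig = sigs[0]
    # Enveloped: a Reference with URI="" plus the enveloped-signature
    # transform, so the signature covers the whole tag except itself.
    enveloped = any(
        r.get("URI") == "" and any(
            t.get("Algorithm") == ENVELOPED
            for t in r.findall("ds:Transforms/ds:Transform", NS))
        for r in sig.findall("ds:SignedInfo/ds:Reference", NS))
    if not enveloped:
        findings.append("no enveloped-signature Reference over the whole tag")
    if sig.find("ds:SignatureValue", NS) is None:
        findings.append("ds:SignatureValue missing")
    # The signer's public credentials must travel with the tag.
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None or (
            key_info.find("ds:X509Data/ds:X509Certificate", NS) is None
            and key_info.find("ds:KeyValue", NS) is None):
        findings.append("ds:KeyInfo lacks an X509Certificate or KeyValue")
    # XAdES timestamp: SigningTime inside the signed signature properties.
    if sig.find("ds:Object/xades:QualifyingProperties/xades:SignedProperties/"
                "xades:SignedSignatureProperties/xades:SigningTime", NS) is None:
        findings.append("no xades:SigningTime timestamp")
    return findings


# Constructed sample tag; tagId, regid and base64 values are placeholders.
SAMPLE_SIGNED = f"""<SoftwareIdentity xmlns="{NS['swid']}"
  name="Example App" tagId="example.com-ExampleApp-1.0" version="1.0">
  <Entity name="Example Corp" regid="example.com" role="softwareCreator tagCreator"/>
  <Signature xmlns="{NS['ds']}" Id="sig">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>PLACEHOLDER=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER=</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>PLACEHOLDER=</X509Certificate></X509Data></KeyInfo>
    <Object><QualifyingProperties xmlns="{NS['xades']}" Target="#sig">
      <SignedProperties Id="xades-props"><SignedSignatureProperties>
        <SigningTime>2017-04-26T00:00:00Z</SigningTime>
      </SignedSignatureProperties></SignedProperties>
    </QualifyingProperties></Object>
  </Signature>
</SoftwareIdentity>"""

# The same tag with the signature block removed: reported as unsigned.
SAMPLE_UNSIGNED = SAMPLE_SIGNED.split("<Signature")[0] + "</SoftwareIdentity>"

if __name__ == "__main__":
    print("signed:", check_swid_signature(SAMPLE_SIGNED) or "OK")
    print("unsigned:", check_swid_signature(SAMPLE_UNSIGNED))
```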
The public review for the SWID Tag Signing Guidelines Paper opens on April 26, 2017, and will remain open until June 25, 2017.
Download the SWID Tag Signing Guidelines HERE.
Access the SWID Tag Signing Guidelines comments page HERE.
Alternatively, comments can be submitted as a .pdf to email@example.com. Please include your name, company, title, email address used to download the paper and follow the format below:
Step 1: Please specify the type of comment:
- GT = General Technical – the comment applies to many areas of the document
- TH = Technical High – the comment is technical and is considered important
- TL = Technical Low – the comment is technical in nature but is a lower priority
- GE = General Editorial – the comment is editorial in nature and is seen throughout the document
- E = Editorial – the comment is editorial and found in one location in the document
Step 2: Enter the Line #, Figure # or Table #
Step 3: Provide proposed new text
Step 4: Provide supporting reasons
SWID Tag Signing Guidelines (Public Review)
SWID Tags are more authoritative if they cannot be modified – that requires that the tag is signed. A TagVault.org working group has specified how SWID tags need to be signed. The working group consisted of members from MITRE, NIST, Microsoft and IBM to ensure that the signing approach is secure and interoperable.
Note, there are two independently developed SWID Tag Signing tools that will be available to use as a reference model. By providing a reference model against which interoperability can be validated, other vendors can create their own SWID Tag signing tools and confirm that they interoperate.
ISO Standards related to SAM
The following standards can be purchased from ISO, or from your country’s national body (ANSI, DIN, Standards Australia, etc). Note, 19770-5 is available as a freely downloadable standard. Also note, you may find that the NIST-IR 8060 (listed in a section below) will provide all the information you need to understand use cases and implementation of SWID tags.
- 19770-1:2012 – Processes and tiered assessment of conformance
- 19770-2:2015 – Software Identification Tag
- 19770-3:2016 – Entitlement Schema
- 19770-4:(2017) – Resource Utilization Measurement
- 19770-5:2015 – Overview and Vocabulary (freely available)
US Department of Defense
DoD indicates the standards that vendors are required to support. When an RFP indicates that specific capabilities are required (in this case, metadata must be supplied with the software), then the organization is mandated to use the standard specified (SWID tags). The next step in this process is to define policy so that every RFP for software purchased by DoD includes the requirement to supply metadata.
- Defense IT Standards Registry
Multiple Agencies Working Toward Better Cybersecurity
The US Government is working to provide an effective Cybersecurity data source built on the Security Content Automation Protocol (SCAP), which is managed by NIST. SCAP provides multiple specifications and multiple freely available resources. Much of the SCAP environment links various resources (such as software, vulnerability information, patch information, etc.) using the Common Platform Enumeration (CPE). Unfortunately, CPEs were not normalized and are often created by individuals, making automation more difficult. NIST is working towards using SWID tag data for the canonical representations of software, allowing significantly better automation.
- Security Content Automation Protocol (SCAP)
- National Vulnerability Database (NVD)
- NIST-IR 8060
- NIST-IR 8060 Schema for extensions
Other Related Standards and Group References
- Trusted Computing Group – IF-M Standard
- DMTF – Software Entitlement Working Group
- Minnesota User Group comments on Adobe SWID tags and SCCM
Software companies hoping to bid on government contracts in the future must now add standards-based software ID tags to their software.
Piscataway, NJ – 10 November 2016 – TagVault.org Board Chair, Michael Godsey of Microsoft, notes that, “Seeing ISO/IEC standard 19770-2 listed as a mandatory standard on the DoD IT Standards Registry provides concrete proof to the software publishing industry that SWID tags are a priority. TagVault.org is proud to be the industry alliance leader in bringing all the 19770-2 and the National Institute of Standards and Technology Internal Report 8060 requirements together for the creation and validation of Software ID tags (SWID).”
TagVault.org is the neutral, not-for-profit organization leading the way on developing the standard for SWID tags. The DoD IT Standards Registry listing all requirements is available here. The DoD IT Standards Registry now lists ISO/IEC Standard 19770-2 as a mandatory Standard. The objective of ISO Standard 19770-2 is to give organizations of all sizes the information they need to minimize the risks and costs of managing IT Asset Management (ITAM) assets.
While SWID tags are not a new concept in the industry, advancements in security and software asset tracking require a new level of standard. SWID tags, and the utilities to create and sign them, are used by security software and asset tracking software to identify the software installed on any given system or across a network. By identifying and authenticating the software in a standard way, the standard adds another layer of safety to the system, and saves time and energy by eliminating the computing overhead for servers in datacenters and clouds. The standard also reduces costs for software and cyber security companies who now don’t have to spend development cycles on creating, advancing, and maintaining proprietary solutions. Companies like Microsoft, IBM, and Symantec are at the forefront of this movement, and are part of the TagVault.org organization.
TagVault.org is the neutral not-for-profit validation authority for software tagging, primarily focused on software identification tags (as specified by ISO/IEC 19770-2) and software entitlement tags (as specified by ISO/IEC 19770-3). TagVault.org provides a shared library of software tools, technical knowledge and communications forums that decrease the costs of creating, managing and using software identification tags.
TagVault.org is a Federation Member Program of the IEEE Industry Standards and Technology Organization (ISTO) and publishes its bylaws for public access. The TagVault.org Board of Directors includes Microsoft, IBM, Symantec and the Department of Homeland Security. Organizations interested in joining TagVault.org can download the membership packet from www.tagvault.org.
Executive Director, TagVault.org
+1 732 562-6031
NIST-IR 8060 is final and published!
The NIST-IR 8060 document was published on Friday, April 22, 2016.
NIST, MITRE and the Dept of Homeland Security have worked together to create a set of guidelines that specify the data requirements for SWID tags from commercial software providers that will enable a number of use cases in support of the ongoing work to automate security operations.
As this document was being developed, TagVault.org and a number of large commercial software vendors reviewed it and provided feedback to ensure that the requirements were realistic, could be easily implemented by the publisher, and supported additional use cases, such as those for Software Asset Management.
For ISVs and software purchasing organizations: you are highly encouraged to review this document to understand either what you will be expected to provide if you create software, or what you can reference as a requirement if you purchase software.
The document, a spreadsheet of requirements specified in the document and the XML Schema for the new attributes and types can all be found here:
The abstract for this document doesn’t do the document justice – NIST-IR 8060 has a number of SWID tag examples, use cases on how the data can support IT processes, as well as additional attributes and types that will be integrated into the ISO standard in the near future. The Abstract as presented in the document is:
This report provides an overview of the capabilities and usage of software identification (SWID) tags as part of a comprehensive software lifecycle. As instantiated in the International Organization for Standardization/International Electrotechnical Commission 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This report introduces SWID tags in an operational context, provides guidelines for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.
The authors of the document are:
David Waltermire – NIST
Brant A. Cheikes – MITRE
Larry Feldman – G2 Inc.
Greg Witte – G2 Inc.
The following acknowledgements for the document provide an indication of the reviewers and organizations that have an interest in seeing SWID tags benefit the end-user:
The authors would like to thank Harold Booth, Bob Byers, Christopher Johnson, and Alex J. Nelson of the National Institute of Standards and Technology (NIST); Steve Klos of TagVault.org and 1E; Christine Deal and Charles Schmidt of The MITRE Corporation; Piotr Godowski and Brian Turner of IBM; Hopeton Smalling of OQI Cares, Inc.; Sharon Hope of NASA Jet Propulsion Laboratory; and John Richardson of Veritas for their reviews and contributions of feedback to this report. The authors would also like to thank Dr. Peter Fonash and Juan Gonzalez from the U.S. Department of Homeland Security (DHS) for their ongoing support for and contributions to this report. The authors would also like to thank Jessica Fitzgerald-McKay from the National Security Agency (NSA) for supporting the development of this report.
If you have any questions about this document, please feel free to reach out to TagVault.org through the contact us web page – http://tagvault.org/about/contact-us/
Invitation to the Workshop on Software Identification (SWID) Tag Implementation
Hosted by the National Institute of Standards and Technology (NIST) on
26-27 April 2016, in Rockville, MD
The National Institute of Standards and Technology (NIST) is pleased to announce a workshop on Software Identification (SWID) Tag Implementation and Use. This event will be held from 9:00 a.m. to 5:00 p.m. on 26 April and 9:00 a.m. to 3:00 p.m. on 27 April at the National Cybersecurity Center of Excellence (NCCoE), 9700 Great Seneca Highway, Rockville, MD.
Strengthening the security and resilience of United States Government (USG) civilian and military networks and critical infrastructure is a top national priority. If broadly implemented by software providers, SWID tags promise to significantly enhance the ability of USG departments and agencies to rapidly and accurately characterize the software assets discovered to be present within their enterprise networks. In turn, this will facilitate efforts to reduce vulnerabilities in our information technology systems and prevent future attacks. In addition to their value for cybersecurity, SWID tags will also help USG departments and agencies improve their ability to track and manage software licenses, thereby reducing cost and increasing efficiency.
The SWID tag effort aligns with the President’s 2016 Federal Cybersecurity Research and Development Strategic Plan, which was released on February 5, 2016. The plan challenges the cybersecurity research and development (R&D) community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. Use of SWID tags in this context helps to provide the information necessary for tools to ensure that software is updated, resulting in fewer exploitable vulnerabilities, and that software integrity can be measured to detect and prevent software tampering.
The goal of the workshop is to assemble a broad audience of SWID tag creators, users, and stakeholders to actively participate in engineering-level discussions on various topics relative to SWID tags, including implementation challenges. The agenda, while still under development, will be comprised of detailed technical topics culled from the guidelines within the NIST Interagency Report (IR) 8060, “Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.” We plan to cover some or all of the following topics:
- SWID tag 101 (general overview of SWID tags)
- Digital signing of SWID tags
- Internationalization of SWID tags
- Provision of payload and evidence elements of SWID tags
- Distribution mechanisms for SWID tags
- Implementation of patch and corpus tags
We encourage your feedback regarding the proposed topics and welcome additional topic ideas. Please send your ideas and feedback to us at firstname.lastname@example.org.
It is recommended that participants attending the workshop be familiar with NIST IR 8060. The fourth public draft can be found here: http://csrc.nist.gov/publications/drafts/nistir-8060/nistir_8060_draft_fourth.pdf. The final report is expected to be ready by early March.
Conference registration and attendance will be free of charge, but advance registration will be required. You can register at this URL – https://register.mitre.org/swid/.
If you have questions about this workshop, or would like to contact someone for more information, please send your request to email@example.com.
The Final Draft of the international standard, ISO/IEC 19770-3, was approved by the International Community in February of 2016. This means that the standard moves to an ISO editorial process to ensure it meets all formatting, editorial and other documentation requirements. The standard will be published soon.
When published, the front matter of the standard can be found here – https://www.iso.org/obp/ui/#search. Just type in 19770-3 and click on the standard to see the first few sections of the standard.
In the meantime, the following is the introduction to the standard. The following material is from the ISO/IEC 19770-3 standard and is provided for reference only. Some text may change prior to the standard being published, so this is informational only.
Introduction to ISO/IEC 19770-3 From the Standard
This part of ISO/IEC 19770 provides a technical definition of a schema that can encapsulate the details of software entitlements, including usage rights, limitations and metrics.
The primary intentions of this part of ISO/IEC 19770 are
- to provide a basis for common terminology to be used when describing entitlement rights, limitations and metrics, and
- to provide a schema which allows effective description of rights, limitations and metrics attaching to a software license.
The specific information provided by an entitlement schema (Ent) may be used to help ensure compliance with license rights and limits, to optimize license usage and to control costs. Though Ent creators are encouraged to provide the data that allow for the automatic processing, it is not mandated that data be automatically measurable. The data structure is intended to be capable of containing any kind of terms and conditions included in a software license agreement.
This part of ISO/IEC 19770 supports software asset management (SAM) processes as defined in ISO/IEC 19770-1. It is also designed to work together with software identification tags as defined in ISO/IEC 19770-2. Standardization in the field of software entitlements provides uniform, measurable data for both the license compliance, and license optimization, processes of SAM practice.
This part of ISO/IEC 19770 does not provide requirements or recommendations for processes related to software asset management or Ents. The software asset management processes are within the scope of ISO/IEC 19770-1.
This part of ISO/IEC 19770 has been developed with the following practical principles in mind.
- Maximum possible usability with legacy entitlement information. The Ent, or software entitlement schema, is intended to provide the maximum possible usability with existing entitlement information, including all historical licensing transactions. While the specifications provide many opportunities for improvement in entitlement processes and practices, they should also be able to handle existing licensing transactions without imposing requirements which would prevent such transactions being codified into Ent records.
- Maximum possible alignment with ISO/IEC 19770-2. This part of ISO/IEC 19770 (entitlement schema) is intended to align closely with part ISO/IEC 19770-2 (software identification tags). This should facilitate both understanding and their joint use.
It is intended that this standardized schema will be of benefit to all stakeholders involved in the creation, licensing, distribution, release, installation and ongoing management of software and software entitlements.
- Benefits to software licensors who provide Ents include, but are not limited to:
- immediate software consumer recognition of details of the usage rights derived from their software entitlement;
- ability to specify details to customers that allow software assets to be measured and reported for license compliance purposes;
- increased awareness of software license compliance issues on the part of end-customers;
- improved software consumer relationships through quicker and more effective license compliance audits.
- Benefits to SAM tool providers, deployment tool providers, resellers, software packagers and release managers include, but are not limited to:
- receipt of consistent and uniform data from software licensors and Ent creators;
- more consistent and structured entitlement information, supporting the use of automated techniques to determine the need for remediation of software licensing;
- improved reporting from additional categorization made possible by the use of Ents;
- improved SAM tool entitlement reconciliation capabilities resulting from standardization in location and format of software entitlement data;
- ability to deliver value added functionality for compliance management through the consumption of entitlement data.
- The benefits for software consumers, SAM practitioners, IT support professionals and end-users include, but are not limited to:
- receipt of consistent and uniform data from software licensors, resellers and SAM tools providers;
- more consistent and structured entitlement information supporting the use of automated techniques to determine the need for remediation of software licensing;
- improved reporting from additional categorization made possible by the use of Ents;
- improved SAM and software license compliance capabilities stemming from standardized, software licensor-supplied, ISO/IEC 19770-2 software identification tags to reconcile with these Ents;
- improved ability to avoid software license under-procurement or over-procurement with subsequent cost optimization;
- standardized usage across multiple platforms, rendering heterogeneous computing environments more manageable.
If you’re interested in participating in the SWID tag signing working group, log in to your members page and add your name to the working group there. If you need details on how to get to the members area, let Jane or Steve know and we’ll be happy to provide the information you need. If you don’t have our e-mail addresses, please let us know via the Contact Us page.
The Charter for the Tag Signing Working Group is shown below:
Charter for Tag Signing Working Group
- This charter is for a ‘Working Group’ (‘WG’) which is acting on behalf of TagVault.org and which shall have primary responsibility for developing interoperability guidance and supporting documentation for SWID tag implementers and users that details how tags should be digitally signed and validated.
- The Chairperson of the WG (‘Chair’) shall be Brant Cheikes.
- Participation in the WG shall be open to the following:
- All members of TagVault.org.
- Non-members of TagVault.org who are both (a) working on behalf of a member of TagVault.org, and (b) providing unique technical expertise to the WG’s design and decision-making activities.
- WG membership composition: The Chair of the WG shall agree on the final composition of the WG along with the Executive Director of TagVault.org. All members of the WG will be required to remain active and contribute meaningful content to the WG in order to maintain their membership status.
- Copyright in all work products developed by the WG shall be held by IEEE-ISTO on behalf of TagVault.org, a program of IEEE-ISTO as specified in the TagVault.org membership agreement.
- The process by which the working group operates is defined in Article 8 of the TagVault.org bylaws which are available on the TagVault.org website.
- The names and contact information of all members of the WG shall be openly shared within the WG subject to members’ acknowledgement that such information shall be used for committee purposes only.
- The Chair shall be able to organize work in such ways as considered appropriate, including physical meetings, conference calls, and other forms of virtual collaboration. There shall be no minimum period of notification for calling a meeting of the WG except that reasonable care should be taken to obtain a consensus of WG members when scheduling meetings.
- The main work expected to be completed is the following, although this is subject to revision by the WG:
- Specification of technical procedures for digitally signing and certifying SWID tags
- Specification of technical procedures for validating SWID tag digital signatures
- Preparation of interoperability guidance and supporting documentation for SWID tag implementers and users that details how tags should be digitally signed and validated
- In the event of any problems or omissions in this charter or in the activity of the WG, in the first instance reference shall be made to the Executive Director of TagVault.org. The Board of Directors of TagVault.org shall have final say.
The US Department of Homeland Security (DHS) recently joined TagVault.org as a board member. This allows the DHS to be engaged with commercial providers such as Microsoft, IBM and Symantec to determine how TagVault.org can best support the wider software community in its efforts to evangelize SWID tags.
The reason the DHS joined the TagVault.org board is to ensure that all organizations in the software market have equal access to the various tools, technology and documentation created by TagVault.org as well as to drive interoperability between software publishers and tool providers around the SWID tagging standard. SWID tags are critical to cybersecurity automation efforts and as a board member, DHS has the ability to ensure that the implementation of SWID tags meets the mutually supportive goals of automation for both software licensing and cybersecurity requirements.
TagVault.org is a non-profit organization and publishes its bylaws for public access so organizations that may be interested in joining TagVault.org as either a regular member, or a board member can understand how the board, the program manager, the executive director and the members interact. For more information on the program and how to join, download the membership packet.
The US National Institute of Standards and Technology (NIST) is working on an internal report (NIST-IR) that lays out the specific guidelines for how the US Government expects to use the data from SWID tags. This publication includes details on how data will be used from an operational perspective and provides a number of use cases focused on end-user scenarios. The overarching goal is to ensure that software publishers understand end-user requirements, so that SWID tags can provide the data required to automate IT administrative processes that, today, are largely manual.
The report is focused on both Cybersecurity and Software Asset Management requirements.
The report can be found on the NIST website at this URL: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060.
Be aware that until this NIST-IR is published, the team working on this document would love to receive the public’s feedback on how these requirements meet your operational needs, or if there are requirements or scenarios that are not yet defined and should be added to the document.
To provide feedback, send e-mails to – NISTIR8060firstname.lastname@example.org with the subject, “Comments Draft NISTIR 8060”.