(1) DRAFT NISTIR 8060
NIST is pleased to announce the fourth and final public comment release of NIST Interagency Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
This document represents a final discussion draft of this report. The authors have conducted a number of iterations of this report to further develop the concepts and guidelines contained herein based on public feedback. This is the final iteration of public review before finalizing this initial revision of the report. For this final draft, reviewers should focus their reviews on the overall report. Detailed review of all the guidelines in Sections 5 and 6 is also requested to ensure that the guidelines appropriately balance the needs of tag providers and consumers.
Email comments to: nistir8060-comments@nist.gov.
The public comment period closes on January 8, 2016.
(2) DRAFT NISTIR 8085
NIST is pleased to announce the first public comment release of NIST Interagency Report (NISTIR) 8085, Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags.
This report provides guidance on associating SWID tags with the CPE specification. The publication is intended as a supplement to NIST Interagency Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment life cycle.
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), CPE names derived from SWID tags make it possible to associate SWID-tagged software with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names from pertinent SWID tag attribute values.
Please send comments to nistir8060-comments@nist.gov with “Comments NISTIR 8085” in the subject line. Note: The email used for providing public comments is the same as the email used for NISTIR 8060. Comments will be accepted through January 8, 2016.