U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Using Automated Assessments to Protect Information and Software: NIST Releases Draft NISTIR 8011 Volume 3
April 05, 2018

When software programs in a network are unmanaged, or unidentified, they are vulnerable to attacks, and the programs can be used as a persistent platform from which to attack components on a network. To address these vulnerabilities, NIST and DHS researchers have developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Asset Management (SWAM). The focus of the SWAM capability is to manage risk created by unmanaged or unauthorized programs that are on a network.

A newly released draft document, called NIST Interagency Report (NISTIR) 8011 Volume 3, Automation Support for Security Control Assessments, Software Asset Management, provides an operational approach for automating security control assessments to manage software download and installation and/or the execution of unauthorized and/or malicious software (malware). This approach is consistent with the NIST Risk Management Framework as described in NIST SP 800-37 and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volumes 1 and 2 were published in 2017. Volume 3 provides details specific to the software asset management security capability. The remaining 10 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volumes 2 and 3.

Public comment period is open through May 4th 2018.
Please submit public comments to sec-cert@nist.gov. Comments are accepted in any desired format.

Created April 05, 2018, Updated June 22, 2020