Security Content Automation Protocol SCAP

Software Identification (SWID)

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publish ISO/IEC 19770-2, a standard for software identification (SWID) tags that defines a structured metadata format for describing a software product. A SWID tag document is composed of a structured set of data elements that identify the software product and characterize the product's version, the organizations and individuals that had a role in the production and distribution of the product, the artifacts that comprise the software product, relationships between software products, and other descriptive metadata. The information in a SWID tag gives software asset management and security tools what they need to automate the management of a software installation across the software's deployment lifecycle. SWID tags support automation of software inventory as part of a software asset management (SAM) process, assessment of software vulnerabilities present on a computing device, detection of missing patches, targeting of configuration checklist assessments, software integrity checking, installation and execution whitelists/blacklists, and other security and operational use cases.
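As an added illustration of the data elements and the integrity-checking use case described above (example code written for this page, not NIST's or the SWIDVal tool's), the following reads a SWID tag and compares installed files against the payload it declares. The product, regid, tagId and file content are constructed sample values.

```python
import hashlib
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed file content and tag; product, regid and tagId are made up.
SAMPLE_FILES = {"acme.cfg": b"mode=secure\n"}
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="ACME Example App" tagId="example.invalid-acme-app-1.2.0"
    version="1.2.0" versionScheme="multipartnumeric">
  <Entity name="ACME Example Corp" regid="http://example.invalid"
      role="tagCreator softwareCreator"/>
  <Payload>
    <File name="acme.cfg" size="12"
        SHA256:hash="{hashlib.sha256(SAMPLE_FILES['acme.cfg']).hexdigest()}"/>
  </Payload>
</SoftwareIdentity>"""


def parse_swid(xml_text):
    """Return product identity, entities and payload file records from a tag."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not an ISO/IEC 19770-2:2015 SWID tag")
    ns = {"swid": SWID_NS}
    return {
        "name": root.get("name"),
        "tagId": root.get("tagId"),
        "version": root.get("version"),
        "entities": [(e.get("name"), e.get("role", "").split())
                     for e in root.findall("swid:Entity", ns)],
        # File elements may be nested inside Directory elements, hence "//".
        "files": [{"name": f.get("name"), "size": int(f.get("size")),
                   "sha256": (f.get(f"{{{SHA256_NS}}}hash") or "").lower()}
                  for f in root.iterfind("swid:Payload//swid:File", ns)],
    }


def check_integrity(tag, installed):
    """Compare installed file bytes against the tag; return {name: status}."""
    result = {}
    for rec in tag["files"]:
        data = installed.get(rec["name"])
        if data is None:
            result[rec["name"]] = "missing"
        elif (len(data) != rec["size"]
              or hashlib.sha256(data).hexdigest() != rec["sha256"]):
            result[rec["name"]] = "modified"
        else:
            result[rec["name"]] = "ok"
    return result
```

The check is only as trustworthy as the tag: this example treats the tag as authentic input and does not validate it against the schema.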

Development of the SWID tag standard is part of the work program of ISO/IEC Joint Technical Committee (JTC) 1, Subcommittee (SC) 7, Working Group (WG) 21. ISO/IEC JTC1, SC7, WG21 focuses on IT Asset Management (ITAM) and SAM standards with WG members from a number of countries.

NIST has produced a set of guidelines for the creation of interoperable SWID tags, published as NISTIR 8060. NIST has also incorporated the use of SWID tags in the SCAP 1.3 revision.

SWID Specification Resources

ISO/IEC 19770-2:2015 Resources

Documents:

ISO/IEC 19770-2:2015 Specification (PDF) - September 2015

NIST Guidelines for the Creation of Interoperable SWID Tags (PDF) - April 2016

XML Schema Files:

ISO/IEC 19770-2:2015 Schema (XSD 1.0) - September 2015 - xsd:import statements use absolute URLs

SWID Tag Extensions from NISTIR 8060 (XSD 1.0) - April 2016 - xsd:import statements use relative URLs

SWID Tag Validation Tool:

ISO/IEC 19770-2:2015 and NISTIR 8060 SWID Tag Validation (SWIDVal) Tool Version 0.5.0 (ZIP) (TAR/BZ2) - July 2017

Created December 07, 2016, Updated October 26, 2021