The SWID Tag format, defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 19770-2, is a structured metadata format for describing a software product. NIST recommends use of the latest version of this standard, ISO/IEC 19770-2:2015. A SWID Tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, identify the organizations and individuals that had a role in the production and distribution of the product, list the artifacts that comprise a software product, establish relationships between software products, and provide other descriptive metadata. The information in a SWID Tag gives software asset management (SAM) and security tools the data they need to automate the management of a software product across the software's deployment lifecycle. That information can be collected and exchanged as software inventory data supporting SAM and security processes. Such processes include the assessment of software vulnerabilities present on an inventoried computing device, the detection of missing patches, the targeting of configuration setting assessments, the verification of software integrity, the white or black listing of software installations and executions, and other security and operational use cases.
Development of the SWID Tag standard is part of the work program of ISO/IEC Joint Technical Committee (JTC) 1, Subcommittee (SC) 7, Working Group (WG) 21. ISO/IEC JTC1, SC7, WG21 focuses on IT Asset Management (ITAM) and SAM standards with WG members from many countries.
The National Institute of Standards and Technology (NIST), in cooperation with the Department of Homeland Security (DHS) and the National Security Agency (NSA), has developed NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable SWID Tags. As a companion to the ISO/IEC 19770-2:2015 standard, this report, which describes the basic structure of a SWID Tag, provides further guidelines for the creation of interoperable SWID Tags that enable cybersecurity use cases. This report has the following three purposes.
By following the guidelines in NISTIR 8060, tag producers can have confidence they are providing all the necessary data, with the requisite data quality, to support the operational goals of tag consumers for each tag usage scenario.
As a companion to NISTIR 8060, NIST has produced a SWID Tag validation tool. Tag producers can use this tool to verify that the Tags they create conform to the requirements of ISO/IEC 19770-2:2015 and the guidelines in NISTIR 8060.
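The following script is an added example, not the NIST validation tool and not part of the NISTIR 8060 text. It builds a constructed ISO/IEC 19770-2:2015 tag for a fictitious product (the regid `example.invalid`, the tagId and the file contents are placeholders), extracts the data elements described above (identity, entities and their roles, payload files), runs a handful of NISTIR 8060-style interoperability checks (required identity attributes, a tagCreator entity with a regid, a SHA-256 hash on every payload file), and then uses the recorded hashes to verify the integrity of the payload against in-memory file bytes. The check set is illustrative rather than the complete rule set of the standard or of NISTIR 8060; the 2015 schema namespace and the `sha256:hash` attribute namespace are taken from ISO/IEC 19770-2:2015.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2015 SWID schema.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
# Namespace the 2015 standard uses for the SHA-256 hash attribute on File elements.
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
NS = {"swid": SWID_NS}

# Constructed payload: the bytes of the single file the sample tag describes.
SAMPLE_FILE_BYTES = b"#!/bin/sh\necho example-product 2.1.0\n"
SAMPLE_FILE_SHA256 = hashlib.sha256(SAMPLE_FILE_BYTES).hexdigest()

# Constructed primary tag for a fictitious product; regid and tagId are placeholders.
SAMPLE_TAG = f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{SWID_NS}"
    name="Example Product" tagId="example.invalid-ExampleProduct-2.1.0-primary"
    version="2.1.0" versionScheme="multipartnumeric">
  <Entity name="Example Vendor, Inc." regid="example.invalid" role="tagCreator softwareCreator"/>
  <Payload>
    <Directory root="/opt" name="example-product">
      <File name="run.sh" size="{len(SAMPLE_FILE_BYTES)}"
            xmlns:sha256="{SHA256_NS}" sha256:hash="{SAMPLE_FILE_SHA256}"/>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""

# Constructed tag that a consumer should reject: no tagCreator entity and an unhashed file.
BAD_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example Product" tagId="example.invalid-bad">
  <Entity name="Somebody" role="distributor"/>
  <Payload><File name="run.sh"/></Payload>
</SoftwareIdentity>
"""


def _collect_files(node, prefix, files):
    """Walk Payload/Directory/File and record each File with its full path and hash."""
    for child in node:
        local = child.tag.rsplit("}", 1)[-1]
        if local == "Directory":
            base = child.get("root", prefix).rstrip("/")
            _collect_files(child, f"{base}/{child.get('name')}", files)
        elif local == "File":
            files.append({
                "path": f"{prefix}/{child.get('name')}",
                "size": child.get("size"),
                "sha256": child.get(f"{{{SHA256_NS}}}hash"),
            })


def parse_tag(xml_text):
    """Return the identity, entity and payload data elements of a 2015 SWID tag."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not an ISO/IEC 19770-2:2015 SoftwareIdentity element")
    identity = {k: root.get(k) for k in ("name", "tagId", "version", "versionScheme")}
    entities = [
        {"name": e.get("name"), "regid": e.get("regid"), "roles": (e.get("role") or "").split()}
        for e in root.findall("swid:Entity", NS)
    ]
    files = []
    payload = root.find("swid:Payload", NS)
    if payload is not None:
        _collect_files(payload, "", files)
    return {"identity": identity, "entities": entities, "files": files}


def check_tag(tag):
    """Illustrative NISTIR 8060-style checks (a subset, not the NIST validator).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    for attr in ("name", "tagId", "version"):
        if not tag["identity"].get(attr):
            findings.append(f"missing SoftwareIdentity/@{attr}")
    creators = [e for e in tag["entities"] if "tagCreator" in e["roles"]]
    if not creators:
        findings.append("no Entity with role tagCreator")
    elif not all(e["regid"] for e in creators):
        findings.append("tagCreator Entity lacks a regid")
    if not tag["files"]:
        findings.append("Payload lists no File elements")
    for f in tag["files"]:
        if not f["sha256"]:
            findings.append(f"File {f['path']} has no sha256:hash")
    return findings


def verify_payload(tag, file_contents):
    """Compare each payload File's recorded SHA-256 against supplied bytes.
    file_contents maps path -> bytes (constructed here instead of reading disk)."""
    results = {}
    for f in tag["files"]:
        data = file_contents.get(f["path"])
        if data is None:
            results[f["path"]] = "missing"
        elif f["sha256"] and hashlib.sha256(data).hexdigest() == f["sha256"].lower():
            results[f["path"]] = "ok"
        else:
            results[f["path"]] = "mismatch"
    return results


if __name__ == "__main__":
    good = parse_tag(SAMPLE_TAG)
    print("findings:", check_tag(good) or "none")
    print("integrity:", verify_payload(good, {"/opt/example-product/run.sh": SAMPLE_FILE_BYTES}))
    print("bad tag findings:", check_tag(parse_tag(BAD_TAG)))
```

A consumer that ran this over real tags would read the payload bytes from disk instead of a dictionary; the split between `check_tag` (does the tag carry the data a consumer needs) and `verify_payload` (does the installed software match what the tag claims) mirrors the two stages at which a SWID tag is useful: when it is produced and when it is used for integrity verification.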
NIST has also worked with TagVault.org to produce a set of SWID Tag signing guidelines describing the use of XML Digital Signatures inside a SWID Tag. Digital signatures ensure that the source and integrity of a SWID Tag can be verified.
NIST has also incorporated the use of SWID Tags in the Security Content Automation Protocol (SCAP) version 1.3.
NIST is also working within the Internet Engineering Task Force (IETF) to develop multiple specifications that use SWID Tags. This work includes:
Security and Privacy: asset management, patch management, security automation
Technologies: operating systems
Applications: Internet of Things