SWID Tagging Specifications and Guidelines

Completed Specifications and Guidelines

The SWID Tag format, defined by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) standard ISO/IEC 19770-2, is a structured metadata format for describing a software product. NIST recommends use of the latest version of this standard, ISO/IEC 19770-2:2015. A SWID Tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, identify the organizations and individuals that had a role in the production and distribution of the product, list the artifacts that comprise a software product, establish relationships between software products, and provide other descriptive metadata. The information in a SWID Tag provides software asset management (SAM) and security tools with valuable information needed to automate the management of a software product across the software's deployment lifecycle. The information in a SWID Tag can be collected and exchanged as software inventory data supporting software asset management (SAM) and security processes. Such processes include the assessment of software vulnerabilities present on an inventoried computing device, the detection of missing patches, the targeting of configuration setting assessments, the verification of software integrity, the white or black listing of software installations and executions, and other security and operational use cases.

Development of the SWID Tag standard is part of the work program of ISO/IEC Joint Technical Committee (JTC) 1, Subcommittee (SC) 7, Working Group (WG) 21. ISO/IEC JTC1, SC7, WG21 focuses on IT Asset Management (ITAM) and SAM standards with WG members from many countries.

The National Institute of Standards and Technology (NIST), in cooperation with the Department of Homeland Security (DHS) and the National Security Agency (NSA), has developed NIST Internal Report (NISTIR) 8060: Guidelines for the Creation of Interoperable SWID Tags. As a companion to the ISO/IEC 19770-2:2015 standard, this report, which describes the basic structure of a SWID Tag, provides further guidelines for the creation of interoperable SWID Tags that enable cybersecurity use cases. This report has the following three purposes.

1. Presents a high-level description of SWID Tags to increase familiarity with the standard.
2. Provides tag implementation guidelines that supplement the SWID Tag specification.
3. Describes a set of operational usage scenarios that illustrate how SWID Tags, conforming to these guidelines, can be used to achieve a variety of cybersecurity goals.

By following the guidelines in NISTIR 8060, tag producers can have confidence they are providing all the necessary data, with the requisite data quality, to support the operational goals of tag consumers for each tag usage scenario.

As a companion to NISTIR 8060, NIST has produced a SWID Tag validation tool. Tag producers can use this tool to verify that the Tags they create conform to the requirements of ISO/IEC 19770-2:2015 and the guidelines in NISTIR 8060.

NIST has also worked with TagVault.org, to produce a set of SWID Tag signing guidelines describing the use of XML Digital Signatures inside a SWID Tag. Digital signatures ensure that the source and integrity of a SWID Tag can be verified.

NIST has also incorporated the use of SWID Tags in the Security Content Automation Protocol (SCAP) version 1.3.

Specifications Under Development

NIST is also working within the Internet Engineering Task Force (IETF) to develop multiple specifications that use SWID Tags. This work includes:

• The draft Constrained SWID (CoSWID) specification which defines a concise representation of ISO/IEC 19770-2:2015 SWID Tags using the Concise Binary Object Representation (CBOR) data format. This format supports the creation of SWID Tags for software related to constrained Internet of Things (IoT) devices for use on constrained devices and networks.
• The Resource-Oriented Lightweight Information Exchange (ROLIE) protocol [RFC8322] supports security automation information sharing using a discoverable syndication mechanism. Additionally, the draft ROLIE Software Descriptor Extension specification supports the publication of a repository of SWID Tags using the ROLIE protocol. This extension allows software providers to publish their collections of SWID Tags so that third-parties can retrieve SWID Tag information supporting a range of software-related use cases, including vulnerability identification and management; and software asset, patch, and configuration management practices.
• The draft Software Inventory Message and Attributes (SWIMA) for PA-TNC specification provides a software inventory collection specification that supports the collection of SWID Tag data-based software inventories. This specification also allows an authorized management server to subscribe to alerts of software installation change events on managed devices, providing for automatic notification of when software is installed, upgraded, patched, or uninstalled on a managed device.