Software asset management (SAM) is a key part of continuous monitoring. The approach described here is intended to support the automation of security functions such as risk-based decision making, collection of software inventory data, and inventory-based network access control. SAM, as envisioned in this project, uses a standardized approach providing a comprehensive, integrated view of software on the endpoint to support the following capabilities:
- publication of installed software inventory
- authorization and verification of software installation media
- software execution whitelisting
- software inventory-based network access control.
At the core of this solution is the software identification (SWID) tag, an XML-based data format containing information describing a unit of software. A collection of SWID tags provides timely and accurate information about the current state of computing devices, also called endpoints. Organizations need to utilize this state information to measure the level of assurance of the software used to access organizational resources and to support critical business functions.
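As an added illustration (not code from the NIST guide), the following Python parses a constructed ISO/IEC 19770-2:2015 SWID tag into an inventory record and then re-checks the tag's Payload file hashes against the files actually on disk, the kind of check that backs both inventory publication and installation-media verification; the tag contents, file names and the `ExampleApp` values are assumed sample data.

```python
# Added example (not the NIST guide's code): parse ISO/IEC 19770-2:2015 SWID tags
# into inventory records and re-verify Payload file hashes on the endpoint.
import hashlib, os, tempfile
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

def parse_swid(xml_text):
    """Return (tagId, name, version, [(file name, expected sha256 hex)])."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError("not a SWID SoftwareIdentity element")
    files = [(f.get("name"), f.get(f"{{{SHA256_NS}}}hash"))
             for f in root.iter(f"{{{SWID_NS}}}File")]
    return root.get("tagId"), root.get("name"), root.get("version"), files

def verify_payload(files, base_dir):
    """Return Payload file names that are missing, unhashed, outside base_dir,
    or whose on-disk SHA-256 no longer matches the tag."""
    base, bad = os.path.realpath(base_dir), []
    for name, expected in files:
        path = os.path.realpath(os.path.join(base, name))  # reject '..' escapes
        if not path.startswith(base + os.sep) or not os.path.isfile(path):
            bad.append(name)
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if expected is None or digest != expected.lower():
            bad.append(name)
    return bad

def demo():
    """Constructed sample: two payload files, one modified after tagging."""
    d = tempfile.mkdtemp()
    contents = {"app.bin": b"release build", "lib.bin": b"helper"}
    for fname, data in contents.items():
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(data)
    h = lambda b: hashlib.sha256(b).hexdigest()
    tag = f'''<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
      name="ExampleApp" version="1.2.0" tagId="example.com-ExampleApp-1.2.0">
      <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
      <Payload><File name="app.bin" SHA256:hash="{h(contents["app.bin"])}"/>
               <File name="lib.bin" SHA256:hash="{h(contents["lib.bin"])}"/></Payload>
    </SoftwareIdentity>'''
    tag_id, name, version, files = parse_swid(tag)
    with open(os.path.join(d, "lib.bin"), "wb") as fh:  # simulate post-install tampering
        fh.write(b"helper-modified")
    return {"tagId": tag_id, "name": name, "version": version, "mismatched": verify_payload(files, d)}
```

A real deployment would also validate the tag's XML signature and the tagCreator identity before trusting its hashes; this example only covers the inventory and integrity step.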
Automating SAM requires timely collection of software inventory data in the form of SWID tags and depends crucially on the trustworthiness of the SAM processes implemented for each endpoint. Secure transport protocols are required to enable SWID tag data to be exchanged. Trusted Network Connect (TNC) specifications provide the standards-based mechanisms to support the secure exchange of SWID tag information from and between computing devices.
Capabilities supporting this approach will be developed using existing commercial and open-source software with additional functional development as needed. As each capability is completed, it will be assessed against the original objective and this document will be revised to reflect relevant changes to the original approach.