Date Published: December 2015
Comments Due:
Email Questions to:
Author(s)
David Waltermire (NIST), Brant Cheikes (MITRE)
Announcement
This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag derived CPE names are useful to associate vulnerability reports with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.
[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]
This report describes the association between the use of Software Identification (SWID) Tags and the Common Platform Enumeration (CPE) specifications. The publication is intended as a supplement to NIST Internal Report 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. Both SWID and CPE support automated and accurate software asset management. Such automation, in turn, helps organizations to: minimize exposure to publicly disclosed software vulnerabilities; enforce organizational policies regarding authorized software; and, control network resource access from potentially vulnerable endpoints. NISTIR 8085 provides guidance to support CPE naming using information from a SWID tag based on the International Organization for Standardization/International Electrotechnical Commission 19770-2:2015 standard.
This report describes the association between the use of Software Identification (SWID) Tags and the Common Platform Enumeration (CPE) specifications. The publication is intended as a supplement to NIST Internal Report 8060, Guidelines for the Creation of Interoperable Software Identification (SWID)...
See full abstract
This report describes the association between the use of Software Identification (SWID) Tags and the Common Platform Enumeration (CPE) specifications. The publication is intended as a supplement to NIST Internal Report 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. Both SWID and CPE support automated and accurate software asset management. Such automation, in turn, helps organizations to: minimize exposure to publicly disclosed software vulnerabilities; enforce organizational policies regarding authorized software; and, control network resource access from potentially vulnerable endpoints. NISTIR 8085 provides guidance to support CPE naming using information from a SWID tag based on the International Organization for Standardization/International Electrotechnical Commission 19770-2:2015 standard.
Hide full abstract
Keywords
common platform enumeration; software; software asset management; software identification; SWID; CPE; software identification tag
Control Families
Audit and Accountability; Configuration Management; Maintenance; Media Protection; Planning; System and Communications Protection; System and Information Integrity; System and Services Acquisition
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
