Date Published: December 2015
Comments Due: January 8, 2016 (public comment period is CLOSED)
Email Questions to: nistir8060-comments@nist.gov
This report provides guidance on associating SWID tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag-derived CPE names are useful for associating software identified by SWID tags with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.
[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]
Audit and Accountability; Configuration Management; Maintenance; Media Protection; Planning; System and Communications Protection; System and Information Integrity; System and Services Acquisition
Publication:
Draft NISTIR 8085
Supplemental Material:
None available
Related NIST Publications:
Document History:
12/17/15: NISTIR 8085 (Draft)
Security and Privacy
asset management; audit & accountability; planning; security automation
Technologies
software & firmware
Laws and Regulations
Federal Information Security Modernization Act