(THIRD Draft) NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
August 31, 2015

NIST is pleased to announce the third public comment release of NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting. 
This document represents a third discussion draft of this report. The authors are conducting a number of iterations of this report to further develop the concepts and guidelines contained herein based on public feedback. A typical cycle of revision will consist of a two-week public comment period followed by a two to three week revision period resulting in an updated discussion draft. The authors plan to conduct a total of four to six iterations of this cycle before finalizing this report. While this is a slight departure from the normal development cycle for a NISTIR, the authors believe that this collaborative approach will result in a better set of usable guidance for SWID tag creators. 
For this draft iteration, review should cover the overall report, noting three areas of particular interest: 
  • The clarity and feasibility of the guidelines in Sections 3 and 4 
  • Section 5, which has been reorganized and largely rewritten 
  • Appendix A, which has been completely rewritten 
Specific attention should be given to any inline questions in the report. These questions represent areas where feedback is needed to complete this report. 
Please send comments to nistir8060-comments@nist.gov with “Comments Third Draft NISTIR 8060” in the subject line. The comment period closed September 24, 2015.

Created December 21, 2016, Updated June 22, 2020