Automation Support for Security Control Assessments: Software Asset Management

Dempsey, Kelley; Goren, Nedim; Eavy, Paul; Moore, George

doi:https://doi.org/10.6028/NIST.IR.8011-3

NISTIR 8011 Vol. 3

Automation Support for Security Control Assessments: Software Asset Management

Documentation Topics

Date Published: December 2018

Planning Note (2/22/2023):

The NIST Risk Management Framework (RMF) team seeks feedback on our NIST IR 8011 series publications and their use.

See the Call for Feedback to learn more details about what we would like to know. Feedback can be sent to 8011comments@list.nist.gov; there is no closing date.

Author(s)

Kelley Dempsey (NIST), Nedim Goren (NIST), Paul Eavy (DHS), George Moore (APL)

Abstract

The NISTIR 8011 volumes each focus on an individual information security capability, adding tangible detail to the more general overview given in NISTIR 8011 Volume 1, and providing a template for transition to a detailed, NIST guidance-based automated assessment. This document, Volume 3 of NISTIR 8011, addresses the Software Asset Management (SWAM) information security capability. The focus of the SWAM capability is to manage risk created by unmanaged or unauthorized software on a network. Unmanaged or unauthorized software is a target that attackers can use as a platform from which to attack components on the network.

Keywords

actual state; assessment; authorization boundary; automation; capability; continuous diagnostics and mitigation; dashboard; defect; desired state specification; firmware; information security continuous monitoring; ISCM; inventory management; malicious code; malware; mitigation; mobile code; ongoing assessment; root cause analysis; security capability; security control; security control item; software; software asset management; software file; SWID tag; whitelisting

Control Families

Assessment, Authorization and Monitoring; Risk Assessment

Documentation

Publication:
NISTIR 8011 Vol. 3 (DOI)
Local Download

Supplemental Material:
None available

Other Parts of this Publication:
NISTIR 8011 Vol. 1
NISTIR 8011 Vol. 2
NISTIR 8011 Vol. 4

Related NIST Publications:
SP 800-53A Rev. 4
SP 800-53 Rev. 4

Document History:
04/05/18: NISTIR 8011 Vol. 3 (Draft)
12/06/18: NISTIR 8011 Vol. 3 (Final)

Topics

Security and Privacy
asset management; assurance; continuous monitoring; controls assessment; risk assessment; security automation; security controls; system authorization; testing & validation

Technologies
software & firmware

Laws and Regulations
E-Government Act; Federal Information Security Modernization Act; OMB Circular A-130