Date Published: December 2015
Comments Due: January 8, 2016 (public comment period is CLOSED)
Email Questions to: firstname.lastname@example.org
David Waltermire (NIST), Brant Cheikes (MITRE)
This report provides guidance for associating SWID tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), CPE names derived from SWID tags are useful for associating SWID tags with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.
[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]
Keywords: common platform enumeration; software; software asset management; software identification; SWID; CPE; software identification tag
Audit and Accountability;
System and Communications Protection;
System and Information Integrity;
System and Services Acquisition;