Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8011 Vol. 3 (Initial Public Draft)

Automation Support for Security Control Assessments: Software Asset Management

Date Published: April 2018
Comments Due: May 4, 2018 (public comment period is CLOSED)
Email Questions to:


Kelley Dempsey (NIST), Nedim Goren (NIST), Paul Eavy (DHS), George Moore (APL)


This is the initial public draft release of NIST Internal Report (NISTIR) 8011 Volume 3, Automation Support for Security Control Assessments: Software Asset Management. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volumes 1 and 2 were published in 2017. Volume 3 provides details specific to the software asset management security capability. The remaining 10 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volumes 2 and 3.



actual state; assessment; assessment boundary; assessment method; authorization boundary; automated assessment; automation; capability; continuous diagnostics and mitigation; dashboard; defect; defect check; desired state specification; software asset management; information security continuous monitoring; firmware; ISCM dashboard, inventory management; malware; malicious code; mobile code; mitigation; ongoing assessment; root cause analysis; security automation; security capability; security control; security control assessment; security control item; software executable; SWID tag; software injection; software product; software whitelisting.
Control Families

Assessment, Authorization and Monitoring; Risk Assessment


Draft NISTIR 8011 Vol. 3 (pdf)

Supplemental Material:
None available

Publication Parts:
IR 8011 Vol. 1
IR 8011 Vol. 2

Related NIST Publications:
SP 800-53A Rev. 4
SP 800-53 Rev. 4

Document History:
04/05/18: IR 8011 Vol. 3 (Draft)
12/06/18: IR 8011 Vol. 3 (Final)