Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8085 (Initial Public Draft)

Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags

Date Published: December 2015
Comments Due: January 8, 2016 (public comment period is CLOSED)
Email Questions to:


David Waltermire (NIST), Brant Cheikes (MITRE)


This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.

The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag derived CPE names are useful to associate vulnerability reports with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.

[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]



common platform enumeration; software; software asset management; software identification; SWID; CPE; software identification tag
Control Families

Audit and Accountability; Configuration Management; Maintenance; Media Protection; Planning; System and Services Acquisition; System and Communications Protection; System and Information Integrity


Draft NISTIR 8085 (pdf)

Supplemental Material:
None available

Related NIST Publications:
IR 8060
ITL Bulletin

Document History:
12/17/15: IR 8085 (Draft)