REVISED NOV. 15, 2013: The comment period has been extended to January 17, 2014. Comments should be submitted to conmon-nccoe[at]nist[dot]gov.
According to one of the fundamentals of cybersecurity, you can't secure what you don't know you have. The National Cybersecurity Center of Excellence (NCCoE) at NIST has proposed a new "building block" that will help organizations inventory and assess the state of installed software across their IT systems, contributing to enhanced security. The NCCoE invites the public to comment on the draft building block document. The comment period is open until October 14, 2013.
The NCCoE works with industry, academic and government experts to find practical solutions for businesses' most pressing cybersecurity needs. The NCCoE collaborates to build open, standards-based, modular, end-to-end solutions that are broadly applicable and help businesses more easily comply with standards and regulations.
Building blocks are example cybersecurity implementations that apply to multiple industry sectors and are expected to be incorporated into many of the center's sector-specific use cases. This exploration of software asset management capabilities is the first building block related to continuous monitoring. It is a collaboration among NCCoE, NIST's Information Technology Lab, and the Department of Homeland Security, General Services Administration, and National Security Agency.
This building block proposes a standardized approach to software asset management so that an organization has an integrated view of software throughout its lifecycle. The building block will support:
The NCCoE's work to develop building blocks and resolve use cases results in solution sets, publicly available descriptions of the practical steps needed to implement a cybersecurity solution.
The document "Continuous Monitoring: Software Asset Management" can be viewed at http://nccoe.nist.gov/?q=content/continuous-monitoring. Comments should be submitted to conmon-nccoe[at]nist[dot]gov by October 14, 2013.