NCCoE Launches New Software Asset Management Building Block

REVISED NOV. 15, 2013: The comment period has been extended to January 17, 2014. Comments should be submitted to conmon-nccoe [at] nist.gov (conmon-nccoe[at]nist[dot]gov)

According to one of the fundamentals of cybersecurity, you can't secure what you don't know you have. The National Cybersecurity Center of Excellence (NCCoE) at NIST has proposed a new "building block" that will help organizations inventory and assess the state of installed software across their IT systems, contributing to enhanced security. The NCCoE invites the public to comment on the draft building block document. The comment period is open until October 14, 2013.

The NCCoE works with industry, academic and government experts to find practical solutions for businesses' most pressing cybersecurity needs. The NCCoE collaborates to build open, standards-based, modular, end-to-end solutions that are broadly applicable and help businesses more easily comply with standards and regulations.

Building blocks are example cybersecurity implementations that apply to multiple industry sectors and are expected to be incorporated into many of the center's sector specific use cases. This exploration of software asset management capabilities is the first building block related to continuous monitoring. It is a collaboration among NCCoE, NIST's Information Technology Lab, and the Department of Homeland Security, General Services Administration, and National Security Agency.

This building block proposes a standardized approach to software asset management so that an organization has an integrated view of software throughout its lifecycle. The building block will support:

• Authorization and verification of software installation media – Verifies that the media is from a trusted software publisher and that the installation media has not been tampered with
• Software execution whitelisting – Verifies that the software is authorized to run and has not been tampered with
• Publication of installed software inventory – A device securely communicates what software is installed to an organization-wide database
• Software inventory-based network access control – A device's level of access to a network is determined by what software is or is not present on the device and whether its patches are up to date

The NCCoE's work to develop building blocks and resolve use cases results in solution sets, publicly available descriptions of the practical steps needed to implement a cybersecurity solution.

The document "Continuous Monitoring: Software Asset Management" can be viewed at http://nccoe.nist.gov/?q=content/continuous-monitoring. Comments should be submitted to conmon-nccoe [at] nist.gov (conmon-nccoe[at]nist[dot]gov) by October 14, 2013.