Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NCCoE Seeks Comments on Revised Software Asset Management Building Block

The National Cybersecurity Center of Excellence (NCCoE) at NIST has revised the draft white paper describing a "building block" that will help organizations inventory and assess the state of installed software across their IT systems, contributing to enhanced security. Version 2 of the white paper has been posted for an additional 30-day comment period, which runs through October 16, 2015.

Building blocks are cybersecurity solutions that are applicable across multiple industry sectors.

This building block proposes a standardized approach to software asset management so that an organization has an integrated view of software throughout its lifecycle.

The building block will support:

  • Authorization and verification of software installation media – Verifies that the media is from a trusted software publisher and that the installation media has not been tampered with
  • Software execution whitelisting – Verifies that the software is authorized to run and has not been tampered with
  • Publication of installed software inventory – A device securely communicates what software is installed to an organization-wide database
  • Software inventory-based network access control – A device's level of access to a network is determined by what software is or is not present on the device and whether its patches are up to date

The NCCoE, the U.S. national lab for cybersecurity, works with industry, academic and government experts to find practical solutions for businesses' most pressing cybersecurity needs. The NCCoE collaborates to build open, standards-based, modular, end-to-end solutions that are broadly applicable and easily adoptable.

Building blocks are example cybersecurity implementations that apply to multiple industry sectors and are expected to be incorporated into many of the center's sector-specific use cases. This exploration of software asset management capabilities is the center's first building block related to continuous monitoring.

The NCCoE's work to develop building blocks and resolve use cases results in NIST Cybersecurity Practice Guides, Special Publication series 1800, which contain all the information and instruction organizations need to implement a cybersecurity solution for themselves.

The document "Continuous Monitoring: Software Asset Management V.2" can be viewed at Comments should be submitted to conmon-nccoe [at] (conmon-nccoe[at]nist[dot]gov) by October 16, 2015.

Released September 16, 2015, Updated January 19, 2023