Automation Support for Security Control Assessments: Software Asset Management—NIST Publishes NISTIR 8011 Vol. 3

NIST has published NIST Interagency Report (NISTIR) 8011 Volume 3, Automation Support for Security Control Assessments: Software Asset Management. 

This volume features the software asset management (SWAM) information security capability. The focus of the SWAM capability is to manage risk created by unmanaged or unauthorized software on a network.  Such software is a target that may be used by attackers as a platform from which to attack components on the network. A well-designed SWAM program helps to: prevent compromised software from being installed or staying deployed on the network; prevent attackers from gaining a foothold; prevent attacks from becoming persistent; and restore required and authorized software as needed.

NISTIR 8011 is planned to ultimately consist of 13 volumes. It represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall, and with the guidance in NIST SPs 800-53 and 800-53A in particular.