IR 8500A ipd, Blockchain-Based Secure Software Assets Management (BloSS@M), Available for Public Comment

NIST Internal Report (IR) 8500A ipd (initial public draft), Blockchain-Based Secure Software Assets Management (BloSS@M), outlines a modernized conceptual approach for transforming how software assets are acquired, tracked, and secured across an interagency ecosystem.

The conceptual approach for BloSS@M was developed in consideration of federal asset inventory and management requirements—including OMB Circular A-130 and OMB M-13-13—as well as NIST SP 800-37 and SP 800-53 guidelines. BloSS@M establishes a shared infrastructure for software acquisition that promotes asset reuse, eliminates duplicative procurement, and strengthens supply chain security at scale. Its key capabilities include:

  • Federal purchasing power: A consolidated model that reduces redundant spending and increases collective leverage with vendors through government-wide aggregation
  • Immutable life cycle tracking: Utilizes blockchain’s tamper-resistance to provide a verifiable, continuous record of asset provenance from acquisition to retirement
  • Automated vulnerability management: Real-time integration with the National Vulnerability Database (NVD) to continuously surface newly disclosed vulnerabilities associated with deployed assets
  • Machine-processable compliance: Leverages the Open Security Controls Assessment Language (OSCAL) to enable automated risk assessments, continuous monitoring, and scalable life cycle management across heterogeneous environments

While BloSS@M is optimized for software, where end-to-end automation is most achievable, the approach is architected to support hardware assets when integrated with appropriate physical delivery and retrieval mechanisms.

Submit Your Comments:

NIST invites input from federal agencies, industry partners, researchers, and the broader cybersecurity community. The public comment period is open through June 26, 2026.

    How to Participate:

    Email your completed template to blossom [at] nist.gov using the subject line "NIST.IR.8500A Comments".

    Released May 19, 2026