NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Automation Support for Security Control Assessments: Software Asset Management

Published

Author(s)

Kelley L. Dempsey, Nedim S. Goren, Paul Eavy, George Moore

Abstract

The NISTIR 8011 volumes focus on each individual information security capability, adding tangible detail to the more general overview given in NISTIR 8011 Volume 1, and providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 3 of NISTIR 8011, addresses the Software Asset Management (SWAM) information security capability. The focus of the SWAM capability is to manage risk created by unmanaged software on a network. Unmanaged software is a target that attackers can use as a platform from which to attack components on the network.
Citation
NIST Interagency/Internal Report (NISTIR) - 8011 Volume 3
Report Number
8011 Volume 3
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.IR.8011-3

Keywords

actual state, assessment, assessment boundary, assessment method, authorization boundary, automated assessment, automation, capability, continuous diagnostics and mitigation, dashboard, defect, defect check, desired state specification, software asset management, information security continuous monitoring, firmware, ISCM dashboard, inventory management, malware, malicious code, mobile code, mitigation, ongoing assessment, root cause analysis, security automation, security capability, security control, security control assessment, security control item, software executable, SWID tag, software injection, software product, software whitelisting
Cybersecurity and privacy

Citation

Dempsey, K. , Goren, N. , Eavy, P. and Moore, G. (2018), Automation Support for Security Control Assessments: Software Asset Management, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8011-3 (Accessed October 18, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created December 6, 2018, Updated January 27, 2020
Was this page helpful?