Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Automation Support for Security Control Assessments: Software Asset Management



Kelley L. Dempsey, Nedim S. Goren, Paul Eavy, George Moore


The NISTIR 8011 volumes focus on each individual information security capability, adding tangible detail to the more general overview given in NISTIR 8011 Volume 1, and providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 3 of NISTIR 8011, addresses the Software Asset Management (SWAM) information security capability. The focus of the SWAM capability is to manage risk created by unmanaged software on a network. Unmanaged software is a target that attackers can use as a platform from which to attack components on the network.
NIST Interagency/Internal Report (NISTIR) - 8011 Volume 3
Report Number
8011 Volume 3


actual state, assessment, assessment boundary, assessment method, authorization boundary, automated assessment, automation, capability, continuous diagnostics and mitigation, dashboard, defect, defect check, desired state specification, software asset management, information security continuous monitoring, firmware, ISCM dashboard, inventory management, malware, malicious code, mobile code, mitigation, ongoing assessment, root cause analysis, security automation, security capability, security control, security control assessment, security control item, software executable, SWID tag, software injection, software product, software whitelisting
Created December 6, 2018, Updated January 27, 2020