Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications by:

Search Title, Abstract, Conference, Citation, Keyword or Author
Displaying 1 - 23 of 23

Transitioning to the Security Content Automation Protocol (SCAP) Version 2

September 10, 2018
Author(s)
David A. Waltermire, Jessica Fitzgerald-McKay
The Security Content Automation Protocol (SCAP) version 2 (v2) automates endpoint posture information collection and the incorporation of that information into network defense capabilities using standardized protocols. SCAP v2 expands the endpoint types

The Technical Specification for the Security Content Automation Protocol (SCAP) Version 1.3

February 14, 2018
Author(s)
David A. Waltermire, Stephen D. Quinn, Harold Booth, Karen Scarfone, Dragos Prisaca
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along

Guide to Cyber Threat Information Sharing

October 4, 2016
Author(s)
Christopher S. Johnson, Mark L. Badger, David A. Waltermire, Julie Snyder, Clem Skorupka
Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Cyber threat information includes indicators of compromise; tactics, techniques, and procedures used by threat actors

Improving Security and Software Management through the use of SWID Tags

July 13, 2016
Author(s)
David A. Waltermire, Larry Feldman, Gregory A. Witte
This bulletin summarized the information presented in NISTIR 8060, "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags". The publication provides an overview of the capabilities and usage of SWID tags as part of a

Guidelines for the Creation of Interoperable Software Identification (SWID) Tags

April 22, 2016
Author(s)
David A. Waltermire, Brant Cheikes, Larry Feldman, Gregory A. Witte
This report provides an overview of the capabilities and usage of software identification (SWID) tags as part of a comprehensive software lifecycle. As instantiated in the International Organization for Standardization/International Electrotechnical

NIST and Computer Security

April 4, 2014
Author(s)
William E. Burr, Hildegard Ferraiolo, David A. Waltermire
The US National Institute of Standards and Technology's highly visible work in four key areas--cryptographic standards, role-based access control, identification card standards, and security automation--has and continues to shape computer and information

Common Platform Enumeration: Applicability Language Specification Version 2.3

August 19, 2011
Author(s)
David A. Waltermire, Paul R. Cichonski, Karen Scarfone
This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product

Common Platform Enumeration: Dictionary Specification Version 2.3

August 19, 2011
Author(s)
Paul R. Cichonski, David A. Waltermire, Karen Scarfone
This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary Specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming

Common Platform Enumeration: Name Matching Specification Version 2.3

August 19, 2011
Author(s)
Mary Parmelee, Harold Booth, David A. Waltermire, Karen Scarfone
This report defines the Common Platform Enumeration (CPE) Name Matching version 2.3 specification. The CPE Name Matching specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and

Common Platform Enumeration: Naming Specification Version 2.3

August 19, 2011
Author(s)
Brant Cheikes, David A. Waltermire, Karen Scarfone
This report defines the Common Platform Enumeration (CPE) Naming version 2.3 specification. The CPE Naming specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE

Specification for the Asset Reporting Format 1.1

June 21, 2011
Author(s)
David A. Waltermire, Adam Halbardier, Mark Johnson
This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of information about assets and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating

Specification for Asset Identification 1.1

June 17, 2011
Author(s)
David A. Waltermire, John Wunder, Adam Halbardier
Asset identification plays an important role in an organization‟s ability to quickly correlate different sets of information about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers and/or

Specification for the Open Checklist Interactive Language (OCIL) Version 2.0

April 7, 2011
Author(s)
David A. Waltermire, Karen Scarfone, Maria Casipe
This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a standardized basis for expressing questionnaires and related information, such as answers to questions and final questionnaire results, so

Guide to Using Vulnerability Naming Schemes

February 25, 2011
Author(s)
David A. Waltermire, Karen Scarfone
This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). Draft SP 800-51 Revision 1 gives an introduction to both naming schemes and makes