Rockville, Maryland - NIST and DHS are pleased to host a workshop on Software Identification (SWID) Tag Implementation and Use on April 26, 9:00 a.m. to 5:00 p.m., and on April 27, 9:00 a.m. to 12:00 p.m., with a Tag Signing Working Group Open Meeting from 1:00 p.m. to 4:30 p.m.
This event will be held at the National Cybersecurity Center of Excellence (NCCoE), 9700 Great Seneca Highway, Rockville, MD. As the venue/location host, the NCCoE is excited to support NIST and DHS in this effort.
Strengthening the security and resilience of United States Government (USG) civilian and military networks and critical infrastructure is a top national priority. If broadly implemented by software providers, SWID tags promise to significantly enhance the ability of USG departments and agencies to rapidly and accurately characterize the software assets discovered to be present within their enterprise networks. In turn, this will facilitate efforts to reduce vulnerabilities in our information technology systems and prevent future attacks. In addition to their value for cybersecurity, SWID tags will also help USG departments and agencies improve their ability to track and manage software licenses, thereby reducing cost and increasing efficiency.
The SWID tag effort aligns with the President’s 2016 Federal Cybersecurity Research and Development Strategic Plan, which was released on February 5, 2016. The plan challenges the cybersecurity research and development (R&D) community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. Use of SWID tags in this context helps to provide the information necessary for tools to ensure that software is updated, resulting in fewer exploitable vulnerabilities, and that software integrity can be measured to detect and prevent software tampering.
The goal of the workshop is to assemble a broad audience of SWID tag creators, users, and stakeholders to actively participate in engineering-level discussions on various topics related to SWID tags, including implementation challenges. The agenda will comprise detailed technical topics drawn from the guidelines within the NIST Interagency Report (IR) 8060, “Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.” We plan to cover the following topics:
- SWID tag 101 (general overview of SWID tags)
- Provision of payload and evidence elements of SWID tags
- Distribution mechanisms for SWID tags
- Implementation of patch tags
- Internationalization of SWID tags
- Digital signing of SWID tags
Registration and attendance are free of charge, but advance registration is required. Please register online.
It is recommended that participants attending the workshop be familiar with NIST IR 8060. The fourth public draft can be found online.