Workshop on Software Identification (SWID) Tag Implementation

Co-Hosted by the National Institute of Standards and Technology (NIST)
and the Department of Homeland Security (DHS)

26-27 April 2016, in Rockville, MD
National Cybersecurity Center of Excellence (NCCoE)
9700 Great Seneca Highway, Rockville, MD

Update 4/5 — View the agenda [PDF].

NIST and DHS are pleased to announce a workshop on Software Identification (SWID) Tag Implementation and Use. This event will be held April 26, from 9:00 a.m. to 5:00 p.m., and April 27, from 9:00 a.m. to 12:00 p.m. followed by a Tag Signing Working Group Open Meeting from 1:00 p.m. to 4:30 p.m. The workshop will be held at the National Cybersecurity Center of Excellence (NCCoE), 9700 Great Seneca Highway, Rockville, MD.

Strengthening the security and resilience of United States Government (USG) civilian and military networks and critical infrastructure is a top national priority. If broadly implemented by software providers, SWID tags promise to significantly enhance the ability of USG departments and agencies to rapidly and accurately characterize the software assets discovered to be present within their enterprise networks. In turn, this will facilitate efforts to reduce vulnerabilities in our information technology systems and prevent future attacks. In addition to their value for cybersecurity, SWID tags will also help USG departments and agencies improve their ability to track and manage software licenses, thereby reducing cost and increasing efficiency.

The SWID tag effort aligns with the President's 2016 Federal Cybersecurity Research and Development Strategic Plan, which was released on February 5, 2016. The plan challenges the cybersecurity research and development (R&D) community to provide methods and tools for deterring, protecting, detecting, and adapting to malicious cyber activities. Use of SWID tags in this context helps to provide the information necessary for tools to ensure that software is updated, resulting in fewer exploitable vulnerabilities, and that software integrity can be measured to detect and prevent software tampering.

The goal of the workshop is to assemble a broad audience of SWID tag creators, users, and stakeholders to actively participate in engineering-level discussions on various topics related to SWID tags, including implementation challenges. The agenda, while still under development, will consist of detailed technical topics culled from the guidelines within the NIST Interagency Report (IR) 8060, "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags." We plan to cover some or all of the following topics:

  • SWID tag 101 (general overview of SWID tags)
  • Digital signing of SWID tags
  • Internationalization of SWID tags
  • Provision of payload and evidence elements of SWID tags
  • Distribution mechanisms for SWID tags
  • Implementation of patch and corpus tags

We encourage your feedback regarding the proposed topics and welcome additional topic ideas. Please send your ideas and feedback to us at nistir8060-comments@nist.gov.

It is recommended that participants attending the workshop be familiar with NIST IR 8060. The fourth public draft can be found here: http://csrc.nist.gov/publications/drafts/nistir-8060/nistir_8060_draft_fourth.pdf. The final report is expected to be ready by early March.

Conference registration and attendance will be free of charge, but advance registration will be required. Please complete and submit the form below to register.

If you have questions about this workshop, or would like to contact someone for more information, please send your request to nistir8060-comments@nist.gov.

Thank you for your interest in this event.

Registration is now closed.

Page last updated: April 26, 2016

Copyright © 2016, The MITRE Corporation. All rights reserved.

MITRE is a registered trademark of The MITRE Corporation. Material on this site may be copied and distributed with permission only.