The National Institute of Standards and Technology is releasing Draft NIST Interagency Report (NISTIR) 8011 Volume 3, Automation Support for Security Control Assessments: Software Asset Management. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments to facilitate information security continuous monitoring, ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework as described in NIST Special Publication (SP) 800-37 and the guidance in SP 800-53 and SP 800-53A, in particular.
NISTIR 8011 Volume 3 provides an operational approach for automating security control assessments to manage software download and installation and the execution of unauthorized and/or malicious software, known as malware).
When software programs in a network are unmanaged or unidentified, they are vulnerable to attacks, and the programs can be used as a persistent platform from which to attack components on a network, NIST said in a release. To address these vulnerabilities, NIST and DHS researchers have developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Asset Management (SWAM). The focus of the SWAM capability is to manage risk created by unmanaged or unauthorized programs that are on a network.
NISTIR 8011 will ultimately consist of 13 volumes. Volumes 1 and 2 were published in 2017. Volume 3 provides details specific to the software asset management security capability. The remaining 10 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volumes 2 and 3.
Public comment period is open through May 4, 2018. Please submit public comments to email@example.com. Comments are accepted in any desired format.