National Institute of Standards and Technology (NIST) - Information technology Laboratory (ITL)

SWID Tags - Software Identification (SWID) Tags

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publishes, ISO/IEC 19770-2, a standard for software identification (SWID) tags that defines a structured metadata format for describing a software product. A SWID tag document is composed of a structured set of data elements that identify the software product, characterize the product's version, the organizations and individuals that had a role in the production and distribution of the product, information about the artifacts that comprise a software product, relationships between software products, and other descriptive metadata. The information in a SWID tag provides software asset management and security tools with valuable information needed to automate the management of a software install across the software's deployment lifecycle. SWID tags support automation of software inventory as part of a software asset management (SAM) process, assessment of software vulnerabilities present on a computing device, detection of missing patches, targeting of configuration checklist assessments, software integrity checking, installation and execution whitelists/blacklists, and other security and operational use cases.

Development of the SWID tag standard is part of the work program of ISO/IEC Joint Technical Committee (JTC) 1, Subcommittee (SC) 7, Working Group (WG) 21. ISO/IEC JTC1, SC7, WG21 focuses on IT Asset Management (ITAM) and SAM standards with WG members from a number of countries.

NIST has produced a set of guidelines for the creation of interoperable SWID tags, published as NISTIR 8060. NIST has also incorporated the use of SWID tags in the SCAP 1.3 revision.

SWID Specification Resources

ISO/IEC 19770-2:2015 Resources

Documents:
ISO/IEC 19770-2:2015 Specification (PDF) - September 2015
NIST Guidelines for the Creation of Interoperable SWID Tags (PDF) - April 2016
XML Schema Files: [what is a schema?]
ISO/IEC 19770-2:2015 Schema (XSD 1.0) - September 2015 - xsd:import statements use absolute URLs
SWID Tag Extensions from NISTIR 8060 (XSD 1.0) - April 2016 - xsd:import statements use relative URLs
SWID Tag Validation Tool:
ISO/IEC 19770-2:2015 and NISTIR 8060 SWID Tag Validation (SWIDVal) Tool Version 0.5.0 (ZIP) (TAR/BZ2) - July 2017