How to identify IT assets so you can secure them

 

Connecting state and local government leaders

NIST has released a scheme based on existing industry standards for identifying assets as part of the FISMA-mandated automated approach to security.

Before you can manage an IT asset or secure it, you have to know it’s there, and that isn’t always as easy as it might sound. So the National Institute of Standards and Technology has released an asset identification scheme, based on existing industry standards, to help agencies automating their security to know what they have.

Until now, NIST says in its most recent Interagency Report, “existing security automation specifications either do not consider asset identification or represent identification information differently than other specifications with which they interoperate.”

NIST IR 7693 Specification for Asset Identification 1.1 remedies this lack of a standardized scheme and should allow the reporting, sharing and correlating of information across multiple platforms and organizations.


Related stories:

NIST aids the cause of real-time security

Continuous monitoring has some growing up to do


The new specification uses a number of existing mechanisms for representing asset information, including the Common Platform Enumeration (CPE), a structured naming scheme that is being updated by NIST and Mitre Corp. as part of an effort to automate government IT security processes. The public comment period for two draft Interagency Reports proposing revised CPE specifications has been extended through June 24.

Agencies must have accurate inventories of IT infrastructures to comply with the Federal Information System Management Act, which also requires that assets be monitored and managed to ensure adequate security and manage risks to systems and information.

But systems are notoriously heterogeneous and usually contain a variety of legacy and current products. Standardizing data from various sources in a common format is expensive and unreliable. NIST IR 7693 provides constructs needed to uniquely identify assets based on known identifiers and known information about the assets.

The Asset Identification specification includes a standardized data model using Extensible Markup Language elements, methods for identifying assets, and guidelines on how to use asset identification.

NIST expects that other standards, data formats, tools, processes, and organizations will reference this specification to ensure compatibility in describing how to represent asset identification information.

This specification uses several industry-standard mechanisms for representing information consistently. It leverages the extensible Address Language (xAL) created by the Organization for the Advancement of Structured Information Standards (OASIS), an XML standard format for representing international address information. The extensible Name Language (xNL) by OASIS is an XML standard format for representing the names of people and organizations.

CPE is a naming scheme for IT systems, platforms and packages. It is a component of the Security Content Automation Protocol (SCAP), which helps enable the automated assessment of the security status of IT systems. Based upon the generic syntax for Uniform Resource Identifiers, CPE includes a formal name format. CPE Version 2.3, Well-Formed Names (WFN), are used as software-identifying information by this specification.

The second draft of IR-7695, CPE Naming Specification Version 2.3 was released by NIST in May and defines the logical structure of names for IT product classes and the procedures for binding and unbinding them to and from machine-readable encodings.

Released at the same time, the second draft of IR-7696, CPE Name Matching Specification Version 2.3 provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name. CPE Name Matching methods can determine if common set relations hold between different platforms.

“For example, CPE Name Matching can determine if the source and target names are equal, if one of the names is a subset of the other, or if the names are disjointed,” the report states.

Both proposed specifications also include requirements for IT products for conformance with the proposed revisions of CPE.

The draft reports describe significant changes in naming specifications from the current CPE Version 2.2 to 2.3. The proposed version would create opportunities for growth and innovation in future versions for the ways that machines exchange product descriptions and also helps to make the new version backward compatible with earlier specifications.

The comment period on the two drafts, which originally ended on May 20, has been extended through June 24. Comments on the reports 7695 and 7696 should be sent to cpe-comments@nist.gov.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.