GSA Working Group Publishes Certified Tag Requirements

The GSA Working Group approved the final version of the certification requirements for software identification tags on August 13, 2010. After going through a final TagVault.org editing process, the document became available on August 30, 2010 for members of TagVault.org to download and reference. TagVault.org will soon announce how non-member organizations can access the certification requirements to ensure all organizations can get the details of certification requirements.

 

Take Away Information

  • Certified software identification (SWID) tags save money and time and provide significantly more accurate software identification and reporting
  • Certified SWID tags should be a requirement included as part of the purchasing process
  • If publishers do not include certified SWID tags, they should be willing to limit the audit clauses
  • Software publishers can create and include certified SWID tags with very little effort and cost
  • Software publishers also benefit from including SWID tags
  • Many SAM tool providers already support SWID tags
  • The Asset Management level of certification provides consistency in terminology and specifies the data elements required to significantly improve software asset management processes today while not imposing any significant costs on software publishers
  • Authoritative software identification is beneficial to tool providers as well, who generally do not have or use publisher-approved identification processes
  • Certification documentation is available to TagVault.org members above the adopter level today and will be made available to any user in the very near future

Benefits of Certified SWID Tags

 
Certified software identification tags provide benefits to all members of the software ecosystem, including software publishers, software purchasing organizations and tool providers. Each of these ecosystem members has a vested interest in ensuring that software identification procedures can be done in a more accurate and authoritative manner than is possible today. In late 2009, an article for TickIT international outlined a number of reasons why all software titles deserve better identification information and how all members of the software ecosystem benefit from accurate and authoritative software identification.
Doc Burnham wrote a white paper on how end-user organizations can use Software Identification Tags in their software deployment processes today in order to enhance their Software Asset Management procedures. If end-users follow the details specified in the certification requirements, they will benefit by seeing their reporting systems consistently applied regardless of whether they are collecting their own SWID tags or certified SWID tags that have been provided by the publisher.
Certified software identification tags are generally installed along with the software they identify. This means that if software purchasing organizations require certified SWID tags from their publishers, when software is installed on a computing device (regardless of platform or publisher), the purchasing organization will be able to identify exactly what is installed and know that the details provided by different publishers or for different operating systems will be consistent and easily reported and understood.
Finally, for those large, geographically dispersed organizations with decentralized purchasing and reporting, the use of certified software identification tags is even more important. Many organizations use multiple different software discovery and software asset management (SAM) or reporting tools throughout their organization. It is very difficult to consolidate information from these various systems because every tool uses its own unique database with its own unique product names and details. By requiring certified software identification tags, all data elements provided through every discovery, SAM and reporting tool are based on exactly the same information. This allows organizations to consolidate information from across all business/organizational units into one centralized database that can be reviewed and validated. This provides many benefits, including the ability to:
  • Cross-reference data from multiple different tools in an automated fashion
  • Have a single point of reference for all software products installed in the organization
  • Lower organizational risk by validating license compliance
  • Lower organizational risk by validating that only approved software is installed on the organization's computing devices
  • Lower help-desk costs by validating installation images and having a more accurate software installation report for all systems in the organization
Accurate software identification is one of the first data points IT organizations turn to for various reasons – security, help desk, desktop management, desktop compliance, license compliance, etc. Today, accurate software identification is extremely difficult to do well for all software products from all software suppliers on all operating platforms. Requiring certified SWID tags from your software suppliers resolves this issue.

Current Software Identification Procedures

Current software identification procedures are generally based on an archaeological approach. Client agents look at all executable files on the system along with a number of system settings and try to reconstruct the software title that must have been installed on the device. This works reasonably well for some basic software titles, but does not scale since the vendors' databases need to be continually updated as new software titles, patches, updates, etc. are released. Additionally, few vendors focus on the variety of platforms in use within organizations today, and this problem is getting even more complicated with the introduction of smart phones that have the computational power of desktop computers from as recently as a few years ago.
Howard Hastings from CA wrote a white paper detailing the complexities of Software Identification procedures. If you're looking for more details on why this issue is so difficult to manage without certified software identification tags, have a look at his white paper.
Steve Klos also wrote a white paper detailing a number of issues regarding the current "state of the art" regarding software identification and how certified software identification tags can resolve many issues the market has today. This too is worth a review to gain more insights on the problems of software asset and security management today and how certified software identification tags can help your organization.

Announcement of the Certification Requirements

The TagVault.org press release on the certification requirements availability was distributed on August 30, 2010. The certification requirements are available to TagVault.org members above the adopter level – look in the members-only area under Member Exclusive Content to get access. Further details on how non-members or adopter members can access the certification requirements will be provided the week of August 30.

Development Team

TagVault.org would like to thank the following for their efforts to create the certification requirements document:

| Document Version | Authors | Organization |
|---|---|---|
| 1.0 – Initial release | Steve Klos | TagVault.org |
| 2.0 – Developed by the GSA Certified SWID Tag Requirements Working Group | Alan Vander Mallie | U.S. General Services Administration |
| | Howard Hastings | CA Technologies, Inc. |
| | Jim Cecil | Cowan & Associates, Inc. |
| | John Bordwine | Symantec Corporation |
| | John Richardson | Symantec Corporation |
| | Michel Avenel | CA Technologies, Inc. |
| | Rene Kolga | Symantec Corporation |
| | Roger Cummings | Symantec Corporation |
| | Steve Klos | TagVault.org |
| | Unlisted | Department of Defense |

Individuals or organizations who wish to participate in other TagVault.org working groups need to be members of the organization above the adopter level. You can get information on how to join TagVault.org as well as get access to the bylaws that are used to manage the organization from the Join TagVault.org link under the About Us menu.