CISA Seeks Comments on Software Identifier Ecosystem White Paper

The Cybersecurity and Infrastructure Security Agency is soliciting comments on its white paper exploring the creation of a software identifier ecosystem that would enable all organizations to enhance user support, inventory administration and vulnerability management.

According to the white paper titled “Software Identification Ecosystem Option Analysis,” an effective software identification ecosystem requires software identifiers that are present in all software items and support both precision and grouping. However, no existing software identifier meets both requirements, CISA said.

Software identifiers serve as labels for specific versions of software that conform to a defined format. According to the agency, current identification solutions are unharmonized, causing the same software products and their versions to have inconsistent identifiers across the ecosystem. 

Sandy Radesky, associate director for vulnerability management at CISA, said an improved identification solution will enable greater automation and inventory visibility and the adoption of software bills of materials.

Comments on the white paper are due Dec. 11.