ISO/IEC 19770 - ISO/IEC 19770-2: Software Identification Tag

ISO/IEC 19770-2: Software Identification Tag

ISO/IEC 19770-2 provides a software asset management (SAM) data standard for software identification (SWID) tags. Software ID tags provide authoritative identifying information for installed software or other licensable item (such as fonts, or copyrighted papers).

This process starts with the software manufacturer/publisher who will use this standard to enable their software to be accurately identified, making the software significantly more manageable from a software asset management perspective. Providing accurate software identification data also improves organizational security, and lowers the cost and increases the capability of many IT processes such as patch management, desktop management, help desk management, software policy compliance, etc. This standard provides much more than just software identification however, by allowing other members of the SAM eco-system to add their own attributes to the software identification process (including who distributed the software, who may have re-packaged the software, if the software is following an ISO 20000 / ITIL release process, etc.).

SWID tags can also be created by software purchasing organizations. Tags can be created for commercial software that is purchased but does not include a SWID tag. SWID Tags can also be utilized to track software built in-house as well.

A draft of this standard was initially developed by a committee of the International Business Software Managers Association (IBSMA). The last version of the draft standard created by the IBSMA committee went out for public review in May 2007.

In October 2007, members of ISO/IEC Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21) met in Montreal and created an "other working group" (OWG) to continue the development of the 19770-2 standard with the goal of finalizing the standard in time for the ISO Plenary meeting to be held in May 2008 in Berlin. At that time, Steve Klos of Agnitio Advisors, was appointed as the convener of the other working group (OWG). In late December 2007, the OWG was allowed to restart work on the standard.

According to the schedule ISO/IEC JTC1/SC7 plenary meeting took place in Berlin May 18 – 23, 2008. The JTC1/SC7 resolutions included appointment of Krzysztof (Chris) Baczkiewicz, IT Standards Support Department Manager for Eracent, as the Editor of both 19770-2 Software Identification Tag and 19770-3 Software Entitlement Tag standards.

This standard was finalized and published in November 2009.

As the document was nearing publication, a non-profit organization called TagVault.org was formed. The organization was formed under IEEE-ISTO with the initial founding members being Symantec, CA Technologies, Microsoft and ModusLinkOCS. The organization will act as a registration and certification authority for ISO/IEC 19770-2 software identifiation tags (SWID Tags) and will provide tools and services allowing all SAM eco-system members to take advantage of SWID tags faster, with a lower cost and with more industry compatibility than would otherwise be possible.

TagVault.org continues to promote the use of the standard by commercial organizations and has been recognized for its service to the software community by ISO/IEC JTC1 SC7 WG21. TagVault.org received the Platinum Contributor award for its efforts today - see http://www.19770.org/news/5/Tagvault_receives_platinum_contributor_award/ for more details.

Some software installation packaging tools utilize SWID tags. These products include:

• Caphyon's Advanced Installer
• Flexera Software's InstallShield
• Flexera Software's InstallAnywere
• Open Source - WiX

Many software discovery tools already utilize SWID tags. These products include: Altiris, Aspera License Management, CA Technologies discovery tools, Eracent's EnterpriseAM, Flexera Software's FlexNet Manager Platform, HP's DDMI and Software Management Suite.

Adobe has released multiple versions of their Creative Suites products with SWID tags. Symantec has also released multiple products that include SWID tags and is committed to helping move the software community to a more consistent and normalized approach to software identification and eventually to a more automated approach to compliance (see http://www.tagvault.org/sites/default/files/SYMC%20ISO-IEC%2019770-2%20Position%20Statement%2012-2-2010.pdf).

The US Federal Government has identified 19770-2 SWID tags as an important aspect of the efforts necessary to manage compliance activities, logistics and security. The 19770-2:2009 standard has been approved to be added to the US DoD Information Standards Registry (DISR) as an emerging standard in September 2012. This means that the DoD can start to specify that SWID tags as a desired requirement for software acquisitions today, and within 12 to 24 months after the DISR approval, the DoD will be able to transition the purchase requirements from desired to mandated.