NIST Internal Report (IR) 8500A ipd (initial public draft), Blockchain-Based Secure Software Assets Management (BloSS@M), outlines a modernized conceptual approach for transforming how software assets are acquired, tracked, and secured across an interagency ecosystem.
The conceptual approach for BloSS@M was developed in consideration of federal asset inventory and management requirements—including OMB Circular A-130 and OMB M-13-13—as well as NIST SP 800-37 and SP 800-53 guidelines. BloSS@M establishes a shared infrastructure for software acquisition that promotes asset reuse, eliminates duplicative procurement, and strengthens supply chain security at scale. Its key capabilities include:
- Federal purchasing power: A consolidated model that reduces redundant spending and increases collective leverage with vendors through government-wide aggregation
- Immutable life cycle tracking: Utilizes blockchain’s tamper-resistance to provide a verifiable, continuous record of asset provenance from acquisition to retirement
- Automated vulnerability management: Real-time integration with the National Vulnerability Database (NVD) to continuously surface newly disclosed vulnerabilities associated with deployed assets
- Machine-processable compliance: Leverages the Open Security Controls Assessment Language (OSCAL) to enable automated risk assessments, continuous monitoring, and scalable life cycle management across heterogeneous environments
While BloSS@M is optimized for software, where end-to-end automation is most achievable, the approach is architected to support hardware assets when integrated with appropriate physical delivery and retrieval mechanisms.
Submit Your Comments:
NIST invites input from federal agencies, industry partners, researchers, and the broader cybersecurity community. The public comment period is open through June 26, 2026.
How to Participate:
Email your completed template to [email protected] using the Subject line: "NIST.IR.8500A Comments" in your email.
