NIST CCE

The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.

For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice documents including the Center for Internet Security’s (CIS) CIS Benchmark Documents, National Institute of Standards and Technology’s (NIST) NIST Security Configuration Guides, National Security Agency’s (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency’s (DISA) DISA Security Technical Implementation Guides (STIGs).

In addition, CCE is also one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.


-- MITRE