CCE Home Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status — read the announcement


FAQs — Archive


A1. What is CCE?

The Common Configuration Enumeration, or CCE, assigns unique entries (also called CCEs) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerability and Exposure (CVE®) List, which assigns identifiers to publicly known system vulnerabilities.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.

A2. What is a configuration guidance statement? What is a configuration control?

A "configuration guidance statement" specifies a preferred or required setting or policy for a computer system. Configuration statements can be found in a variety of repositories such as security guides, benchmarks, vendor guidance and documentation, configuration assessment and management tools, and consolidated reporting systems.

Examples include:

  • The required permissions for the directory %SystemRoot%\System32\Setup should be assigned to the "Administrator account" only.
  • The "account lockout threshold" setting should be set to 3.
  • The startup type of the Remote Shell service should be set to "disabled".

A "configuration control" is a configurable unit of control within the conceptual security model of a computer system.

Examples include:

  • The access permissions for files and directories, such as %SystemRoot%\System32\Setup.
  • The account policy settings, such as account lockout threshold setting.
  • The startup type for network services, such as the Remote Shell service.

See About CCE Entries for more information.

A3. Why CCE? How will it benefit me or my organization?

Use of CCEs improves configuration management work processes by allowing people to quickly and accurately correlate configuration data across multiple information sources and tools.

CCEs are associated with configuration issues that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCEs as tags provide a bridge between natural language, prose-based configuration guidance documents, and machine-readable or executable capabilities such as configuration audit tools.

A4. What are some examples of CCE in use?

CCEs are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide.

CCEs are the main identifiers used for the settings in the Federal Desktop Core Configuration (FDCC) data file downloads. In addition, CCE is one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.

A5. What is MITRE’s role?

The MITRE Corporation manages and maintains the creation of the CCE List with assistance from the CCE Working Group, conducts community outreach activities, maintains the CCE Web site, and provides neutral guidance throughout the process to ensure that CCE serves the public interest.


CCE List

B1. What is a CCE entry?

CCE entries are unique, common identifiers assigned to particular security-related configuration issues. Each entry on the CCE List contains the following five attributes:

  • CCE Identifier Number — "CCE-2715-1"
  • Description — a humanly understandable description of the configuration issue
  • Conceptual Parameters — parameters that would need to be specified in order to implement a CCE on a system
  • Associated Technical Mechanisms — for any given configuration issue there may be one or more ways to implement the desired result
  • References — pointers to the specific sections of the documents or tools in which the configuration issue is described in detail

Refer to the CCE List for more information.

B2. What is the format of the CCE Identifier (CCE-ID) number?

The format of a CCE Identifier number is "CCE-2715-1":

  • CCE = the type of identifier
  • 2715 = the identifier, which is random and non-descriptive
  • 1 = a check digit produced according to the Luhn Check Digit Algorithm, which can be used to detect common transcription errors

B3. How are CCEs created?

See CCE Entry Creation Process.

B4. What is a CCE "platform group"?

A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies. CCE’s platform groups adhere to the same level of granularity commonly found in security configuration guidance that are written for individual platforms, as well as in the sets of checks and other features found in configuration audit and management tools. For example, Microsoft Windows XP and Sun Solaris 10. See About CCE Entries for a detailed discussion.

B5. Which platform groups does CCE cover?

Refer to the CCE List page for a detailed list.

B6. What are the sources that CCE entries reference?

See CCE List References.

B7. How often are there new versions of the CCE List?

CCE List downloads are updated by individual platform group as necessary. The version of the file is the date of the individual downloads files, which are noted for each file on the CCE List page and encoded in the individual download file names.


CCE Community

C1. What is the CCE Working Group?

The CCE Working Group contributes to the ongoing development of the CCE List through an email discussion list and teleconference meetings. The group includes representatives from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. See the list of participants.

C2. How can I or my organization join the Working Group?

See the CCE Working Group page.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.



Page Last Updated: March 22, 2013