CCE Home Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status — read the announcement


About CCE — Archive


The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.

For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice documents including the Center for Internet Security’s (CIS) CIS Benchmark Documents, National Institute of Standards and Technology’s (NIST) NIST Security Configuration Guides, National Security Agency’s (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency’s (DISA) DISA Security Technical Implementation Guides (STIGS).

In addition, CCE is also one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.


When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE®) provides this capability for information security vulnerabilities.

Similar to the CVE effort, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements and configuration controls that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCE-IDs as tags provide a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.

Each entry on the CCE List contains the following five attributes:

  • CCE Identifier Number – "CCE-2715-1"
  • Description – a humanly understandable description of the configuration issue
  • Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
  • Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
  • References – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail

Currently, CCE is focused solely on software-based configurations. Recommendations for hardware and/or physical configurations are not supported. Refer to the CCE List for more information.



CCE is industry-endorsed through the CCE Working Group, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.

Contact Us

Please send any feedback about CCE to



Page Last Updated: March 22, 2013