Common Configuration Enumeration (CCE) -- About CCE

About CCE

CCE List

References
Editorial Policies
Community

CCE Working Group
Join the CCE Effort
News & Events

Calendar
Contact Us

About CCE

Introduction | Why CCE | Community | Contact Us

Introduction

The CCE List provides unique identifiers to security-related system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

For example, CCE Identifiers have been used to cross-correlate the configuration statements in configuration best-practice documents from the Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), National Security Agency (NSA), and Defense Information Systems Agency (DISA).

CCE provides a mapping between the elements in these Configuration Best-Practice Documents:

CIS Benchmark Documents

NIST Security Configuration Guides

NSA Security Configuration Guides

DISA Security Technical Implementation Guides (STIGS)

Why CCE

When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE) provides this capability for information security vulnerabilities.

Similar to the CVE and CME efforts, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCE ids as tags provide a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.

Each entry on the CCE List contains the following five attributes:

• CCE Identifier Number – current version is "CCE-2715-1"
• Description – a humanly understandable description of the configuration issue
• Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
• Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
• Citations – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail

Currently, CCE is focused solely on software-based configurations. Recommendations for hardware and/or physical configurations are not supported. Refer to the CCE List for more information.

Community

CCE is industry-endorsed through the CCE Working Group, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.

We encourage members of the information security community to participate in the CCE effort by offering feedback on the CCE List and Editorial Policies or by joining the Working Group.

Contact Us

Please send any feedback about CCE to cce@mitre.org.