Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues

The CCE Website is in "Archive" status.

Moderation

MITRE and Information Assurance Data Standards

CCE is currently managed by The MITRE Corporation. MITRE is a not-for-profit corporation, chartered to work solely in the public interest.

MITRE operates three U.S. Federally Funded Research and Development Centers (FFRDCs). The FFRDC sponsored by the Department of Defense (DoD) specializes in command, control, communications, and intelligence systems. The FFRDC sponsored by the Federal Aviation Administration focuses on the development of a safe, efficient, worldwide air traffic management system. MITRE’s newest FFRDC, sponsored by the Internal Revenue Service (IRS), provides technical and program management advice to the IRS and other Treasury Department agencies in support of enterprise systems modernization.

It is the FFRDC role that has led MITRE to collaborate with industry and government to create several data standards efforts in the information security or information assurance (IA) industry. Launched in 1999, the Common Vulnerability and Exposure (CVE®) List is the oldest of these standards. Other MITRE-managed IA data standards include the Open Vulnerability and Assessment Language (OVAL®), the Common Weakness Enumeration (CWE™), the Common Platform Enumeration (CPE™), and the Common Attack Pattern Enumeration and Classification (CAPEC™).

An FFRDC is a unique organization that assists the U.S. government with scientific research and analysis, development and acquisition, and/or systems engineering and integration. FFRDCs address long-term problems of considerable complexity, analyze technical questions with a high degree of objectivity, and provide creative and cost-effective solutions to government problems. Working in the public interest, FFRDCs operate as long-term strategic partners with their sponsoring government agencies. In order to ensure the highest levels of objectivity, FFRDCs are organized as independent entities with limitations and restrictions on their activities. This unique standing permits FFRDCs to approach difficult problems while maintaining a long-term perspective. Since FFRDCs are prohibited from manufacturing products, competing with industry, or working for commercial companies, industry and government confidently provide them with sensitive information.

A complete list of MITRE-managed IA data standards along with a list of related government and industry standards can be found on the Making Security Measurable Web site.

Current Management of CCE

In fulfillment of its FFRDC charter, MITRE seeks to employ a standards development and management approach for its data standards that will (1) reflect the long-term strategic needs of our governmental sponsors, and (2) be useful and adopted by industry while remaining non-competitive with industry. It should be emphasized that these goals are not in conflict with each other. It is in the public’s and government’s best interest for CCE (and the other data standards) to develop and mature in a way that provides real value for industry and that fosters widespread adoption within the industry. To meet this goal, MITRE employs a range of different standards development and management practices which are tailored to reflect the different needs of the different sub-industries and the different maturity levels of the standards effort.

As part of its management of CCE, MITRE moderates the CCE Working Group. The Working Group’s membership is made up of interested stakeholders from government, commercial tool vendors, end users of tools, and academics. The Working Group discusses CCE on an email list, on monthly teleconferences, and occasionally at face-to-face meetings. MITRE facilitates discussion of topics on the mail list and moderates the teleconferences and face-to-face meetings. MITRE seeks and considers the input of all participants in the Working Group and strives to help the group arrive at consensus on decisions. Part of the consensus-building process includes informal votes, or straw ballots. When clear consensus is not apparent, MITRE makes decisions on the standard in close consultation with our government sponsors, with the goal of ensuring the maximum benefit to the public interest.

Sponsor

CCE is sponsored by the Vulnerability Analysis & Operations Group of the U.S. National Security Agency (NSA).

Page Last Updated: February 01, 2012