Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues
CCE Website is in "Archive" status — read the announcement
 

   

FAQs — Archive

Introduction

A1. What is CCE?

The Common Configuration Enumeration, or CCE, assigns unique entries (also called CCEs) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to comparable data standards such as the Common Vulnerabilities and Exposures (CVE®) List, which assigns identifiers to publicly known system vulnerabilities.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.

A2. What is a configuration guidance statement? What is a configuration control?

A "configuration guidance statement" specifies a preferred or required setting or policy for a computer system. Configuration statements can be found in a variety of repositories such as security guides, benchmarks, vendor guidance and documentation, configuration assessment and management tools, and consolidated reporting systems.

Examples include:

  • The required permissions for the directory %SystemRoot%\System32\Setup should be assigned to the "Administrator account" only.
  • The "account lockout threshold" setting should be set to 3.
  • The startup type of the Remote Shell service should be set to "disabled".

A "configuration control" is a configurable unit of control within the conceptual security model of a computer system.

Examples include:

  • The access permissions for files and directories, such as %SystemRoot%\System32\Setup.
  • The account policy settings, such as the account lockout threshold setting.
  • The startup type for network services, such as the Remote Shell service.

See About CCE Entries for more information.

A3. Why CCE? How will it benefit me or my organization?

Use of CCEs improves configuration management work processes by allowing people to quickly and accurately correlate configuration data across multiple information sources and tools.

CCEs are associated with configuration issues that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCEs as tags provides a bridge between natural-language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.

A4. What are some examples of CCE in use?

CCEs are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide.

CCEs are the main identifiers used for the settings in the Federal Desktop Core Configuration (FDCC) data file downloads. In addition, CCE is one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.

A5. What is MITRE’s role?

The MITRE Corporation manages and maintains the creation of the CCE List with assistance from the CCE Working Group, conducts community outreach activities, maintains the CCE Web site, and provides neutral guidance throughout the process to ensure that CCE serves the public interest.


CCE List

B1. What is a CCE entry?

CCE entries are unique, common identifiers assigned to particular security-related configuration issues. Each entry on the CCE List contains the following five attributes:

  • CCE Identifier Number — "CCE-2715-1"
  • Description — a humanly understandable description of the configuration issue
  • Conceptual Parameters — parameters that would need to be specified in order to implement a CCE on a system
  • Associated Technical Mechanisms — for any given configuration issue there may be one or more ways to implement the desired result
  • References — pointers to the specific sections of the documents or tools in which the configuration issue is described in detail

Refer to the CCE List for more information.

B2. What is the format of the CCE Identifier (CCE-ID) number?

The format of a CCE Identifier number is "CCE-2715-1":

  • CCE = the type of identifier
  • 2715 = the identifier, which is random and non-descriptive
  • 1 = a check digit produced according to the Luhn Check Digit Algorithm, which can be used to detect common transcription errors
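The check-digit rule above, as an added example that is not part of the original FAQ or of any MITRE tooling: a validator that recomputes the Luhn digit and rejects mistyped identifiers before they are used to correlate findings. The function names, the sample lines, and the assumption that the middle field may be any number of decimal digits are illustrative.

```python
import re

# Assumption: the middle field is one or more decimal digits; the page
# only shows the four-digit form "CCE-2715-1".
CCE_RE = re.compile(r"^CCE-([0-9]+)-([0-9])$")


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string (rightmost digit is doubled first)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9  # digit sum of the doubled value
        total += d
    return (10 - total % 10) % 10


def parse_cce_id(text: str) -> str:
    """Validate a CCE-ID and return it normalized; raise ValueError otherwise."""
    m = CCE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a CCE-ID: {text!r}")
    number, check = m.group(1), int(m.group(2))
    expected = luhn_check_digit(number)
    if check != expected:
        raise ValueError(f"bad check digit in {text!r}: expected {expected}")
    return f"CCE-{number}-{check}"


def extract_valid_ids(lines):
    """Scan report lines and return (valid_ids, rejected_tokens)."""
    valid, rejected = [], []
    for line in lines:
        for token in re.findall(r"CCE-[0-9]+-[0-9]", line, flags=re.I):
            try:
                valid.append(parse_cce_id(token))
            except ValueError:
                rejected.append(token)
    return valid, rejected


# Constructed sample input: the page's example ID, a single-digit typo of
# it, and an adjacent transposition of it.
SAMPLE = [
    "finding 1: lockout threshold, ref CCE-2715-1",
    "finding 2: ref cce-2716-1",
    "finding 3: ref CCE-2175-1",
]
```

Running `extract_valid_ids(SAMPLE)` keeps only the correctly transcribed identifier; the two mistyped variants fail the check digit and land in the rejected list.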

B3. How are CCEs created?

See CCE Entry Creation Process.

B4. What is a CCE "platform group"?

A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies. CCE’s platform groups adhere to the same level of granularity commonly found in security configuration guidance that is written for individual platforms, as well as in the sets of checks and other features found in configuration audit and management tools. Examples include Microsoft Windows XP and Sun Solaris 10. See About CCE Entries for a detailed discussion.

B5. Which platform groups does CCE cover?

Refer to the CCE List page for a detailed list.

B6. What are the sources that CCE entries reference?

See CCE List References.

B7. How often are there new versions of the CCE List?

CCE List downloads are updated by individual platform group as necessary. The version of each file is the date of the individual download file, which is noted for each file on the CCE List page and encoded in the download file name.


CCE Community

C1. What is the CCE Working Group?

The CCE Working Group contributes to the ongoing development of the CCE List through an email discussion list and teleconference meetings. The group includes representatives from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. See the list of participants.

C2. How can I or my organization join the Working Group?

See the CCE Working Group page.

IMPORTANT: Activity on the CCE effort has been suspended, and the CCE Web site has been moved to "Archive" status. Read the complete message on the homepage.


      

Page Last Updated: March 22, 2013