Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues

CCE Website is in "Archive" status

News and Events - 2008 Archive

December 3, 2008

MITRE Presents Making Security Measurable White Paper at MILCOM 2008 on November 19

MITRE Principal Engineer Robert A. Martin presented a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA. The paper introduces MITRE’s Making Security Measurable effort by explaining in detail how information security data standards such as CCE, CVE, CPE, CAPEC, CWE, OVAL, and others facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar page for information on this and other upcoming events.

CCE Mentioned in MITRE News Release about Recommendation Tracker

CCE was mentioned in a December 1, 2008 MITRE news release entitled "MITRE Releases New Security Software" about its new, open source "Recommendation Tracker" software that "facilitates development of automated security benchmarks." "System administrators use benchmarks - essentially a set of recommendations - to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration."

CCE is mentioned when the release notes that Recommendation Tracker is "just the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks" and that four MITRE-run information security data standards — CCE, CVE, CPE, and OVAL — are four of the six existing standards used in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation.

The release also mentions MITRE’s free one-day Benchmark Development Course that instructs attendees how to use MITRE’s CCE, OVAL, Recommendation Tracker, and Benchmark Editor, as well as other information assurance standards and tools, to help vendors and security content developers produce good benchmarks more efficiently.

October 1, 2008

CCE-Related Workshops and "Making Security Measurable" Table Booth at Security Automation Conference 2008, September 23-25

The CCE Team contributed to CCE-related workshops and MITRE hosted a Making Security Measurable table booth at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

CCE and NIST also recently announced a partnership to facilitate community adoption of CCE with two independent but complementary efforts, a "CCE Adoption Program" managed by MITRE and a "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST. Refer to the CCE Adoption Program page for additional information.

Visit the CCE Calendar for information on this and other events.

Free CCE e-Newsletter Now Available

Online sign-up is available for the free CCE e-newsletter. Sent once per week or less, "CCE-Announce" provides general news about CCE, such as new versions, upcoming conferences, new Web site features, etc., directly to your mailbox.

You may sign up by entering your email address (required) and other information (preferred) directly into the online form. View our Privacy Policy.

September 3, 2008

CCE and NIST Partner to Create New CCE Adoption/Validation Programs

CCE has partnered with the U.S. National Institute of Standards and Technology (NIST) to promote adoption of the CCE standard with two independent but complementary efforts, a "CCE Adoption Program" managed by MITRE and the "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST.

NIST will provide additional details about the new programs at its Security Automation Conference & Workshop 2008 on September 23-24, 2008 in Gaithersburg, Maryland, USA.

During the coming months the CCE Web site will be updated to reflect the new program. Products that adopt CCE will be listed in a new CCE Adoption section. Additional information is available on the CCE Adoption Program page.

August 20, 2008

CCE Included as Topic at Security Automation Conference 2008, September 23-25

CCE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA. The CCE Team is also scheduled to contribute to the CCE-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CCE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CCE Calendar for information on this and other events.

CCE Participates in "Making Security Measurable" Booth at Black Hat Briefings 2008

CCE participated in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Visitors to the booth learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.

August 1, 2008

CCE Launches Updated Web Site

CCE has upgraded its Web site with new information and new functionality to better serve our users. The updated Web site includes the following enhancements:

CCE List content upgrades — two new download files have been added, one for "All Platform Groups" in a single combined file, and coverage for a new platform group, "Windows Server 2008"; five existing platform group downloads have also been updated (see the article immediately below for details)

About CCE Entries page — a new page focusing on CCE Entries including a description of the CCE Identifier format and detailed discussions of CCE conceptual parameters, technical mechanisms, and platform groups

CCE Entry Creation Process page — a new page describing how CCEs are assigned and encouraging OS vendors to have CCEs assigned to their configuration controls and/or new platforms

Use Cases page — detailed discussions of CCE’s five main use cases: configuration management lifecycle, guide document authoring and system design, configuration tool configuration, audit tool result integration, and regulatory compliance

Moderation page — describes how the CCE project is managed and notes the sponsor of CCE

Documents page — a central location for general and technical documents about CCE

FAQs — answers to questions such as what CCE is, why CCE, examples of CCE in use, explanations of CCE platform groups, how you can participate in this growing community effort, etc.

Free Newsletter — a sign-up page for our "CCE-Announce" email newsletter with a link to our privacy policy

Please send any comments or concerns to cce@mitre.org.

CCE List Content Updated

The following CCE List platform group download files have been updated on the CCE List page as of August 1, 2008: Windows Vista, Windows XP, Windows 2000, Windows Server 2003, and Internet Explorer 7.

Two new download files have also been added: Windows Server 2008, and a combined file of All Platform Groups in a single download.

July 9, 2008

CCE to Participate in "Making Security Measurable" Booth at Black Hat Briefings 2008 on August 6-7

CCE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Visit us at Booth A and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.

June 26, 2008

MITRE Hosts "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19

MITRE hosted a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Westin Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the CCE Calendar for information on this and other events.

June 4, 2008

MITRE Presents "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4

CVE Compatibility Lead/CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.

Visit the CCE Calendar for information on this and other events. Contact cce@mitre.org to have CCE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Presents "Making Security Measurable" Briefing and a Half-Day Tutorial at AusCERT 2008 on May 18-23

CVE Compatibility Lead/CWE Program Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey presented a Making Security Measurable briefing and hosted a half-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.

Visit the CCE Calendar for information on this and other events.

May 22, 2008

MITRE Scheduled to Present "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4

MITRE Principal Engineer Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.

Visit the CCE Calendar for information on this and other events. Contact cce@mitre.org to have CCE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19

MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008, at the Best Westin Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the CCE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at 2008 IEEE Conference on the Technologies for Homeland Security on May 12-13

MITRE Principal Engineer Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 2008 IEEE Conference on Technologies for Homeland Security on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the CCE Calendar for information on this and other events.

May 7, 2008

MITRE Scheduled to Present "Making Security Measurable" Briefing at 2008 IEEE Conference on the Technologies for Homeland Security on May 12-13

MITRE Principal Engineer Robert A. Martin is scheduled to present a briefing about Making Security Measurable to the 2008 IEEE Conference on Technologies for Homeland Security on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the CCE Calendar for information on this and other events. Contact cce@mitre.org to have CCE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Present "Making Security Measurable" Briefing and Conduct a Full-Day Tutorial at AusCERT 2008 on May 18-23

MITRE Principal Engineer Robert A. Martin and MITRE Principal INFOSEC Engineer Steven M. Christey are scheduled to present a briefing about Making Security Measurable and conduct a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at the Crowne Plaza Royal Pines Resort in Gold Coast, Australia.

Visit the CCE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

MITRE Principal Engineer Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

Visit the CCE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24

MITRE Principal Engineer Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the CCE Calendar for information on this and other events.

April 16, 2008

MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference exposed the CCE, CVE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

March 20, 2008

CCE Mentioned in Government Computer News Article about SCAP

CCE was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements."

CCE is mentioned as one of the six standards SCAP includes: "Common Configuration Enumeration from Mitre, standard identifiers and dictionary for system security configuration issues."

The author also notes the other standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE); Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS).

MITRE to Host "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference will expose the CCE, CVE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at SEPG North America 2008 on March 18

MITRE Principal Engineer Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 18, 2008 at the Tampa Convention Center in Tampa, Florida, USA.

Visit the CCE Calendar for information on this and other events. Contact cce@mitre.org to have CCE present a briefing or participate in a panel discussion about CCE, CVE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference exposed the CCE, CVE, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

March 5, 2008

CCE Version 5 Now Available

Version 5 of CCE has been posted on the CCE List page. In Version 5, CCE Identifiers (CCE-IDs) are assigned according to platform groups. Many issues with a single CCE-ID in Version 4.2 are assigned multiple CCE-IDs in Version 5, one for each applicable platform group.

Platform groups for Version 5 include: Windows Vista, Windows XP, Windows 2000, Windows Server 2008, Windows Server 2003, Office 2007, Internet Explorer 7, Red Hat Enterprise Linux 5, and Sun Solaris 10.

Please send feedback on CCE to cce@mitre.org.

February 14, 2008

MITRE Scheduled to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference will expose the CCE, CVE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

February 1, 2008

MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference exposed the CCE, CVE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.

January 3, 2008

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2008

MITRE has announced its initial Making Security Measurable calendar of events for the first half of 2008. Details regarding MITRE’s scheduled participation at these events are noted on the CCE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the CCE Calendar for information or contact cce@mitre.org to have CCE present a briefing or participate in a panel discussion about CCE, CVE, CME, CPE, CWE, CAPEC, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

December 14, 2007

CCE List, Version 4.1 Now Available

Version 4.1 of the CCE List is now available. The updated list contains new CCE Identifiers (CCE-IDs) created primarily for the U.S. National Institute of Standards and Technology’s Security Content Automation Protocol (SCAP) content for the Federal Desktop Core Configuration (FDCC) for Microsoft Vista, and for the 2007 Microsoft Office Security Guide released by Microsoft on November 11, 2007. References for these two sources will be added at a later date.

In addition, Version 5.0 of the CCE List is in Draft Stage and posted for review in the Upcoming Version section of the CCE List page. Many of the configuration issues with a single CCE-ID in Version 4 will have multiple CCE-IDs in Version 5, one for each applicable platform group.

Please send feedback on the current and/or upcoming versions of CCE to cce@mitre.org.

December 6, 2007

CCE Version 5.0 in Draft Stage

Version 5.0 of the CCE List is currently in the Draft stage. In Version 5, CCE Identifiers (CCE-IDs) will be assigned according to platform groups, which will allow CCE-IDs to be organized and created more efficiently. Many of the issues that are assigned a single CCE-ID in Version 4 will be assigned multiple CCE-IDs in Version 5, one for each applicable platform group.

The platform groups for Version 5 include "Windows Vista," "Windows XP," "Windows 2000," "Windows Server," "Internet Explorer 7," and "Office 2007."

MITRE will provide a clear migration plan for replacing Version 4.0 CCE-IDs with Version 5.0 CCE-IDs when Version 5 is finalized. Version 4.0 remains the official version of the CCE List.

MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference will expose the CCE, CVE, CPE, CME, CAPEC, CWE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CCE Calendar for information on this and other events.


Page Last Updated: January 11, 2012