Common Configuration Enumeration (CCE)
The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.
For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice documents including the Center for Internet Security’s (CIS) CIS Benchmark Documents, National Institute of Standards and Technology’s (NIST) NIST Security Configuration Guides, National Security Agency’s (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency’s (DISA) DISA Security Technical Implementation Guides (STIGS).
When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE®) provides this capability for information security vulnerabilities.
Similar to the CVE effort, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements and configuration controls that express the way humans name and discuss their intentions when configuring computer systems. In this way, the use of CCE-IDs as tags provide a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.
Each entry on the CCE List contains the following five attributes:
- CCE Identifier Number – "CCE-2715-1"
- Description – a humanly understandable description of the configuration issue
- Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
- Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
- References – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail
Currently, CCE is focused solely on software-based configurations. Recommendations for hardware and/or physical configurations are not supported. Refer to the CCE List for more information.