A SCAP specification for measuring the severity of software security configuration issues.
Sources:
NIST SP 800-128
under Common Configuration Scoring System (CCSS)
NIST SP 800-128