CCE FAQs

  1. What is CCE?
  2. What is a configuration guidance statement? What is a configuration control?
  3. Why CCE? How will it benefit me or my organization?
  4. What is a CCE entry?
  5. What is the format of the CCE Identifier (CCE-ID) number?
  6. How are CCEs created?
  7. What is a CCE "platform group"?
  8. Which platform groups does CCE cover?
  9. What are the sources that CCE entries reference?
  10. How often are there new versions of the CCE List?
Q.
What is CCE?
A.
The Common Configuration Enumeration, or CCE, assigns unique entries (also called CCEs) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerability and Exposure (CVE®) List, which assigns identifiers to publicly known system vulnerabilities.
Q.
What is a configuration guidance statement? What is a configuration control?
A.

A "configuration guidance statement" specifies a preferred or required setting or policy for a computer system. Configuration statements can be found in a variety of repositories such as security guides, benchmarks, vendor guidance and documentation, configuration assessment and management tools, and consolidated reporting systems.

Examples include:

  • The required permissions for the directory %SystemRoot%\System32\Setup should be assigned to the "Administrator account" only.
  • The "account lockout threshold" setting should be set to 3.
  • The startup type of the Remote Shell service should be set to "disabled".

A "configuration control" is a configurable unit of control within the conceptual security model of a computer system.

Examples include:

  • The access permissions for files and directories, such as %SystemRoot%\System32\Setup.
  • The account policy settings, such as account lockout threshold setting.
  • The startup type for network services, such as the Remote Shell service.
Q.
Why CCE? How will it benefit me or my organization?
A.
Use of CCEs improves configuration management work processes by allowing people to quickly and accurately correlate configuration data across multiple information sources and tools. CCEs are associated with configuration issues that express the way humans name and discuss their intentions when configuring computer systems. In this way, the use of CCEs as tags provides a bridge between natural language, prose-based configuration guidance documents, and machine-readable or executable capabilities such as configuration audit tools.
Q.
What is a CCE entry?
A.

CCE entries are unique, common identifiers assigned to particular security-related configuration issues. Each entry on the CCE List contains the following five attributes:

  • CCE Identifier Number — "CCE-2715-1"
  • Description — a humanly understandable description of the configuration issue
  • Conceptual Parameters — parameters that would need to be specified in order to implement a CCE on a system
  • Associated Technical Mechanisms — for any given configuration issue there may be one or more ways to implement the desired result
  • References — pointers to the specific sections of the documents or tools in which the configuration issue is described in detail

Refer to the CCE List for more information.

Q.
What is the format of the CCE Identifier (CCE-ID) number?
A.

The format of a CCE Identifier number is "CCE-2715-1":

  • CCE = the type of identifier
  • 2715 = the identifier, which is random and non-descriptive
  • 1 = a check digit produced according to the Luhn Check Digit Algorithm, which can be used to detect common transcription errors
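
The check-digit rule above, worked through as an added example (not code from the CCE project): it validates CCE-IDs and flags mistyped ones in free text. The regular expression, function names and sample text are assumptions made for illustration; only "CCE-2715-1" comes from this page.

```python
import re

# Shape per the FAQ: "CCE-<identifier digits>-<check digit>".
# Assumption: the identifier length is not fixed, so any run of digits is accepted.
CCE_RE = re.compile(r"\bCCE-(\d+)-(\d)\b")

def luhn_check_digit(body: str) -> int:
    """Return the digit that makes body + digit pass the Luhn test."""
    total = 0
    # Walk right to left. The rightmost body digit is doubled because the
    # check digit will sit in the undoubled position to its right.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10

def is_valid_cce_id(cce_id: str) -> bool:
    """True only if the string has the CCE-ID shape and its check digit holds."""
    m = CCE_RE.fullmatch(cce_id.strip())
    return bool(m) and luhn_check_digit(m.group(1)) == int(m.group(2))

def audit_text(text: str) -> dict:
    """Map every CCE-ID-shaped token found in text to its validity."""
    return {m.group(0): is_valid_cce_id(m.group(0)) for m in CCE_RE.finditer(text)}

# Constructed sample: the page's ID plus two mistyped variants of it
# (one wrong digit, one adjacent transposition).
SAMPLE = "Baseline maps to CCE-2715-1; ticket cites CCE-2775-1 and CCE-2175-1."

if __name__ == "__main__":
    for cce_id, ok in audit_text(SAMPLE).items():
        print(f"{cce_id}: {'ok' if ok else 'check digit mismatch'}")
```

Luhn catches every single-digit error and most adjacent transpositions, but swapping an adjacent 0 and 9 leaves the check digit unchanged, so a passing check does not prove the ID is the one intended.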
Q.
How are CCEs created?
Q.
What is a CCE "platform group"?
A.
A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies. CCE's platform groups adhere to the same level of granularity commonly found in security configuration guidance that is written for individual platforms, as well as in the sets of checks and other features found in configuration audit and management tools. Examples of platform groups are Microsoft Windows XP and Sun Solaris 10. See About CCE Entries for a detailed discussion.
Q.
Which platform groups does CCE cover?
A.
Refer to the CCE List page for the full list.
Q.
What are the sources that CCE entries reference?
Q.
How often are there new versions of the CCE List?
A.
CCE List downloads are updated by individual platform group as necessary. The version of a file is the date of the individual download file, which is noted for each file on the CCE List page and encoded in the individual download file names.