I’ve see CCEs being incorporated into the DISA STIGs and USGCB XCCDF content. CCEs could
be used to map to other regulatory regimes.
Following is a conceptually mapping of high level regulations to granular technical
settings.
Regulatory – FISMA, HIPAA, NERC etc…
Controls – NIST 800-53, HITEC, CIP
DISA SRG/STIG – Mapping to Controls (CCI) in this case to NIST 800-53 rev.3.
CCE- Granular platform specific configuration.
SCAP repository contains CCE mappings to various content.
http://scaprepo.com
Red Hat CCE for REL5 “/etc/group file…”
http://www.scaprepo.com/view.jsp?id=CCE-3276-3 we can see that this setting impacts
various controls for differing regulatory verticals.
NIST now maintains CCE at:
http://nvd.nist.gov/cce/
CCE mappings to NIST 800-53
http://nvd.nist.gov/cce.cfm
In the end CCEs could be used to attest assertions to compliance in a referenceable manner
for C&A activities.
-ln
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Sunday, March 24, 2013 11:29 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: who uses CCE ids for RHEL guidance?
On 3/17/13 1:41 PM, Jeffrey Blank wrote:
A question for the list:
Who uses CCE identifiers (and for what)?
I find them (informally) useful since they provide a unique identifier
for a particular knob. Of course, internal to the project, the XCCDF
Rule id fulfills a similar role, though we'll have both.
(I also have some reservations about CCE implementation and format, but
those are not related to this inquiry, nor am I soliciting for those!)
I'm simply curious about uses of CCE in RHEL security guidance,
particularly that which would be derived from the project.
Personally I never use them, or even talk about them. When going through compliance
processes I've found C&A stakeholders want to know about their requirement, e.g.
OS SRG or NIST 800-53 reference.