I’ve see CCEs being incorporated into the DISA STIGs and USGCB XCCDF content. CCEs could be used to map to other regulatory regimes. Following is a conceptually mapping of high level regulations to granular technical settings. Regulatory – FISMA, HIPAA, NERC etc… Controls – NIST 800-53, HITEC, CIP DISA SRG/STIG – Mapping to Controls (CCI) in this case to NIST 800-53 rev.3. CCE- Granular platform specific configuration. SCAP repository contains CCE mappings to various content. http://scaprepo.com Red Hat CCE for REL5 “/etc/group file…” http://www.scaprepo.com/view.jsp?id=CCE-3276-3 we can see that this setting impacts various controls for differing regulatory verticals. NIST now maintains CCE at: http://nvd.nist.gov/cce/ CCE mappings to NIST 800-53 http://nvd.nist.gov/cce.cfm In the end CCEs could be used to attest assertions to compliance in a referenceable manner for C&A activities. -ln From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Sunday, March 24, 2013 11:29 PM To: scap-security-guide(a)lists.fedorahosted.org Subject: Re: who uses CCE ids for RHEL guidance? On 3/17/13 1:41 PM, Jeffrey Blank wrote: A question for the list: Who uses CCE identifiers (and for what)? I find them (informally) useful since they provide a unique identifier for a particular knob. Of course, internal to the project, the XCCDF Rule id fulfills a similar role, though we'll have both. (I also have some reservations about CCE implementation and format, but those are not related to this inquiry, nor am I soliciting for those!) I'm simply curious about uses of CCE in RHEL security guidance, particularly that which would be derived from the project. Personally I never use them, or even talk about them. When going through compliance processes I've found C&A stakeholders want to know about their requirement, e.g. OS SRG or NIST 800-53 reference.