I’ve see CCEs being incorporated into the DISA STIGs and USGCB XCCDF content. CCEs could be used to map to other regulatory regimes. Following is a conceptually mapping of high level regulations to granular technical settings.

Regulatory – FISMA, HIPAA, NERC etc… Controls – NIST 800-53, HITEC, CIP DISA SRG/STIG – Mapping to Controls (CCI) in this case to NIST 800-53 rev.3. CCE- Granular platform specific configuration.

SCAP repository contains CCE mappings to various content. http://scaprepo.com

Red Hat CCE for REL5 “/etc/group file…” http://www.scaprepo.com/view.jsp?id=CCE-3276-3 we can see that this setting impacts various controls for differing regulatory verticals.

NIST now maintains CCE at: http://nvd.nist.gov/cce/ CCE mappings to NIST 800-53 http://nvd.nist.gov/cce.cfm

In the end CCEs could be used to attest assertions to compliance in a referenceable manner for C&A activities.

-ln

From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Sunday, March 24, 2013 11:29 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: who uses CCE ids for RHEL guidance?

On 3/17/13 1:41 PM, Jeffrey Blank wrote:

A question for the list:

Who uses CCE identifiers (and for what)?

I find them (informally) useful since they provide a unique identifier

for a particular knob. Of course, internal to the project, the XCCDF

Rule id fulfills a similar role, though we'll have both.

(I also have some reservations about CCE implementation and format, but

those are not related to this inquiry, nor am I soliciting for those!)

I'm simply curious about uses of CCE in RHEL security guidance,

particularly that which would be derived from the project.

Personally I never use them, or even talk about them. When going through compliance processes I've found C&A stakeholders want to know about their requirement, e.g. OS SRG or NIST 800-53 reference.