This section provides orientation on managing the list of Common Control Enumerations (CCEs), available through the Knowledge module.
CCE is a standard that defines unique identifiers for configurations in technology assets, such as operational systems and applications. This makes correlating configurations with various sources of information and tools faster and easier. CCE lists, which are separated by platform, are maintained by NIST (the National Institute of Standards and Technology).
When editing controls from a technology knowledge base, each control can be associated with one or more CCEs. This establishes relationships between a security control and certain IT configurations, which can later be verified through the following types of risk queries: Control, Status of Controls, and Control Status by Threat Source.
Each CCE is composed of the following attributes:
•CCE ID: Identifier for the CCE, displayed in a specific format, for example CCE-XXXXX-X.
•Description: Clear description of the configuration to be made.
•Parameters: Parameters needed for a CCE to be implemented in a system.
•Technical Information: Possible ways of implementing a configuration to obtain the results wanted.
•Platform: Operating system or application to which a CCE applies.