Statement of CCE Implementation

Common Configuration Enumeration (CCE) Version 5 is used in the SCAP application to assign an identifier and description to known configuration issues. The CCE Version 5 information is extracted from the XCCDF SCAP 1.0 definition XML file (OVAL 5.3 schema) in the SCAP policy selected as input for the scan.

How to view CCE information and mappings

Once the scan is complete, users can view CCE information in SCAP compliance reports. Run the Individual Host Report (this is an interactive report) or the SCAP Scorecard Report and we'll show you CCE IDs in the results. Then click on any CCE ID to get additional information, including mappings to NIST SP 800-53 control identifiers. Please note that CCE IDs will be displayed only if they are specified in the SCAP data stream.

Not sure how to get started with reporting? Simply go to PC > Reports and select New > SCAP Report > Interactive or New > SCAP Report > Scorecard Report.

SCAP Policy XML Report

The SCAP Policy XML Report is an XCCDF result document that adheres to the XCCDF specification. The SCAP Policy XML Report contains the portion of the XCCDF 1.1.4 specification dealing with XCCDF test results. The <impact-metric> element, a child of the <Rule> element, associates a rule with a CCE identifier and CVSS information.
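The following added example (not part of the product or of the original page) shows one way to pull CCE IDs and rule outcomes out of an XCCDF 1.1.4 result document with Python's standard library. It assumes CCE IDs are carried in <ident> elements with the system URI http://cce.mitre.org, as XCCDF 1.1.4 and SCAP 1.0 define them, and reads <impact-metric> from the matching <Rule>; the sample document, rule IDs and the CCE value CCE-0000-0 are constructed placeholders.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1.x namespace
CCE_SYSTEM = "http://cce.mitre.org"                # <ident> system URI for CCE
NS = {"x": XCCDF_NS}

# Constructed sample, not real scanner output; CCE-0000-0 is a placeholder.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Rule id="rule-min-pw-len" selected="true">
    <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    <impact-metric>AV:L/AC:L/Au:N/C:P/I:N/A:N</impact-metric>
  </Rule>
  <Rule id="rule-banner" selected="true"/>
  <TestResult id="result-1">
    <rule-result idref="rule-min-pw-len">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-0</ident>
    </rule-result>
    <rule-result idref="rule-banner">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

def cce_results(xml_text):
    """Return one dict per <rule-result>: rule id, result, CCE IDs, impact metric."""
    root = ET.fromstring(xml_text)
    # Index <Rule> definitions so a result can fall back to the rule's metadata.
    rules = {r.get("id"): r for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        rule = rules.get(rr.get("idref"))
        cces = []
        for src in (rr, rule):  # idents may sit on the result, the rule, or both
            if src is None:
                continue
            for ident in src.findall("x:ident", NS):
                text = (ident.text or "").strip()
                if ident.get("system") == CCE_SYSTEM and text and text not in cces:
                    cces.append(text)
        metric = rule.findtext("x:impact-metric", namespaces=NS) if rule is not None else None
        rows.append({"rule": rr.get("idref"), "cce": cces, "impact_metric": metric,
                     "result": rr.findtext("x:result", namespaces=NS)})
    return rows

if __name__ == "__main__":
    for row in cce_results(SAMPLE):
        print(row)
```

A rule with no CCE <ident> yields an empty list, which matches the note above that CCE IDs appear only when the SCAP data stream specifies them. For report files from an untrusted source, parse with a hardened XML library such as defusedxml instead of the standard parser.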

Security Patches

The special patches for SCAP scans are reported in the SCAP Individual Host Report when evidence is requested in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the "patches" file for the SCAP policy. For each CVE tested, the CVSS base score and the attack vector are displayed.