NIST has identified CPE as a key technology in the U.S. Federal
government’s efforts to automate and standardize vulnerability
management, security measurement, and compliance reporting (e.g., FISMA). As a
result, CPE has been included within the Security Content Automation Protocol (SCAP,
It is also being incorporated within the new version of the National
Vulnerability Database (NVD, http://nvd.nist.gov).
The full NVD announcement is attached which provides more background.
Vendors adopting CPE may participate in this U.S. government effort by declaring
their products compatible with SCAP and having information on their products
publicly posted on http://nvd.nist.gov/tools.cfm.
It is expected that Federal agencies (including the DOD) will take advantage of
this “compatible tools” listing when acquiring vulnerability
management products. Please contact [hidden email]
On a related note, September 19 and 20 NIST is hosting the 3rd Annual Security
Automation Conference and Workshop where CPE and the five other SCAP standards
will be discussed in detail. SCAP compatible vendors are welcome and encouraged
to set up displays at no additional cost. See http://nvd.nist.gov/events.cfm for upcoming