Federal Government uses CPE


Peter M. Mell

CPE participants,


NIST has identified CPE as a key technology in the U.S. Federal government’s efforts to automate and standardize vulnerability management, security measurement, and compliance reporting (e.g., FISMA). As a result, CPE has been included within the Security Content Automation Protocol (SCAP, see http://nvd.nist.gov/scap.cfm). It is also being incorporated within the new version of the National Vulnerability Database (NVD, http://nvd.nist.gov). The full NVD announcement is attached, which provides more background.


Vendors adopting CPE may participate in this U.S. government effort by declaring their products compatible with SCAP and having information on their products publicly posted on http://nvd.nist.gov/tools.cfm. It is expected that Federal agencies (including the DOD) will take advantage of this “compatible tools” listing when acquiring vulnerability management products. Please contact [hidden email] to participate.


On a related note, September 19 and 20 NIST is hosting the 3rd Annual Security Automation Conference and Workshop where CPE and the five other SCAP standards will be discussed in detail. SCAP compatible vendors are welcome and encouraged to set up displays at no additional cost. See http://nvd.nist.gov/events.cfm for upcoming registration information.


Peter Mell

National Vulnerability Database Program Manager

NIST Computer Security Division


[hidden email]



Attachment: NVDv2.rtf (28K)