Common Platform Enumeration: A structured naming scheme for IT systems, platforms, and packages
CPE Website is in "Archive" status — read the announcement


About CPE — Archive


Secure information systems depend on reliable, cost-effective Software Asset Management practices that support security assessment. IT managers need highly reliable and automatable software inventory processes that provide accurate, up-to-the-minute details about the operating systems, software applications and hardware devices that are installed and available for use. Once armed with this data, IT managers can identify risks and vulnerabilities, and make timely decisions about what to install, patch or disable.

Specification languages already exist for related tasks, such as Common Vulnerabilities and Exposures (CVE®) for describing vulnerabilities, Open Vulnerability and Assessment Language (OVAL®) for testing system state, and Extensible Configuration Checklist Description Format (XCCDF) for expressing security checklists.

What these languages all have in common is a need to refer to IT products and platforms in a standardized way that is suitable for machine interpretation and processing.


Common Platform Enumeration (CPE™) was developed to satisfy that need.

CPE provides:

  • A standard machine-readable format for encoding names of IT products and platforms.
  • A set of procedures for comparing names.
  • A language for constructing "applicability statements" that combine CPE names with simple logical operators.
  • A standard notion of a CPE Dictionary.
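
The first three items can be seen together in a short sketch. This is an added example, not code from the CPE project or NIST: it assumes the CPE 2.3 formatted-string binding, the function names are hypothetical, the vendor and product names are constructed, and matching is simplified to whole-attribute comparison.

```python
import re

# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(name):
    """Split a CPE 2.3 formatted string into an attribute dict."""
    parts = re.split(r"(?<!\\):", name)  # a backslash-escaped colon is data
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    if parts[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid part {parts[2]!r}")
    return dict(zip(FIELDS, (p.lower() for p in parts[2:])))

def matches(pattern, target):
    """True if each pattern attribute is ANY ('*') or equals the target's.
    Simplification (assumption): embedded wildcards such as '1.*' are
    compared literally, not expanded."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] == "*" or p[f] == t[f] for f in FIELDS)

def applies(stmt, inventory):
    """Evaluate an applicability statement written as nested tuples
    ('AND' | 'OR', [operands]); an operand is a CPE pattern string or
    another statement. This tuple form is a stand-in for the XML language."""
    op, operands = stmt
    if op not in ("AND", "OR"):
        raise ValueError(f"unknown operator {op!r}")
    results = (applies(o, inventory) if isinstance(o, tuple)
               else any(matches(o, item) for item in inventory)
               for o in operands)
    return all(results) if op == "AND" else any(results)

# Constructed inventory of one host (names are placeholders, not real products).
INVENTORY = [
    "cpe:2.3:o:examplecorp:exampleos:10.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:examplebrowser:4.1:*:*:*:*:*:*:*",
]
# "Any ExampleOS version AND (ExampleBrowser 4.0 OR 4.1)"
STATEMENT = ("AND", [
    "cpe:2.3:o:examplecorp:exampleos:*:*:*:*:*:*:*:*",
    ("OR", ["cpe:2.3:a:examplecorp:examplebrowser:4.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:examplecorp:examplebrowser:4.1:*:*:*:*:*:*:*"]),
])

if __name__ == "__main__":
    print(applies(STATEMENT, INVENTORY))
```
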

CPE in the Enterprise

An authoritative CPE Dictionary is currently maintained by the National Institute of Standards and Technology (NIST) as part of its U.S. National Vulnerability Database (NVD). NIST also hosts the current official version of the CPE Specification documents.

In addition, CPE is one of the existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CPE component of SCAP.




Page Last Updated: March 22, 2013