CPE Home Common Platform Enumeration: A structured naming scheme for IT systems, platforms, and packages
CPE Website is in "Archive" status — read the announcement
 

   

IMPORTANT:

MITRE is pleased to announce that all intellectual property associated with CPE has been transferred to the U.S. National Institute for Standards and Technology (NIST). NIST holds operational responsibility for CPE, and has hosted both the Official CPE Dictionary and the CPE Specifications for several years. MITRE will support NIST in an advisory role to ensure a smooth transfer and support their ongoing operation of CPE as needed. MITRE has assigned the copyright on all CPE material to NIST, and will no longer be enforcing the unregistered trademarks on CPE. This website will be maintained as an archive for the CPE Community, but will no longer be updated.

We thank all members of the CPE Community for your work in developing and refining CPE throughout the years. Please send any comments or concerns to cpe@mitre.org.

News & Events — 2012 Archive

September 12, 2012

CPE/Making Security Measurable Booth at IT Security Automation Conference 2012

CPE/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA.

Visit the CPE Calendar for information on this and other events.

CPE/Making Security Measurable Booth at 2012 Information Assurance Expo

MITRE hosted a CPE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CPE Calendar for information on this and other events.

BACK TO TOP

August 15, 2012

CPE Referenced in Tagvault.org Article about Microsoft Announcing Support for SWIDs

MITRE was mentioned in reference to CPE in an April 2012 article on the TagVault.org Web site entitled "Announcements Usher in a New Era of Software Management: Microsoft announced support for SWID Tags". The main focus of the article was Microsoft Corporation’s announcement that it is "collaborating with national standards bodies and industry leading groups to further the development of the ISO/IEC 19770-2:2009 standard for software identification tags. We are folding ISO/IEC 19770-2:2009 support into our product planning cycles, and will begin to include these tags in future product releases."

CPE is referenced via a link that explains the relationship between CPE and SWIDs in the following statement about community collaboration: "TagVault.org is working with many other organizations including MITRE to improve the software identification capabilities for the security content automation protocol (SCAP) processes that are in use today and are designed to lower vulnerabilities and risk levels."

More detailed information about the relationship between CPE and SWIDs is available at http://tagvault.org/Automating_CPE_name_creation.

CPE/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30

MITRE will host a CPE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!

Visit the CPE Calendar for information on this and other events.

BACK TO TOP

July 27, 2012

MITRE Hosts CPE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE hosted a CPE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CPE Calendar for information on this and other events.

CPE Briefing Slides from Security Automation Developer Days 2012 Now Available

2 briefing presentations from the CPE-focused sessions at the Security Automation Developer Days 2012 conference on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Developer Days page on the CPE Web site. Briefing slides from the 20 other presentations at the event are also included.

BACK TO TOP

July 2, 2012

MITRE to Host CPE/Making Security Measurable Booth at Black Hat Briefings 2012

MITRE will host a CPE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!

Visit the CPE Calendar for information on this and other events.

BACK TO TOP

June 19, 2012

Registration Now Closed for MITRE’s Security Automation Developer Days 2012 on July 9-13

Registration is now closed for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.

BACK TO TOP

June 1, 2012

Agenda Now Available for MITRE’s Security Automation Developer Days 2012 on July 9-13

The agenda for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.

For registration, lodging, and other conference details visit the conference registration page. Please note that registration will close on June 15.

BACK TO TOP

May 11, 2012

Registration Now Open for Security Automation Developer Days 2012 on July 9-13

MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Common Platform Enumeration (CPE™), Common Configuration Enumeration (CCE™), Open Vulnerability and Assessment Language (OVAL®), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.

MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

BACK TO TOP

May 7, 2012

CPE Launches New Web Site

CPE has upgraded its Web site with new information and features to better serve our users. The updated Web site includes the following enhancements: consolidating all information about the CPE Dictionary and CPE Specifications onto single, easy to use pages; a consolidated CPE Archive for previous versions of the specifications, dictionary, schema, and other materials; a new CPE in Use page highlighting how CPE is currently in use across the community; a CPE Documents page; and a News & Events section to help keep the community better informed about CPE and related topics such as SCAP, SWIDs, Making Security Measurable, etc.

Please send any comment or concerns to cpe@mitre.org.

CPE Mentioned in Article about Updates to Guidelines for Adopting and Using Security Content Automation Protocol (SCAP) on GCN

CPE is mentioned in a January 9, 2012 article entitled "Getting the most out of automated IT security management" on Government Computer News.com. The main topic of the article is the National Institute of Standards and Technology (NIST) updating its guidelines for using Security Content Automation Protocol (SCAP) "for checking and validating security settings on IT systems" by releasing "Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, Revision 1."

CPE is mentioned when the author explains how SCAP combines several existing community standards created and maintained by several different organizations "including MITRE Corp., the National Security Agency, and the Forum for Incident Response and Security Teams", and that the "specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection." The author then lists the 11 SCAP components, with CPE included under Enumerations. The other MITRE initiatives listed are Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE), also under Enumerations, and under Languages, Open Vulnerability and Assessment Language (OVAL). The article concludes with a summary of the updates to the guidelines.

TagVault.org Issues Report Focused on Integrating SWIDs with CPEs

TagVault.org issued a report in January 6, 2012 entitled "Certified SWID Tag Integration with Common Platform Enumeration names" that describes how its Software Identification Tags (SWIDs) "enable software publishers to automatically create a CPE name for each released product as part of the process of creating a SWID tag, and to do so without requiring additional resources." In the report, TagVault.org proposes adding "extended elements to the current version of the ISO/IEC 19770-2:2009 standard, and to define a SWID tag creation process that would be used in order to provide authoritative CPE names that come directly from the software publisher. The expectation is that any new elements added to the TagVault.org certification process will also be incorporated back into the ISO/IEC 19770–2:2009 standard through standard ISO procedures."

TagVault.org also posted an article on its website entitled "Automation of CPE Names Using Certified SWID Tags" that provides a summary of the report.

The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) document, "ISO/IEC 19770-2:2009 Information technology — Software asset management — Part 2: Software identification tag," is available for purchase from http://www.iso.org and http://www.ansi.org.

MITRE Hosts CPE/Making Security Measurable Booth at InfoSec World 2012

MITRE hosted a CPE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CPE, CCE, CVE, CybOX, CAPEC, MAEC, CWE, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CCE Calendar for information on this and other events.

BACK TO TOP

      

Page Last Updated: March 12, 2013