A Collection of Information Security Community Standardization Activities and Initiatives
   

Archive

The efforts listed on this page have been transitioned to another organization, or are no longer active and have been retired. They are included here for historical and informational purposes only.

For efforts transitioned to another organization, please follow the links below to their new websites.

Transitioned Efforts

Common Configuration Enumeration (CCE)

CURRENT STATUS: CCE remains active and is now hosted at https://nvd.nist.gov/config/cce.

CCE was developed by MITRE in 2006 as a community effort to provide unique identifiers to information security-related system configuration issues for the purpose of improving workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. Similar to Common Vulnerabilities and Exposures (CVE®) providing unique identifiers for vulnerabilities, CCE IDs can be used to associate checks in configuration assessment tools with statements in configuration best practices. In 2014, MITRE retired its CCE website and transferred all intellectual property associated with CCE to the U.S. National Institute for Standards and Technology (NIST).

Common Platform Enumeration (CPE)

CURRENT STATUS: CPE remains active with the CPE Specifications hosted at https://csrc.nist.gov/projects/security-content-automation-protocol/scap-specifications/cpe, and the CPE Products Dictionary hosted at https://nvd.nist.gov/products/cpe.

CPE was first developed in 2006 as a specification by MITRE and the National Security Agency (NSA), with follow-on specification releases by MITRE and the National Institute of Standards and Technology. CPE, which is a structured naming scheme for information technology systems, platforms, and packages, is based upon the generic syntax for Uniform Resource Identifiers (URI). CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. The CPE Products Dictionary provides an agreed-upon list of official CPE names. NIST has long held operational responsibility for CPE, and currently hosts both the CPE Specifications and the CPE Products Dictionary. In 2014, MITRE retired its CPE website and transferred all intellectual property associated with CPE to the U.S. National Institute for Standards and Technology (NIST).

Open Vulnerability and Assessment Language (OVAL)

CURRENT STATUS: OVAL remains active and is now hosted at https://oval.cisecurity.org/.

OVAL was launched by MITRE in 2002 as a community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a community-developed language used to encode system details, and sharable content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. MITRE’s OVAL website was retired in 2015, when OVAL was transitioned to the Center for Internet Security (CIS).

Structured Threat Information eXpression (STIX)

CURRENT STATUS: STIX remains active and is now hosted at https://oasis-open.github.io/cti-documentation/.

STIX was developed in 2012 by the Department of Homeland Security and MITRE as a community effort to define and develop a structured language to represent cyber threat information. STIX enables organizations to share cyber threat intelligence with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, etc. In 2015, MITRE, on behalf of the U.S. Government organization that sponsored STIX, transferred all intellectual property associated with STIX to the Organization for the Advancement of Structured Information Standards (OASIS).

Trusted Automated eXchange of Indicator Information (TAXII)

CURRENT STATUS: TAXII remains active and is now hosted at https://oasis-open.github.io/cti-documentation/.

TAXII was developed in 2012 by the Department of Homeland Security and MITRE as a community effort to define a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat intelligence (CTI) across organization and product/service boundaries in a simple and scalable manner. TAXII is an application layer protocol for the exchange of CTI over HTTPS. TAXII enables organizations to share CTI by defining an API that aligns with common sharing models, and is specifically designed to support the exchange of CTI represented in Structured Threat Information eXpression (STIX). In 2015, MITRE, on behalf of the U.S. Government organization that sponsored TAXII, transferred all intellectual property associated with TAXII to the Organization for the Advancement of Structured Information Standards (OASIS).

Retired Efforts

Benchmark Editor, 2008-2011

Developed in 2008, MITRE's Benchmark Editor was a free Java-based tool that enhanced and simplified the creation and editing of computer security benchmark documents written in standardized languages such as Extensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL). As benchmarks written in the XCCDF and OVAL languages could result in large, complicated XML documents that were difficult to use and edit, Benchmark Editor greatly simplified the authoring process by dividing the benchmarks into logical elements, displaying the information in an easy-to-understand manner, and allowing for authoring and editing without extensive knowledge of XML or the languages. However, due to changing priorities, the U.S. Government organization that sponsored MITRE's work on this effort decided to stop funding Benchmark Editor in 2011 to focus on other priorities.

Benchmark Development Course, 2008-2013

In 2009, MITRE initiated an effort to encourage the information security community to adopt a standards-based approach to creating computer security guidance benchmark documents that would be far more structured than was previously available at that time. The free Benchmark Development Course was developed to foster best practices and encourage the security community to create guidance that was standards-based, structured, and automatable. The course was first presented as a classroom seminar, and eventually as an online course. However, due to changing priorities, the U.S. Government organization that sponsored MITRE's work on the Benchmark Development Course decided to stop funding this effort in 2013 to focus on other priorities.

Cyber Observable eXpression (CybOX), 2011–2017

CybOX was developed by MITRE in 2011 as a community effort to create a structured language for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. A wide variety of high-level cybersecurity use cases rely on such information, including event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, indicator sharing, etc., and CybOX provided a common structure for representing cyber observables across and among these use cases, thereby improving consistency, efficiency, interoperability, and overall situational awareness for the enterprise.

In 2015, on behalf of the U.S. Government organization that sponsored CybOX, MITRE transferred all intellectual property associated with CybOX to the Organization for the Advancement of Structured Information Standards (OASIS), and in July 2017 CybOX was absorbed into Structured Threat Information Expression (STIX) Version 2.0.

Common Event Expression (CEE), 2007-2013

CEE was developed in 2007 to standardize the way computer events are described, logged, and exchanged. By using CEE's common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE. However, due to changing priorities, the U.S. Government organization that sponsored MITRE's work on CEE decided to stop funding this effort in 2013 to focus on other priorities.

Common Malware Enumeration (CME), 2005-2008

CME was developed in 2005 to address the pandemic model of malware in which single, common CME Identifiers (CME IDs) were assigned to “high-profile threats” in order to reduce public confusion during malware incidents. This community effort was not an attempt to replace the vendor names used for viruses and other forms of malware, but instead to facilitate a shared, neutral indexing capability for malware. However, the changed nature of the malware threat since late 2006 — away from pandemic, widespread threats to more localized, targeted threats — greatly reduced the need for common malware identifiers to mitigate user confusion in the general public.

CME was retired in 2008 and all related work transitioned to the Malware Attribute Enumeration and Characterization (MAEC™) effort. The MAEC website was relocated to https://maecproject.github.io/ in 2016.