The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

Peter M. Mell; Karen  Scarfone

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

Published

December 27, 2010

Author(s)

Peter M. Mell, Karen Scarfone

Abstract

The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how security configuration issues should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CCSS and nist-equations to be used to combine the measures into severity scores for each configuration issue. The report also provides several examples of how CCSS measures and scores would be determined for a diverse set of security configuration issues.

Citation

NIST Interagency/Internal Report (NISTIR) - 7502

Report Number

7502

NIST Pub Series

NIST Interagency/Internal Report (NISTIR)

Pub Type

NIST Pubs

Download Paper

DOI Link

Keywords

security configuration, security measurement, vulnerability measurement, vulnerability scoring

Information technology, Cybersecurity and Configuration and vulnerability management

Created December 27, 2010, Updated November 10, 2018