Jerome,
As always, thanks for sharing timely references to "our thing". We need to leverage these standards wherever possible/practical.
Question
"CRE enables automation and enhanced correlation of enterprise remediation activities."
I'm not seeing where CRE provides the machine readable specification (or reference to same) required to perform the very specific remediation action(s) to achieve, measure, or validate the remediation objectives/outcomes.
It would seem that the reference to the OVRL specification or some other reference that leads one to the specific OVRL The only specific external reference I see is the CPE (Common Platform Enumeration)?
...What am I missing?
@All: (1) I like the Use Case formats of the NIST documents. It would be great if we could adopt same or something similar to map to these existing body of work. (2) Why reinvent taxonomies, descriptions, etc. where substantive instantiations of same
(i.e., CCE, CVE, CPE) already exist?