Uses CVE-IDs to uniquely identify the vulnerabilities they report.
CVE-IDs are mapped to the U.S. Defense Information System Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA's public Security Technical Implementation Guides (STIG) Web site.
CVE is one of ten existing standards the U.S. National Institute of Standards and Technology's (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.
National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two 2002 Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" & "800-40: Procedures for Handling Security Patches."
U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE-IDs.