Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE names product classes rather than specific installed instances, which lets security tools make consistent, automated decisions for asset management, vulnerability management, and configuration management.
This page is the entry point for the CPE specification. It gives a high-level overview of the CPE versions and the work now under way on the next major revision. Each version has its own page with the full detail.
CPE has a current published version, CPE 2.3, and a next major revision now in early development, CPE 3.0. Follow the links for the full detail on each.
| Version | Status | Summary |
|---|---|---|
| CPE 3.0 | In early development | The next major revision of CPE. The work is at an early stage: no specification text exists yet, and no technical changes are final. |
| CPE 2.3 | Current published version | The version of CPE in production use today. CPE 2.3 is defined by a stack of four specifications. The CPE 3.0 effort does not change or retire it. |
NIST is beginning work on the next major revision of CPE. The first release of that work is being developed as CPE 3.0. The effort addresses implementation experience accumulated with CPE 2.3 over more than a decade, together with current security automation needs – including how hardware devices are represented.
The effort will evaluate how platforms and products are identified for current security automation use cases, such as vulnerability management, configuration management, and software inventory. It draws on documented implementation experience with CPE 2.3, analysis of how CPE is used in practice, and feedback from the community.
This work is at an early stage. No CPE 3.0 specification text exists yet, and no technical changes are final. NIST will post draft material for public review as the effort develops, and community input will shape the requirements before any specification is drafted. Information on this page describes planned and potential changes, not finished work.
See CPE 3.0 for the full status, the June 22, 2026 workshop, and how to get involved, including the public CPE mailing list.