How is CWE related to the National Vulnerability Database (NVD)?
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA). NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. This cross section of CWEs allows analysts to score CVEs at both a fine and coarse granularity, which is necessary due to the varying levels of specificity possessed by different CVEs. For a better understanding of how the standards link together please visit MITRE – Making Security Measurable. CWE is not currently part of the Security Content Automation Protocol (SCAP), yet CVE is part of SCAP. NVD is using CWE as a classification mechanism that differentiates CVEs by the type of vulnerability they represent.
