Uses CVE-IDs to uniquely identify the vulnerabilities they report.
CVE-IDs are mapped to the U.S. Defense Information Systems Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA's public Security Technical Implementation Guides (STIG)
CVE is one of the existing standards that the U.S. National Institute of Standards and Technology's (NIST) SCAP uses to enable automated vulnerability management, measurement, and policy compliance evaluation.
The National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" in 2002 and "800-40: Procedures for Handling Security Patches," which was initially released in 2002 and updated in 2011.
The U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE-IDs.