Uses CVE-IDs to uniquely identify the vulnerabilities they report.
National Institute of Standards and Technology (NIST) recommends use of CVE by U.S. agencies in two 2002 Special Publications: "800-51: Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme" & "800-40: Procedures for Handling Security Patches."
CVE is one of ten existing standards the U.S. National Institute of Standards and Technology's (NIST) SCAP to enable automated vulnerability management, measurement, and policy compliance evaluation.
CVE-IDs are mapped to the U.S. Defense Information System Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA's public Security Technical Implementation Guides (STIG) Web site.
U.S. Defense Information Systems Agency (DISA) issued Task Order 232 in June 2004 for information assurance applications for the Department of Defense (DoD) that requires the use of products that use CVE-IDs.