Common Platform Enumeration 3.0 (CPE 3.0)
CPE 3.0 is the next major revision of Common Platform Enumeration (CPE), now in early development at NIST. This page tracks the effort and how to take part. For the current published version, see Common Platform Enumeration (CPE).
About the CPE 3.0 effort
CPE 2.3 has been in wide use for more than a decade. Implementation experience over that period, together with current security automation needs, has surfaced a set of issues worth addressing in a future version.
The CPE 3.0 effort will evaluate how platforms and products are identified for current security automation use cases, including vulnerability management, configuration management, and software inventory. It will draw on documented implementation experience with CPE 2.3, a list of known CPE 2.3 issues, analysis of how CPE is used in practice, and feedback from the community. Improving how hardware devices are represented is one area of focus.
This work is at an early stage. No CPE 3.0 specification text exists yet, and no technical changes are final. NIST will post draft material for public review as the effort develops. Community input, including input gathered at the workshop below, will shape the requirements before any specification is drafted.
June 22, 2026: NIST Workshop on Hardware CPE and CVSS Updates
NIST will host the NIST Workshop on Hardware CPE and CVSS Updates on June 22, 2026. The workshop is hybrid: attendees may take part in person at the NCCoE or join virtually.
The workshop will gather community input on potential changes to CPE, with a focus on the hardware-capable CPE model, and on related updates to the Common Vulnerability Scoring System (CVSS). NIST will present its current thinking, including a list of CPE 2.3 issues and an early architecture concept, as a starting point for discussion. The goal is to collect structured feedback on planned changes, not to present finished specifications.
The workshop is intended for CPE implementers, security tool vendors, government users, researchers, and others who work with platform identification and vulnerability data.
Registration details are available on the NIST Workshop on Hardware CPE and CVSS Updates registration page. Agenda details will be posted here when available.
How to Participate
NIST develops CPE in the open. Anyone who works with CPE is welcome to take part in the CPE 3.0 effort.
Join the CPE mailing list
The CPE development and discussion list, [email protected], is the main channel for the CPE 3.0 effort and the standing channel for the CPE community. It is public: anyone with a Google account can join, read the archive, and take part by email. Use it to comment on CPE specification development, ask questions, and follow the work, before and after the June 22, 2026 workshop.
To join, send a subscribe request to [email protected].
Other ways to take part
- Attend the June 22, 2026 NIST Workshop on Hardware CPE and CVSS Updates, in person or virtually.
- Review and comment on draft CPE 3.0 material when it is posted for public comment.
- Watch this page and CSRC News & Updates for draft materials and announcements.
- For workshop registration and logistics questions, email the workshop administration list, [email protected].
