2

Obviously, CVEs are used extensively for referring to specific vulnerabilities. However, I don't see CCEs referenced very much with regard to configurations. I understand that configuration settings are pretty static, but the CCE page hasn't been updated since 2013. Having said that:

  1. Are CCEs still used at all?

  2. Has NIST abandoned this initiative as it hasn't been touched since 2013?

  3. Are there similar initiatives out there?

Anders
Silversub

2 Answers

1

Configuration settings may be static, but new platforms are introduced time and again, and you'll need configuration settings specific to those. Sadly, CCEs aren't expanding at the same pace as CVEs.

1) Are CCEs still used at all?

Yes, the CIS benchmarks still use CCEs for reference. Several government and related organizations depend on CIS benchmarks for their configuration monitoring, so I would say that CCEs are still used.

2) Has NIST abandoned this initiative as it hasn't been touched since 2013?

As you can see on this website, there was some activity that happened regarding CCEs. But generation of new CCE IDs hasn't happened in a while.

3) Are there similar initiatives out there?

If you are looking for something specific in configuration enumeration, then I am not aware of any, but there are several different configuration standards in the market which you can look at. Speaking of enumeration systems, CVE (Common Vulnerability Enumeration), CPE (Common Platform Enumeration), etc. come to my mind.

Limit
0

CIS-CAT is commercial, but it's really the primary game in town for most Linux and Unix configurations and services. It supports CCE.

For Windows, especially endpoint workstations, see -- https://adsecurity.org/?p=3299 -- however, Microsoft does not use CCEs but their own taxonomy. Another partially-free (with commercial add-ons and functionality) tool is LunarLine AirLock, which is based on the DISA STIGs.

atdre