150 documents across 8 categories · CC BY 4.0

Your security program, already built.

CERG delivers the operating stack a security team actually needs: policy, governance instruments, technical standards, procedures, operational packages, templates, a full workforce architecture with job descriptions, and machine-readable automation schemas. It is organized into three accountable pillars, mapped to seven frameworks, and designed to be forked, adapted, and run.

Total documents: --
Control baseline rows: 47
Catalog entries: --
Regulatory frameworks: 7

Program in a box

Every layer of a mature security program, already written.

Most teams adopt a compliance framework and then spend months writing the operational documents it does not include. CERG skips that gap. The full program layer is here: governance instruments, technical standards, procedures, operational packages, templates, a complete workforce architecture, and automation-friendly schemas.

POLICY · 1 DOCUMENT

Cybersecurity Policy

The foundational principles that anchor everything else in the program. Every standard derives from it; nothing contradicts it. Updated rarely and deliberately.

STANDARDS · 15 DOCUMENTS

Technical Standards

What “good” looks like in each security domain. Covers access, configuration, cryptography, CUI, IT and cloud, logging, OT, resilience, secure development, assets, network, endpoint, data governance, AI, and messaging.

Access Control · Secure Config · Cryptography · CUI Handling · IT & Cloud · Logging & Detection · OT / Grid · Resilience · Secure SDLC · Asset Management · Network · Endpoint · Data Governance · AI Security · Messaging

PROCEDURES · 12 DOCUMENTS

How the Work Gets Done

Step-by-step operational documents that engineers and analysts open during execution. They cover access, architecture review, adversarial validation, risk, vendors, vulnerabilities, audit evidence, change management, incident playbooks, lessons learned, threat intelligence, and threat modeling.

Access Management · Architecture Review · Adversarial Validation · Risk & Exceptions · Third-Party Risk · Vulnerability Management · Audit Evidence · Change Management · IR Playbooks · Lessons Learned · Threat Intel · Threat Modeling

OPERATIONAL PACKAGES · 7 DOCUMENTS

Regulator-Shaped Packages

Pre-built packages for regulatory, resilience, privacy, and incident response needs. The underlying controls are CERG’s; each package translates them into the operating or assessor view the audience expects.

NERC-CIP · CUI / CMMC · SOX ITGC · Incident Response · BC/DR · ISO 27001 · Privacy

TEMPLATES · 17 DOCUMENTS

Fill-in-the-Blank Artifacts

Ready-to-use templates that keep the program runnable and auditable: intake forms, evidence worksheets, system security plans, POAMs, board and CISO reporting decks, risk registers, exception requests, vendor questionnaires, and stakeholder perception surveys.

Intake Form · SSP Template · POAM Template · Board Deck · Risk Register · Exception Request · Vendor Questionnaire

GOVERNANCE · 42 DOCUMENTS

Governance Instruments & Cross-Cutting Systems

The operational backbone of the program: the control baseline, compliance matrix, risk taxonomy, RMF, metrics dashboard, operating model, maturity self-assessment, Crown Jewel register, consolidated RACI, annual calendar, program improvement register, traceability matrix, effectiveness framework, edge register, service level commitments, and cross-pillar flows. Also includes adoption guides for safe implementation, small-team paths, implementation cards, an organization adaptation profile, and the document authoring style guide.

Control Baseline · Compliance Matrix · Risk Taxonomy · RMF · Operating Model · Maturity Assessment · Edge Register · Implementation Cards · +34 more

WORKFORCE ARCHITECTURE · 35 DOCUMENTS

People. Roles. Career Paths.

A complete workforce architecture: five job families (Security Engineering, Risk Operations, Governance & Compliance, Executive Leadership, Incident Response) with progressive career levels, NICE Workforce Framework crosswalk, job architecture and grade framework, competency model, performance management, onboarding, training, and succession planning.

Security Engineering (8) · Risk Operations (8) · Governance & Compliance (7) · Executive Leadership (2) · Incident Response (2) · + Job Architecture, Competency Model, Performance, NICE Crosswalk

MACHINE-READABLE · SCHEMAS

Automation-Friendly YAML Schemas

Machine-readable definitions for the runtime model, evidence structure, metrics, and control automation. Designed to be consumed by CI pipelines, GRC platforms, and tooling without manual translation from prose.

Three pillars · One team

Clear ownership at every level, never “shared.”

Ambiguous ownership is the root cause of most control failures. CERG assigns every control, every document, and every piece of evidence to exactly one accountable pillar. Supporting roles are documented separately. The three pillars operate as one team under one CISO: distinct in discipline, unified in purpose.

PILLAR · ENGINEERING

Cyber Engineering

Builds and operates the controls: identity, access, hardening, encryption, network segmentation, configuration management, and recovery infrastructure. Embedded in delivery teams; security is designed in, not bolted on.

PILLAR · RISK

Cyber Risk

Finds and validates: vulnerability management, threat monitoring, adversarial testing, third-party risk, and supply chain integrity. Produces the findings that Engineering fixes and Governance tracks.

PILLAR · GOVERNANCE

Cyber Governance

Defines and proves: policy, standards, evidence, risk register, IR planning, recovery coordination, and the compliance calendar. Enables the business through risk treatment. The default is “yes, with guardrails,” not reflexive refusal.

For LLMs and automation

Everything in markdown. Fork it, adapt it, feed it to your tools.

Every document is authored as markdown. The full corpus is available as a single download, as individual files, or via the llms.txt manifest that tools can crawl directly. Drop the zip into a knowledge base, paste llms-full.txt into a long-context window, and ask anything.