C CERG Cyber Engineering, Risk & Governance
Markdown GitHub

FRAMEWORK SYSTEM MAP

Front Door · Document Relationships · Adoption Navigation
Document ID CERG-GOV-FRM-002
Version 1.2
Status Approved
Classification Public
Owner Governance Pillar Leader
Parent Policy CERG-POL-001 - Cybersecurity Policy
Review Cycle Quarterly / Upon significant library structure change
Frameworks NIST CSF 2.0 (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)
Regulations Cross-cutting
Environments All CERG adoption paths

Table of Contents

  1. Purpose and Scope
  2. The CERG Spine
  3. How the Library Fits Together
  4. How Work Moves Through CERG - 4.1 How the three pillars interact during a single event - 4.2 When the three pillars collapse onto fewer people
  5. Navigation by User Need
  6. Navigation by Adoption Path
  7. Navigation by Pillar
  8. Document Control

1. Purpose and Scope

CERG is intentionally complete. That completeness can make the first hour difficult for a new reader. This document is the map.

It explains how the policy, framework, operating model, risk model, controls, standards, procedures, templates, records, evidence, metrics, and improvement loops relate to one another. It does not replace those documents. It tells the reader which document to open next and why.

Use this document when:

  • A leader asks, “What is CERG?”
  • A new adopter asks, “Where do I start?”
  • A practitioner asks, “Which artifact owns this activity?”
  • A contributor asks, “Where does a proposed document belong?”
  • An auditor asks, “How do policy statements become evidence?”

2. The CERG Spine

The CERG spine is the minimum chain that turns security intent into operating work.

Cybersecurity Policy
  -> CERG Framework
  -> CERG Operating Model
  -> Risk Management Framework
  -> Unified Control Baseline
  -> Standards
  -> Procedures and Plans
  -> Templates and Records
  -> Evidence
  -> Metrics and Oversight
  -> Program Improvement
Layer Primary artifact What it answers
Policy CERG-POL-001 What is always true?
Framework CERG-GOV-FRM-001 How is the program conceptually organized?
Operating model CERG-GOV-OM-001 Who owns the work and how do the pillars interact?
Risk model CERG-GOV-RMF-001 How is risk categorized, scored, treated, accepted, and monitored?
Control model CERG-GOV-CB-001 Which control expectations exist and what evidence supports them?
Operating flows CERG-GOV-FLOW-001 How does work move across Engineering, Risk, and Governance?
Requirements Standards in ../standards/ What requirements apply by domain?
Execution Procedures in ../procedures/ How is the work performed?
Records CERG-GOV-CAT-002 What records prove work happened?
Evidence quality CERG-GOV-AUD-001 What makes evidence reliable?
Metrics CERG-GOV-MTR-001 How is posture reported and governed?
Improvement CERG-GOV-IMPREG-001 How does the program learn and change?

3. How the Library Fits Together

3.1 Authority hierarchy

Level Artifact type Authority Example
1 Policy Executive / CISO Cybersecurity Policy
2 Governance instruments CISO / Pillar Leaders Framework, Operating Model, RMF, Control Baseline
3 Standards Governance Pillar Leader Access, Cloud, OT, CUI, Logging, Endpoint
4 Procedures Pillar Owner Exposure Management, TPRM, Architecture Review
5 Plans and packages Pillar Owner IR Plan, CUI package, NERC-CIP package, SOX package
6 Templates and records Process Owner Risk register, exception form, evidence worksheet

3.2 Execution chain

Policy principle
  -> control objective
  -> standard requirement
  -> procedure step
  -> assigned role
  -> record created
  -> evidence stored
  -> metric updated
  -> oversight decision

If any link is missing, the program can still have activity, but it will not have an auditable operating loop.

3.3 Three-pillar accountability

Pillar Primary question Typical output
Cyber Engineering How do we build and operate this securely? Architecture decisions, baselines, secure patterns, remediations
Cyber Risk What exposure remains and what treatment is required? Findings, risk records, vendor assessments, threat validation
Cyber Governance What rule, evidence, decision, or report governs this? Standards, evidence records, metrics, audit packages, improvement actions

4. How Work Moves Through CERG

CERG work should not move by informal chat alone. It should move through one of the canonical flows in FLOW-001.

Flow Use when Primary output
F-01 Control Intent to Implementation A policy, regulation, audit result, or risk decision needs implementation Control implementation record
F-02 Project Intake, Architecture Review, and Threat Modeling A project, platform, application, SaaS, cloud workload, or OT change needs review Project security review record
F-03 Asset Registration and Coverage Validation A new or changed asset enters scope Asset coverage record
F-04 Finding to Remediation, Exception, or Residual Risk A vulnerability, audit finding, test result, or gap is found Finding record, remediation record, exception, or risk acceptance
F-05 Change and Release Security Routing A change could alter security posture Security change review record
F-06 Incident to Recovery to Standards Feedback An incident or exercise produces learning Lessons learned record and improvement action
F-07 Metrics, Oversight, and Improvement Routing Metrics, maturity results, or oversight decisions require action Program improvement record

4.1 How the three pillars interact during a single event

The three pillars are not three teams that vote on everything. They are three accountability lines that each own a distinct question. During a single event, each pillar does one thing and only one thing.

Pillar Owns this question Does this during an event
Cyber Engineering How do we build and operate this securely? Builds the remediation, runs the change, captures implementation evidence
Cyber Risk What exposure remains and what treatment is required? Triages the finding, sets severity, runs the SLA clock, files the risk record or exception
Cyber Governance What rule, evidence, decision, or report governs this? Confirms the SLA, indexes the evidence, updates the dashboard, routes to the right authority

A worked example: a critical vulnerability hits an internet-facing application server on a Tuesday morning.

  1. Risk validates reachability, sets severity, opens the Finding Record, and starts the SLA clock.
  2. Engineering owns the remediation: patch, configuration change, WAF rule, or service isolation. Engineering captures implementation evidence.
  3. Governance confirms the SLA clock is correct, the evidence quality is acceptable, the dashboard reflects status, and any required escalation reaches the right authority. Governance does not run the patch.

The handoffs are explicit. The records are explicit. The clock is explicit. No pillar holds the work hostage waiting for consensus.

For canonical worked examples, read the Day in the Life stories. They are the canonical reference for what each pillar does during a real event. Stories 2, 4, 5, 6, and 8 walk a single event from detection through closure and show the three-pillar handoff in motion. Stories 9 and 10 show how the pillars work together across time.

4.2 When the three pillars collapse onto fewer people

In small teams (CERG Lite, 2-8 people), the three pillars collapse onto fewer heads. The collapse is intentional, documented in the Decision Log per IMP-002 §4, and follows the role consolidation map in IMP-003 §4. The questions do not collapse, only the heads. Risk still triages. Engineering still builds. Governance still routes. One person may answer all three questions in a single hour, but the questions remain distinct.

Story 8 (CERG Lite - Maria and the Tuesday scanner report) is the canonical worked example of the collapse pattern.

5. Navigation by User Need

If you need to… Start with Then use
Explain CERG to executives This document and FRM-001 MTR-001 board reporting sections
Act as a Business Owner / System Sponsor IMP-007 §6 PRC-AR-001, RMF-001, TMPL-RM-004
Adopt CERG for the first time START-HERE IMP-001, IMP-005
Run a small-team version IMP-003 IMP-006
Decide which documents apply IMP-005 VAR-001
Know what records to create CAT-002 Procedure-specific templates
Prepare for audit AUD-001 PRC-AUD-001, operational package for the regulator
Stand up risk management RMF-001 PRC-RM-001, TMPL-RM-001
Start exposure management PRC-VM-001 RMF-001, CAT-002
Defer an OT/BES patch or exposure treatment PRC-VM-001 §7.4 STD-OT-001 §11, RMF-001, PRC-RM-001
Review a new system or SaaS PRC-AR-001 TMPL-AR-001, PRC-TPRM-001
Show how CERG runs in practice Day in the Life examples FLOW-001, OM-001
Onboard a new team member Day in the Life examples, ONB-001 RAC-001
Take on a CERG role for the first time Role Reader Paths IMP-006 (action list, after reading)
Look up a CERG term or record type CERG Glossary FLOW-001 §2 (origin of record type definitions)

6. Navigation by Adoption Path

6.1 CERG Lite

Use when the organization has a small security team or first security hire. The goal is to create a real operating spine without adopting every document.

Start with:

  1. Policy
  2. Framework
  3. Operating Model
  4. Document Catalog
  5. RMF
  6. Risk Register and Exception Process
  7. Risk Register Templates
  8. Exposure Management Procedure
  9. Record Catalog
  10. Role-Based Implementation Checklists

To see what this looks like in practice on a 2-8 person team, read the CERG Lite day-in-the-life story.

6.2 CERG Standard

Use when the organization has an existing security function and needs consistent operation.

Add:

  • Core standards for access, assets, configuration, IT/cloud/SaaS, logging, endpoint, network, and resilience.
  • Architecture review and project intake.
  • Third-party and supply-chain risk.
  • Metrics and reporting.
  • Evidence quality and audit procedure.

For worked examples of how the three pillars produce outcomes together, see the Day in the Life examples — Stories 1, 2, 3, 5, and 7 cover the most common Standard-team situations.

6.3 CERG Regulated

Use when the organization has explicit regulatory obligations.

Add the applicable package:

Obligation Add
CUI / CMMC CUI standard, CUI operational package, SSP, POA&M, evidence matrix
NERC-CIP / OT OT standard, NERC-CIP operational package, segmentation, logging, access, recovery
SOX SOX ITGC operational package, access/change/evidence controls
ISO 27001 ISO operational package, control baseline, SoA support
Privacy Privacy and data protection operational package, data governance standard

For regulator-facing walkthroughs, see the Day in the Life examples — Story 3 (audit request) and Story 6 (third-party incident notification) are written so a regulated audience can map them straight to their own audit and notification obligations.

7. Navigation by Pillar

Pillar First documents to read Operating artifacts to run
Engineering OM-001, FLOW-001, relevant standards Architecture intake, asset coverage, configuration baseline, remediation records
Risk RMF-001, TAX-001, FLOW-001 Risk register, finding records, vendor assessments, threat validation records
Governance POL-001, CAT-001, CB-001, AUD-001 Evidence index, control implementation records, metrics dashboard, improvement register
All three pillars working together Day in the Life examples FLOW-001, OM-001

8. Document Control
Document ID CERG-GOV-FRM-002
Version 1.2
Status Approved
Approved By CISO
Owner Governance Pillar Leader
Next Review Quarterly / Upon significant library structure change

Revision History

Version Date Author Change
1.2 2026-06-18 Governance Pillar Leader Added navigation for Business Owner / System Sponsor reader path and decision artifacts.
1.1 2026-06-18 Governance Pillar Leader Added direct practitioner navigation for OT/BES patch and exposure-treatment deferral routing.
1.0 2026-06-13 Governance Pillar Leader Initial publication. Adds a front-door system map for CERG navigation, adoption, and document relationships.

Review Triggers

  • New top-level governance artifact.
  • Change to adoption paths.
  • Change to canonical cross-pillar flows.
  • New regulated operational package.
  • User feedback indicating navigation confusion.

Source: governance/CERG-GOV-FRM-002_Framework_System_Map.md · Download .md · View on GitHub