CONTROL-TO-PROCEDURE TRACEABILITY MATRIX

Control Baseline · Operational Procedure · Evidence · Gap Detection · Audit Routing


| Field | Value |
|---|---|
| Document ID | CERG-GOV-TRC-001 |
| Version | 1.2 |
| Status | Approved |
| Classification | Public |
| Owner | Governance Pillar Leader (Control Baseline) |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Supporting Documents | CERG-GOV-CB-001 · CERG-PRC-AUD-001 · CERG-TMPL-AUD-001 · CERG-GOV-CAT-001 |
| Review Cycle | Annual / On control baseline, standard, procedure, or evidence model change |
| Frameworks | NIST 800-53r5 · NIST 800-171r3 · NIST CSF 2.0 GOVERN · ISO/IEC 27001 |
| Regulations | Cross-cutting; CMMC, NERC-CIP, SOX ITGC, privacy, customer assurance where applicable |
| Environments | All in-scope CERG controls and evidence-producing processes |

Table of Contents

  1. Purpose and Scope
  2. How to Read the Matrix
  3. Traceability Rules
  4. Baseline Control Traceability Matrix
  5. Overlay Traceability
  6. Gap Detection Rules
  7. Maintenance Workflow
  8. Document Control

1. Purpose and Scope

CERG-GOV-CB-001 defines the unified control baseline and names evidence for each control. This matrix adds the missing operating layer: for each baseline control, it identifies the standard or procedure that operationalizes the control, the template or evidence package that proves operation, and the gap signal that should be raised when traceability is incomplete.

This document complements the Unified Control Baseline. It does not replace it. The baseline remains the authoritative source for the control statement, owning pillar, evidence name, frequency, and regulatory crosswalk. This matrix is the operational routing map that tells a control owner, auditor, or AI agent where to go to run, test, or fix the control.

Every Control Needs a Runbook or a Reason

A control baseline says what must be true. A procedure says how the organization makes it true. Evidence proves it happened. If a control has no procedure, no standard, and no evidence path, it is not really operational. This matrix is the gap detector.


2. How to Read the Matrix

| Column | Meaning |
|---|---|
| Baseline Control | Control identifier and title from CERG-GOV-CB-001 Section 6. |
| Control Intent | Short operational purpose. The full statement remains in CERG-GOV-CB-001. |
| Governing Standard | The standard that sets requirements or parameters. |
| Operating Procedure / Plan | The procedure or plan that runs the control or review cycle. |
| Evidence Template / Record | The canonical record type, template, or structured artifact expected for evidence production. |
| Evidence Produced | The proof package, worksheet, register, or evidence output that supports testing. |
| Primary Accountable Role | Canonical role accountable for traceability and operation. |
| Gap Signal | What indicates that the control lacks operational coverage. |

3. Traceability Rules

  1. Every baseline control must map to at least one governing standard or procedure.
  2. Every baseline control must map to a canonical evidence template, record type, or structured artifact.
  3. Every baseline control must map to named evidence.
  4. Evidence must be testable through CERG-PRC-AUD-001 or an approved regulated-scope audit procedure.
  5. If a control is inherited, the inheritance evidence package from CERG-GOV-CB-001 Section 5 must be linked.
  6. If a control is partially implemented or planned, the POA&M and risk linkage must be present.
  7. If no CERG procedure owns an operating step, the row is flagged as a gap for the Governance Pillar Leader.
  8. This matrix is updated whenever a new standard, procedure, plan, template, or control baseline revision changes ownership or evidence flow.

4. Baseline Control Traceability Matrix

| Baseline Control | Control Intent | Governing Standard | Operating Procedure / Plan | Evidence Template / Record | Evidence Produced | Primary Accountable Role | Gap Signal |
|---|---|---|---|---|---|---|---|
| AC-2 Account Management | Approved, owned, reviewed accounts. | CERG-STD-AC-001 | JML and access review execution through CERG-PRC-AC-002; audit testing through CERG-PRC-AUD-001. | Access Review Record; Evidence Index Entry; TMPL-AUD-001; System Control Profile Record where system-specific | JML log, access review evidence package, quarterly recertification report, CERG-TMPL-AUD-001. | Engineering Pillar Leader | Accounts without owner, recertification, reviewer authority, or JML evidence. |
| AC-3 Access Enforcement | Approved authentication and authorization. | CERG-STD-AC-001 | Architecture review through CERG-PRC-AR-001. | Project Security Review Record; System Control Profile Record where system-specific | IdP / PAM policy export, architecture intake record. | Engineering Pillar Leader | Local, shared, hard-coded, or bypass access path. |
| AC-6 Least Privilege | Role-bound and time-bound access. | CERG-STD-AC-001 | Privileged access review and removal validation through CERG-PRC-AC-002; exception workflow through CERG-PRC-RM-001. | Access Review Record; Security Exception Record where needed; TMPL-AUD-001; System Control Profile Record | Privileged access review evidence package, PAM session logs, role inventory, exception register. | Engineering Pillar Leader | Privileged access without role basis, reviewer authority, expiration, removal validation, or review evidence. |
| AC-7 Unsuccessful Logon Attempts | Identity attack resistance. | CERG-STD-AC-001, CERG-STD-LM-001 | Detection coverage review through metrics and audit. | Detection Coverage Record; Reporting Metric Record; TMPL-AUD-001 | IdP policy export, detection rule, coverage report. | Risk Pillar Leader | Failed-login thresholds or detection rules missing. |
| AC-17 Remote Access | Governed and logged remote access. | CERG-STD-AC-001, CERG-STD-NET-001 | Architecture review, risk exception process for nonstandard paths. | Project Security Review Record; Security Exception Record; TMPL-RM-002; System Control Profile Record | Gateway logs, MFA policy export, exception request form. | Engineering Pillar Leader | Direct or undocumented remote access path. |
| AC-19 Mobile / BYOD | Conditional-access controlled mobile access. | CERG-STD-EP-001 | Device posture review and exception workflow. | Endpoint / Mobile Compliance Record; Security Exception Record; TMPL-AUD-001 | MDM compliance report, exception register. | Engineering Pillar Leader | Mobile access without enrollment or compliance signal. |
| AU-2 Event Logging | Required events reach logging platform. | CERG-STD-LM-001 | Logging coverage review and audit evidence process. | Detection Coverage Record; Evidence Index Entry; System Control Profile Record where system-specific | SIEM source inventory, gap report. | Risk Pillar Leader | Required source missing or unmonitored. |
| AU-6 Audit Review | Alerts are reviewed and acted on. | CERG-STD-LM-001 | Metrics reporting through CERG-GOV-MTR-001. | Reporting Metric Record; Detection Coverage Record; TMPL-AUD-001 | Detection coverage report, triage queue metrics. | Risk Pillar Leader | Alert queue lacks review, ownership, or tuning record. |
| AU-9 Protection of Audit Information | Logs protected from alteration. | CERG-STD-LM-001, CERG-STD-DG-001 | Audit test worksheet and evidence review. | Evidence Index Entry; TMPL-AUD-001 | Storage policy, admin-action review. | Risk Pillar Leader | Logging admins can alter or delete evidence without oversight. |
| AU-11 Audit Record Retention | Logs retained and retrievable. | CERG-STD-LM-001, CERG-PRC-AUD-001 | Evidence retrieval sampling. | Evidence Index Entry; TMPL-AUD-001 | Retention policy, sample retrieval evidence. | Evidence Librarian | Required logs stale, unretrievable, or outside retention period. |
| CM-2 Baseline Configuration | Secure baseline applied. | CERG-STD-CFG-001 | Security change management and audit testing. | Configuration Baseline Record; System Control Profile Record; TMPL-AUD-001 | DISH baseline catalog, scan report. | Engineering Pillar Leader | System lacks applicable baseline or scan evidence. |
| CM-3 Change Control | Security-relevant changes governed. | CERG-STD-IT-001, CERG-STD-OT-001 | CERG-PRC-CHG-001. | Security Change Review Record; System Control Profile Record where system-specific | CAB minutes, change records, control-impact review. | Engineering Pillar Leader | Production change lacks approval or security review. |
| CM-6 Configuration Settings | Drift detected and routed. | CERG-STD-CFG-001 | Exception workflow through CERG-PRC-RM-001. | Configuration Baseline Record; Security Exception Record; System Control Profile Record | Drift report, exception register. | Engineering Pillar Leader | Drift exists without exception or remediation. |
| CM-7 Least Functionality | Unneeded services disabled. | CERG-STD-CFG-001, CERG-STD-EP-001 | Vulnerability and configuration review. | Configuration Baseline Record; System Control Profile Record; TMPL-SCP-001 | Application allowlist, port-scan report. | Engineering Pillar Leader | Unauthorized service, port, or software persists. |
| CM-8 System Component Inventory | Complete authoritative inventory. | CERG-STD-AM-001 | Monthly inventory reconciliation. | Asset Inventory Record; Asset Coverage Record; System Control Profile Record | Asset inventory export, reconciliation log. | Engineering Pillar Leader | Asset has no owner, class, lifecycle state, or source-of-truth record. |
| CP-2 Contingency Plan | Current recovery plan exists. | CERG-STD-RES-001 | CERG-PLN-BC-001. | Business Continuity Exercise Record or system recovery profile; System Control Profile Record | Plan document, BCP interface record. | Governance Pillar Leader | System lacks tiered recovery plan or BCP interface. |
| CP-4 Contingency Plan Testing | Recovery plan tested. | CERG-STD-RES-001 | DR exercise under CERG-PLN-BC-001. | Business Continuity Exercise Record; Lessons Learned Record; TMPL-AUD-001 | Test report, lessons learned, risk-register update. | Governance Pillar Leader | Recovery test overdue or lessons not tracked. |
| CP-9 System Backup | Backups isolated and restorable. | CERG-STD-RES-001 | Backup assurance and DR testing. | Backup and Recovery Test Record; System Control Profile Record | Backup report, immutability evidence. | Engineering Pillar Leader | Backup lacks immutability, isolation, or restore evidence. |
| CP-10 Information System Recovery | RTO/RPO proven. | CERG-STD-RES-001 | DR exercise and recovery validation. | Backup and Recovery Test Record; Business Continuity Exercise Record; System Control Profile Record | Restoration test evidence. | Engineering Pillar Leader | Restore test cannot meet RTO or RPO. |
| IA-2 Identification and Authentication | Phishing-resistant human identity. | CERG-STD-AC-001 | Access review and exception workflow. | Access Review Record; Security Exception Record where needed; System Control Profile Record | IdP policy, exception register. | Engineering Pillar Leader | Legacy authentication or missing MFA exception. |
| IA-3 Device Identification and Authentication | Device identity recognized. | CERG-STD-AC-001, CERG-STD-NET-001 | Architecture and network review. | Asset Coverage Record; Project Security Review Record; System Control Profile Record | NAC / conditional-access policy. | Engineering Pillar Leader | Unknown device can access protected environment. |
| IA-5 Authenticator Management | Secrets, keys, certificates governed. | CERG-STD-CR-001, CERG-STD-AC-001 | Security change management and audit test. | Configuration Baseline Record or certificate/secrets inventory record; System Control Profile Record | Secrets manager export, certificate inventory. | Engineering Pillar Leader | Secret or certificate exists outside approved lifecycle. |
| RA-3 Risk Assessment | Risks identified, scored, treated. | CERG-GOV-CB-001 | CERG-PRC-RM-001. | Risk Register Entry; Risk Acceptance Record; TMPL-RM-001; TMPL-RM-004 | Risk register, acceptance memo, exception request. | Risk Pillar Leader | Material issue exists outside risk register. |
| RA-5 Vulnerability Monitoring and Scanning | Vulnerabilities assessed and prioritized. | CERG-STD-CFG-001 | CERG-PRC-VM-001. | Finding Record; Exposure Backlog Item; TMPL-RM-001 | Scan reports, SLA dashboard. | Risk Pillar Leader | Asset missing scanner coverage or alternative method. |
| SI-2 Flaw Remediation | Findings remediated or accepted. | CERG-STD-CFG-001 | CERG-PRC-VM-001, CERG-PRC-RM-001. | Finding Record; Security Exception Record; Risk Acceptance Record; TMPL-RM-002; TMPL-RM-004 | SLA report, exception register, POA&M. | Risk Pillar Leader | Critical or High finding past SLA without approved treatment. |
| SI-4 System Monitoring | Required monitoring covers system. | CERG-STD-LM-001 | Detection coverage and metrics reporting. | Detection Coverage Record; Reporting Metric Record; System Control Profile Record | Coverage report, dashboard metric. | Risk Pillar Leader | Tool, source, or detection coverage gap not recorded. |
| SR-2 Supply Chain Risk Management Plan | Vendors tiered and governed. | CERG-PRC-TPRM-001 | CERG-PRC-TPRM-001. | Vendor Risk Assessment Record; TMPL-TPRM-001 | TPRM register, SCCT roster, questionnaire template. | Vendor Risk Analyst | Vendor lacks tier, evidence, contract requirement, or owner. |
| SR-3 Supply Chain Controls and Processes | Country and supply-chain controls enforced. | CERG-PRC-TPRM-001 | CERG-PRC-TPRM-001, CERG-PRC-RM-001. | Vendor Risk Assessment Record; Security Exception Record; TMPL-TPRM-001; TMPL-RM-002 | Country-risk register, exception register. | Vendor Risk Analyst | International access or supply-chain exception lacks approval. |

5. Overlay Traceability

| Overlay | Operational Package / Standard | Evidence Route | Gap Signal |
|---|---|---|---|
| High-Impact | CERG-STD-CFG-001, CERG-STD-LM-001 | Baseline scan, monitoring coverage, vulnerability SLA report. | High-impact system lacks tightened parameters or evidence. |
| CUI | CERG-STD-CUI-001, CERG-PLN-CUI-001 | SSP, POA&M, CUI evidence package, SPRS / CMMC readiness records. | CUI system lacks SSP, POA&M, or control implementation evidence. |
| BES | CERG-STD-OT-001, CERG-PLN-CIP-001 | CIP evidence package, ESP/EAP topology, recovery exercise, log retention evidence. | BES control lacks CIP-mapped evidence or review cadence. |
| SOX ITGC | CERG-STD-IT-001, CERG-PLN-SOX-001 | Access, change, operations, backup, interface, and report-control evidence. | SOX system lacks quarterly access review, change record, or operations evidence. |
| OT Safety | CERG-STD-OT-001 | Engineering review, change window record, passive assessment evidence. | Safety-impacting OT change lacks engineering review or approved scan method. |
| Privacy | CERG-STD-DG-001, CERG-PLN-PRIV-001 | DPIA support record, data inventory, deletion evidence, breach clock support record. | Personal data processing lacks inventory, DPIA, or retention evidence. |
| ISO/IEC 27001 | CERG-PLN-ISO-001 | ISMS scope, SoA, internal audit, management review. | ISO-scoped control lacks SoA rationale or audit evidence. |

5.1 Composite Trace: Regulated Architecture Review

Regulated architecture review is a composite evidence path, not a single-control test. Use this trace when a new or materially changed system touches CUI, BES Cyber Systems, SOX-relevant financial systems, personal data at material scale, AI with regulated data, or another regulated scope.

| Trace element | Required routing | Canonical records / evidence | Controls covered |
|---|---|---|---|
| Intake and scope | CERG-PRC-AR-001 identifies business owner, system owner, environment, data classification, regulatory scope, go-live target, and review tier. | Project Security Review Record; intake form; scope statement; data classification decision. | AC-2, AC-3, AC-6, CM-3, CM-8, RA-3 |
| Architecture and control design | Engineering reviews identity, network, logging, resilience, data handling, integration, and change path against applicable standards. | Architecture decision, design diagram, control conformance checklist, approved-pattern reference if used. | AC-3, AC-17, AU-2, AU-9, CM-2, CM-6, CP-9, SI-4 |
| Threat and risk analysis | Risk performs threat model where required and opens risk entries for deferred or residual issues. | Threat Model Record; Risk Register Entry; Finding Record where pre-go-live issue is discovered. | RA-3, RA-5, SI-2, SR-2/SR-3 where vendor/integration exists |
| Regulated overlay | Governance maps CUI, BES, SOX, privacy, or ISO obligations and required evidence package. | SSP / POA&M where CUI applies; CIP evidence reference where BES applies; SOX ITGC control mapping; Privacy Security Support Record where privacy applies. | Overlay-specific controls plus AC/AU/CM/CP/IA/RA/SI/SR baseline controls |
| Pre-production closure | Required pre-go-live issues are remediated, exceptioned, or risk-accepted under RMF authority before release. | Closure checklist, remediation evidence, Security Exception Record, Risk Acceptance Record, go-live disposition. | CM-3, RA-3, SI-2 |
| Handoff and evidence index | Evidence Librarian indexes the complete review package and links it to control, system, owner, period, and regulatory scope. | Evidence Index Entry; Project Security Review Record closure package; Reporting Metric Record where tracked. | AUD evidence path for all mapped controls |

A regulated architecture review is incomplete if any required overlay has no named owner, no evidence location, or no disposition for deferred issues. Deferred issues that remain after go-live must appear as a Risk Register Entry, Security Exception Record, Risk Acceptance Record, or POA&M item as applicable.


6. Gap Detection Rules

A traceability gap exists when any of the following is true:

  1. the baseline names a control but no standard or procedure operationalizes it;
  2. a control maps to evidence but no evidence owner is named;
  3. a control maps to a procedure that is out of scope, retired, or missing from the catalog;
  4. a control depends on inherited control evidence but the inheritance package is missing;
  5. a control is partially implemented but has no POA&M item;
  6. a control is risk accepted but lacks a Risk Register Entry, Risk Acceptance Record, or linked Security Exception Record where a control deviation exists;
  7. a control has evidence, but the evidence cannot be retrieved within the audit retrieval window;
  8. the catalog changes but this matrix is not reviewed.

Traceability gaps are routed as follows:

| Gap Type | Route To | Required Action |
|---|---|---|
| Missing standard or procedure | Governance Pillar Leader | Create planned artifact entry or amend artifact. |
| Missing evidence owner | Evidence Librarian | Assign owner and evidence location. |
| Missing risk or exception link | Risk Register Owner | Create or update risk, exception, or acceptance record. |
| Missing implementation evidence | Responsible control owner | Produce evidence or open POA&M. |
| Catalog mismatch | Governance Pillar Leader (Document Control) | Amend catalog or matrix. |

7. Maintenance Workflow

This matrix is maintained annually and whenever one of these changes occurs:

  • CERG-GOV-CB-001 adds, removes, or changes a control;
  • a standard, procedure, plan, or template is added or retired;
  • audit testing finds a control without an operational procedure;
  • evidence ownership changes;
  • regulatory scope changes;
  • CISO directs a traceability review.

Maintenance steps:

  1. compare the baseline control list to Section 4;
  2. confirm each control still has a governing standard or procedure;
  3. confirm each control has named evidence or inheritance package;
  4. confirm each evidence path is testable through audit or assessment workflow;
  5. update gap signals and routing where the operating model changed;
  6. amend the catalog if this artifact or referenced artifacts changed status.
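The Section 3 traceability rules, the Section 6 gap detection rules and routing table, and the Section 7 maintenance checks are mechanical enough to run as code over the matrix rows. The following is an added example written for this page, not part of CERG-GOV-TRC-001 or any CERG tooling; the row schema, the catalog stub standing in for CERG-GOV-CAT-001, the status vocabulary (implemented / partial / planned / inherited / risk_accepted), the 72-hour retrieval window, and the routing of unretrievable evidence to the responsible control owner are all assumptions made for illustration.

```python
"""Traceability gap detector for control-matrix rows (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Artifact identifiers follow the CERG naming pattern used throughout the matrix.
ARTIFACT_ID = re.compile(r"\bCERG-(?:STD|PRC|PLN|GOV|TMPL)-[A-Z]+-\d{3}\b")

# Constructed stand-in for catalog status data (assumed statuses, not the real catalog).
CATALOG: Dict[str, str] = {
    "CERG-STD-AC-001": "active",
    "CERG-PRC-AC-002": "active",
    "CERG-PRC-AUD-001": "active",
    "CERG-STD-LM-001": "active",
    "CERG-PRC-OLD-001": "retired",   # constructed retired procedure
}

# Section 6 routing table, keyed by gap type.
ROUTING = {
    "missing_standard_or_procedure": "Governance Pillar Leader",
    "missing_evidence_owner": "Evidence Librarian",
    "missing_risk_or_exception_link": "Risk Register Owner",
    "missing_implementation_evidence": "Responsible control owner",
    "catalog_mismatch": "Governance Pillar Leader (Document Control)",
}

@dataclass
class MatrixRow:
    control: str
    governing_standard: str = ""
    operating_procedure: str = ""
    evidence_template: str = ""
    evidence_produced: str = ""
    evidence_owner: str = ""
    status: str = "implemented"              # implemented | partial | planned | inherited | risk_accepted
    inheritance_package: str = ""
    poam_item: str = ""
    risk_links: Tuple[str, ...] = ()         # linked record types, e.g. "Risk Register Entry"
    has_deviation: bool = False
    retrieval_hours: Optional[float] = None  # measured evidence retrieval time, if sampled

@dataclass
class Gap:
    control: str
    gap_type: str
    detail: str
    route_to: str

def detect_gaps(row: MatrixRow, catalog: Dict[str, str] = CATALOG,
                retrieval_window_hours: float = 72.0) -> List[Gap]:
    """Apply the Section 3 traceability rules and Section 6 gap rules to one row."""
    gaps: List[Gap] = []

    def flag(gap_type: str, detail: str) -> None:
        gaps.append(Gap(row.control, gap_type, detail, ROUTING[gap_type]))

    # Rule: at least one governing standard or operating procedure.
    if not (row.governing_standard.strip() or row.operating_procedure.strip()):
        flag("missing_standard_or_procedure", "no governing standard or operating procedure")
    # Rule: a canonical evidence template and named evidence, with a named owner.
    if not (row.evidence_template.strip() and row.evidence_produced.strip()):
        flag("missing_implementation_evidence", "no evidence template or named evidence")
    elif not row.evidence_owner.strip():
        flag("missing_evidence_owner", "evidence named but no evidence owner")
    # Gap rule: a referenced standard or procedure that is retired or absent from the catalog.
    for art in ARTIFACT_ID.findall(row.governing_standard + " " + row.operating_procedure):
        state = catalog.get(art)
        if state != "active":
            flag("catalog_mismatch", f"{art} is {state or 'missing from catalog'}")
    # Gap rule: an inherited control must link its inheritance evidence package.
    if row.status == "inherited" and not row.inheritance_package:
        flag("missing_implementation_evidence", "inherited control without inheritance package")
    # Gap rule: a partially implemented or planned control needs a POA&M item.
    if row.status in ("partial", "planned") and not row.poam_item:
        flag("missing_risk_or_exception_link", "partial/planned control without POA&M item")
    # Gap rule: a risk-accepted control needs its acceptance records; a Security Exception
    # Record is additionally required where a deviation exists (one reading of rule 6).
    if row.status == "risk_accepted":
        needed = {"Risk Register Entry", "Risk Acceptance Record"}
        if row.has_deviation:
            needed.add("Security Exception Record")
        missing = sorted(needed - set(row.risk_links))
        if missing:
            flag("missing_risk_or_exception_link", "risk-accepted without " + ", ".join(missing))
    # Gap rule: evidence exists but cannot be retrieved within the audit window
    # (routing this as missing implementation evidence is an assumption).
    if row.retrieval_hours is not None and row.retrieval_hours > retrieval_window_hours:
        flag("missing_implementation_evidence",
             f"evidence retrieval took {row.retrieval_hours:g}h, window is {retrieval_window_hours:g}h")
    return gaps

def reconcile_baseline(baseline_controls: List[str], rows: List[MatrixRow]) -> List[Gap]:
    """Maintenance step 1: compare the baseline control list to the matrix rows."""
    matrix_ids = {r.control for r in rows}
    baseline_ids = set(baseline_controls)
    gaps = [Gap(c, "catalog_mismatch", "baseline control has no matrix row",
                ROUTING["catalog_mismatch"]) for c in baseline_controls if c not in matrix_ids]
    gaps += [Gap(r.control, "catalog_mismatch", "matrix row has no baseline control",
                 ROUTING["catalog_mismatch"]) for r in rows if r.control not in baseline_ids]
    return gaps

def run_matrix(baseline_controls: List[str], rows: List[MatrixRow]) -> List[Gap]:
    """Full sweep: baseline reconciliation followed by per-row gap detection."""
    gaps = reconcile_baseline(baseline_controls, rows)
    for row in rows:
        gaps.extend(detect_gaps(row))
    return gaps

# Constructed sample rows: AC-2 is transcribed from Section 4; XX-1 and XX-2 are invented.
SAMPLE_ROWS = [
    MatrixRow("AC-2", "CERG-STD-AC-001",
              "JML and access review execution through CERG-PRC-AC-002; audit testing through CERG-PRC-AUD-001.",
              "Access Review Record; Evidence Index Entry; TMPL-AUD-001; System Control Profile Record",
              "JML log, access review evidence package, quarterly recertification report.",
              "Engineering Pillar Leader"),
    MatrixRow("XX-1", "CERG-PRC-OLD-001", "", "Finding Record", "Scan report", "", status="partial"),
    MatrixRow("XX-2", "CERG-STD-LM-001", "Evidence retrieval sampling.", "Evidence Index Entry",
              "Retention policy", "Evidence Librarian", status="risk_accepted",
              risk_links=("Risk Register Entry",), has_deviation=True, retrieval_hours=96),
]

if __name__ == "__main__":
    for g in run_matrix(["AC-2", "XX-1", "XX-2", "AU-2"], SAMPLE_ROWS):
        print(f"{g.control}: {g.gap_type} -> {g.route_to} ({g.detail})")
```

Run against the constructed rows, AC-2 produces no gaps, XX-1 is routed three ways (no evidence owner, retired procedure, partial status without POA&M), XX-2 is flagged for the missing acceptance and exception records and for evidence that cannot be retrieved inside the window, and the reconciliation step reports AU-2 as a baseline control with no matrix row. Each Gap carries the Section 6 route so the output can be handed to the accountable role directly.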

8. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-TRC-001 |
| Version | 1.2 |
| Status | Approved |
| Effective Date | 2026-05-22 |
| Classification | Public |
| Owner | Governance Pillar Leader (Control Baseline) |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual; and on control baseline, standard, procedure, or evidence model change |
| Next Scheduled Review | 2027-05-22 |
| Frameworks | NIST 800-53r5; NIST 800-171r3; NIST CSF 2.0 GOVERN; ISO/IEC 27001 |
| Regulations | Cross-cutting; CMMC, NERC-CIP, SOX ITGC, privacy, customer assurance where applicable |
| Environments | All in-scope CERG controls and evidence-producing processes |

Revision History

| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.2 | 2026-06-20 | Governance Pillar Leader | Added Evidence Template / Record routing column and mapped baseline controls to canonical evidence records, templates, and System Control Profile records where system-specific proof is expected. |
| 1.1 | 2026-06-18 | Governance Pillar Leader | Added PRC-AC-002 to AC-2 and AC-6 traces, added regulated architecture review composite trace, and aligned risk-acceptance evidence names to CAT-002. |
| 1.0 Draft | 2026-05-22 | Cyber Governance | Initial release. Establishes the control-to-procedure traceability matrix, overlay traceability, gap detection rules, and maintenance workflow. |

Review Triggers

  • Control baseline changes
  • Standard, procedure, plan, or template added or retired
  • Audit finding related to control ownership or evidence traceability
  • Evidence model or owner changes
  • Regulatory scope change
  • Direction from the CISO

| Document | ID | Relationship |
|---|---|---|
| Unified Control Baseline | CERG-GOV-CB-001 | Source of baseline controls and evidence names |
| Audit and Evidence Management Procedure | CERG-PRC-AUD-001 | Evidence and audit testing workflow |
| Control Evidence and Test Worksheet | CERG-TMPL-AUD-001 | Test worksheet for controls in this matrix |
| Document Catalog and Naming Convention | CERG-GOV-CAT-001 | Authoritative artifact inventory |

Source: governance/CERG-GOV-TRC-001_Control_to_Procedure_Traceability_Matrix.md