Intent → controls → implementation guidance.

Start with the broad security intent, then drill into the actual CERG baseline controls that implement it. Each row joins the regulator view, threat rationale, baseline control statement, evidence expectation, cadence, owner, and subordinate implementation guidance.