# CERG — Cyber Engineering, Risk & Governance

> An open-source cybersecurity framework that unifies NIST 800-53, NIST CSF 2.0,
> NIST 800-171, NIST RMF, NERC-CIP v7, CMMC L2, and SOX ITGC into a single
> implementation-ready control program. Built once, evidenced once.

## Documents

### Framework & Strategy

- [1. Purpose and Scope](markdown/governance/CERG-POL-001_Cybersecurity_Policy.md): This document establishes the foundational cybersecurity policy for the organization. It defines the enduring security principles that govern all information and operational technology, regardless of
- [CERG Risk Management Framework](markdown/governance/CERG-GOV-RMF-001_Risk_Management_Framework.md): The six phases map directly to the NIST RMF, with CERG pillar ownership assigned at each step:

### Governance Core

- [1. Flow Structure Conventions](markdown/governance/CERG-GOV-FLOW-001_Cross-Pillar_Operational_Flows.md): Every flow in this document follows a consistent structure. When implementing a flow, use these conventions to ensure completeness.
- [1. Know what you own: maintain an authoritative asset inventory](markdown/governance/CERG-GOV-CMX-001_Compliance_Matrix.md): Primary Pillar: Engineering · Regulations: NERC-CIP · [CMMC](https://dodcio.defense.gov/CMMC/) · · NIST
- [22 Control Areas Mapped to Security Risks: All Pillars · All Severity Levels](markdown/governance/CERG-GOV-TAX-001_Risk_Taxonomy.md): Risk prevented: Unknown control failures and compliance drift. Controls degrade. Configurations change. People leave. Periodic self-assessment catches the gap between what the policy says and what is
- [ANNUAL SECURITY AND GOVERNANCE CALENDAR](markdown/governance/CERG-GOV-CAL-001_Annual_Security_and_Governance_Calendar.md): The monthly operating review uses a standard agenda:
- [CERG OPERATING MODEL](markdown/governance/CERG-GOV-OM-001_CERG_Operating_Model.md): This is not a policy. [CERG-POL-001](CERG-POL-001_Cybersecurity_Policy.md) is the policy. This document is the operating description that every CERG team member, business sponsor, and adjacent functio
- [CONSOLIDATED ROLES, RESPONSIBILITIES, AND RACI INSTRUMENT](markdown/governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md): The division of labor is deliberate and must stay clean.
- [CONTROL EFFECTIVENESS FRAMEWORK](markdown/governance/CERG-GOV-CEF-001_Control_Effectiveness_Framework.md): CERG's Unified Control Baseline (CB-001) tracks whether each control is Implemented, Partially Implemented, Inherited, Planned, Risk Accepted, or Not Applicable. That answers "is the control in place?
- [CONTROL-TO-PROCEDURE TRACEABILITY MATRIX](markdown/governance/CERG-GOV-TRC-001_Control_to_Procedure_Traceability_Matrix.md): A traceability gap exists when any of the following is true:
- [DOCUMENT CATALOG AND NAMING CONVENTION](markdown/governance/CERG-GOV-CAT-001_Document_Catalog_and_Naming_Convention.md): It applies to every CERG-owned artifact, policy, standard, procedure, plan, guideline, template, and operational package, regardless of medium (Markdown source, exported Word/PDF, intranet page, or th
- [MATURITY SELF-ASSESSMENT AND SCORECARD](markdown/governance/CERG-GOV-MAT-001_Maturity_Self_Assessment_and_Scorecard.md): It is a self-assessment. An organization scores itself against 24 domains, each tied to real CERG artifacts and observable evidence. The output is a tier per domain, a tier per pillar, an overall tier
- [METRICS, DASHBOARD, AND CISO / BOARD REPORTING](markdown/governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md): It applies to every CERG-produced metric and every CERG-produced report consumed by the Cyber Oversight Group (CISO's reporting line, operating unit leadership, executives, or board depending on org s
- [RECORD CATALOG](markdown/governance/CERG-GOV-CAT-002_Record_Catalog.md): CERG procedures create records. Records become evidence. Evidence supports metrics, oversight, audits, and risk decisions.
- [UNIFIED CONTROL BASELINE](markdown/governance/CERG-GOV-CB-001_Unified_Control_Baseline.md): It applies to every in-scope asset and every CERG-owned control. Where a subordinate standard imposes a more specific requirement, the standard controls and is referenced from the relevant entry here.
- [CERG Style Compliance Tracker](markdown/governance/CERG-GOV-STY-002_Style_Compliance_Tracker.md): Purpose: Track known STY-001 and governance compliance gaps across the CERG corpus. Owner: Governance Pillar Leader (Document Control)
- [DOCUMENT AUTHORING AND STYLE GUIDE](markdown/governance/CERG-GOV-STY-001_Document_Authoring_and_Style_Guide.md): It applies to every new or revised CERG policy, governance instrument, standard, procedure, plan, template, and operational package.

### Implementation & Adoption

- [1. Before You Start](markdown/governance/CERG-GOV-IMP-002_Adoption_Safety_Guide.md): CERG is an operating-model and document corpus for standing up a cybersecurity program. It is not a control checklist, a compliance certificate, or a substitute for organizational commitment.
- [1. Who This Is For](markdown/governance/CERG-GOV-IMP-003_Small_Team_Adoption_Path.md): This guide is for teams of 8 people or fewer who want to run CERG as their operating model. It assumes you have read the [Adoption Safety Guide](CERG-GOV-IMP-002_Adoption_Safety_Guide.md) and confirme
- [ADOPTION DECISION TREE AND DEPENDENCY MATRIX](markdown/governance/CERG-GOV-IMP-005_Adoption_Decision_Tree_and_Dependency_Matrix.md): CERG is modular, but it is not arbitrary. Some artifacts can be deferred safely. Others must travel together because they form an operating loop.
- [IMPLEMENTATION AND ADAPTATION GUIDE](markdown/governance/CERG-GOV-IMP-001_Implementation_and_Adaptation_Guide.md): CERG is a cybersecurity operating model starter kit — the spine, artifacts, workflows, and evidence model to run a program. What it has needed is a clear on-ramp: a single document that tells an organ
- [IMPLEMENTATION CARDS](markdown/governance/CERG-GOV-IMP-004_Implementation_Cards.md): Intent: Maintain an authoritative asset inventory. [CMX-001 §1](CERG-GOV-CMX-001_Compliance_Matrix.md)
- [ORGANIZATION ADAPTATION PROFILE](markdown/governance/CERG-GOV-VAR-001_Organization_Adaptation_Profile.md): This document removes that problem. It defines a token scheme, ships a single values file an organization fills in once, and ships a render tool that produces an organization-specific copy of the enti
- [PROGRAM IMPROVEMENT REGISTER](markdown/governance/CERG-GOV-IMPREG-001_Program_Improvement_Register.md): This document applies to every CERG program improvement, regardless of source: lessons learned (PRC-LL-001), intelligence-driven reprioritization, maturity assessment gaps (MAT-001), metric threshold
- [ROLE-BASED IMPLEMENTATION CHECKLISTS](markdown/governance/CERG-GOV-IMP-006_Role_Based_Implementation_Checklists.md): CERG adoption fails when everyone agrees with the framework but no one knows what to do next. This document converts the adoption model into role-based action.

### Workforce Governance

- [1. About This Document](markdown/governance/CERG-GOV-JD-001_CERG_Job_Descriptions.md): 1. [About This Document](#1-about-this-document) 2. [Job Family Structure](#2-job-family-structure) 3. [Per-Role Document Index](#3-per-role-document-index) 4. [Document Control](#4-document-control)
- [COMPETENCY MODEL AND BEHAVIORAL ANCHORS](markdown/governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md): It applies to every CERG SME-track role. Management-track competencies are addressed in Section 7 as an addendum, referencing the leadership dimensions already defined in JA-001 §5. The two Adjacent I
- [CONTRACTOR AND NON-EMPLOYEE STAFF INTEGRATION GUIDE](markdown/governance/CERG-GOV-CON-001_Contractor_and_Non-Employee_Staff_Integration_Guide.md): CERG-adopting organizations engage contractors for legitimate reasons:
- [JOB ARCHITECTURE AND GRADE FRAMEWORK](markdown/governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md): 1. Two tracks, equal ceiling. The SME track and the Management track carry equivalent organizational weight. A Sr. Advisor and a Senior Manager sit at comparable levels of influence, compensation, and
- [ONBOARDING AND INTEGRATION PROGRAM](markdown/governance/CERG-GOV-ONB-001_Onboarding_and_Integration_Program.md): 2. The pillar owns the person; the program owns the first 90 days. The hiring manager is accountable for the new hire's success. The onboarding program provides the structure; the manager executes it.
- [PERFORMANCE MANAGEMENT AND PROMOTION FRAMEWORK](markdown/governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md): It applies to every CERG team member, manager, and pillar leader. It does not apply to the CISO, whose performance management is governed by the executive evaluation framework of the organization, or
- [SUCCESSION PLANNING AND TALENT REVIEW FRAMEWORK](markdown/governance/CERG-GOV-SUCC-001_Succession_Planning_and_Talent_Review_Framework.md): Cybersecurity teams have a single-point-of-failure problem that is worse than most knowledge-work functions for three reasons:
- [TRAINING, DEVELOPMENT, AND CERTIFICATION FRAMEWORK](markdown/governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md): It applies to every CERG team member. Certifications are role-dependent; the training philosophy, cross-training expectation, and budget guidelines are universal.
- [WORKFORCE PLANNING AND CAPACITY MODEL](markdown/governance/CERG-GOV-WFP-001_Workforce_Planning_and_Capacity_Model.md): Most corporate functions have stable workload-to-headcount ratios. Accounts payable: X invoices per clerk per month. IT support: Y tickets per technician per day. Cybersecurity does not work this way

### Governance Instruments

- [1. Purpose and Scope](markdown/governance/CERG-GOV-AUD-001_Evidence_Quality_Standard.md): Every piece of evidence accepted into the CERG evidence library must answer these questions. If the answer to any required question is "no" or "unknown," the evidence is insufficient for its claimed t
- [CALIBRATION CHECKLIST](markdown/governance/CERG-GOV-CAL-002_Calibration_Checklist.md): This document consolidates every preliminary default in the CERG corpus into a single register. It identifies each parameter, its default value, the calibration inputs required, the calibration method
- [CERG GLOSSARY](markdown/governance/CERG-GOV-GEN-001_CERG_Glossary.md): CERG uses specific terms with specific meanings. "Finding" is not a vulnerability. "Risk" is not a finding. "Exception" is not an exception to risk acceptance. Confusing these terms produces records t
- [CERG SERVICE-LEVEL COMMITMENTS](markdown/governance/CERG-GOV-SLC-001_CERG_Service_Level_Commitments.md): This document corrects the asymmetry. It publishes CERG's reciprocal commitments: for every clock CERG runs against the business, CERG runs a clock against itself. It applies to every CERG engagement
- [CROWN JEWEL REGISTER AND LOSS SCENARIO LIBRARY](markdown/governance/CERG-GOV-CJ-001_Crown_Jewel_Register_and_Scenario_Library.md): This document adds the top-down layer. It does two things:
- [EDGE REGISTER](markdown/governance/CERG-GOV-EDG-001_Edge_Register.md): For twenty years, "the organizational edge" meant the firewall. You knew what was inside and what was outside, and security's job was to harden the perimeter.
- [FRAMEWORK SYSTEM MAP](markdown/governance/CERG-GOV-FRM-002_Framework_System_Map.md): CERG is intentionally complete. That completeness can make the first hour difficult for a new reader. This document is the map.
- [ROLE READER PATHS](markdown/governance/CERG-GOV-IMP-007_Role_Reader_Paths.md): CERG is intentionally complete. That completeness can make the first hour difficult for a new reader. This document is the antidote.
- [STAKEHOLDER PERCEPTION SURVEY](markdown/templates/CERG-TMPL-GOV-001_Stakeholder_Perception_Survey.md): This is a cultural claim that requires evidence. An assessor cannot verify stakeholder perception without a measurement instrument. This survey template provides the instrument, the administration cad
- [The CERG Framework](markdown/governance/CERG-GOV-FRM-001_CERG_Framework.md): Most cybersecurity work, outside of Security Awareness and Incident Response, falls naturally into one of three activities:

### Standards

- [ACCESS MANAGEMENT STANDARD](markdown/standards/CERG-STD-AC-001_Access_Management_Standard.md): The organization recognizes the following identity classes. Controls in this standard apply to all classes; specific provisions are noted where they differ.
- [ARTIFICIAL INTELLIGENCE SECURITY STANDARD](markdown/standards/CERG-STD-AI-001_Artificial_Intelligence_Security_Standard.md): CERG governs three categories of AI use. The requirements differ by category.
- [ASSET MANAGEMENT AND INVENTORY STANDARD](markdown/standards/CERG-STD-AM-001_Asset_Management_and_Inventory_Standard.md): It applies to every in-scope asset across every environment: owned hardware, cloud and hybrid infrastructure, SaaS, operational technology, and the data assets the rest of the estate exists to serve.
- [CRYPTOGRAPHY AND KEY MANAGEMENT STANDARD](markdown/standards/CERG-STD-CR-001_Cryptography_and_Key_Management_Standard.md): It applies to every in-scope asset, every credential and secret used by CERG-managed systems, and every cryptographic use case, data at rest, data in transit, signing, integrity, authentication, and k
- [CUI HANDLING STANDARD](markdown/standards/CERG-STD-CUI-001_CUI_Handling_Standard.md): The three CERG pillars operate in CUI environments with the same structure as elsewhere, with adaptations for contractual compliance evidence.
- [CYBER RESILIENCE AND BACKUP STANDARD](markdown/standards/CERG-STD-RES-001_Cyber_Resilience_and_Backup_Standard.md): This standard closes that gap. It applies to every in-scope asset that has data, configuration, or workload state worth recovering.
- [DATA GOVERNANCE AND CLASSIFICATION STANDARD](markdown/standards/CERG-STD-DG-001_Data_Governance_and_Classification_Standard.md): This standard establishes the general data governance framework for CERG: the classification scheme, how data is classified and labeled, the handling requirements each classification carries, the data
- [EMAIL AND MESSAGING SECURITY STANDARD](markdown/standards/CERG-STD-MSG-001_Email_and_Messaging_Security_Standard.md): The organization's email domains, including domains that are owned but not used to send mail, are configured with the three standard email authentication mechanisms.
- [ENDPOINT AND MOBILE SECURITY STANDARD](markdown/standards/CERG-STD-EP-001_Endpoint_and_Mobile_Security_Standard.md): It applies to every endpoint and mobile device that accesses in-scope resources: owned workstations and laptops, corporate mobile devices, and personally owned devices used under the bring-your-own-de
- [GRID & CONTROL SYSTEMS CYBERSECURITY STANDARD](markdown/standards/CERG-STD-OT-001_Grid_Control_Systems_Security_Standard.md): The three CERG pillars operate in grid and control system environments with the same structure as enterprise IT, with operational adaptations that reflect the unique risk profile of OT.
- [IT (HOSTED, CLOUD, AND SaaS) SECURITY STANDARD](markdown/standards/CERG-STD-IT-001_IT_Cloud_SaaS_Security_Standard.md): The three CERG pillars operate across all hosted and cloud estates with the same structure as on-premises IT, with adaptations that reflect the operating model of each environment.
- [LOGGING, MONITORING, AND DETECTION STANDARD](markdown/standards/CERG-STD-LM-001_Logging_Monitoring_and_Detection_Standard.md): Onboarding follows a fixed checklist. The output is a SIEM Onboarding Record per environment.
- [NETWORK SECURITY AND SEGMENTATION STANDARD](markdown/standards/CERG-STD-NET-001_Network_Security_and_Segmentation_Standard.md): The network is where an intruder moves. A foothold on one system becomes a breach of the estate only if the network lets the intruder travel. The IT, OT, and Access standards each impose network-adjac
- [SECURE CONFIGURATION BASELINE STANDARD: DISH](markdown/standards/CERG-STD-CFG-001_Secure_Configuration_Baseline_Standard_DISH.md): DISH is the CERG-native, IT-and-OT-spanning hardening scan profile. It is implemented in the vulnerability scanning platform as a custom scan template that aggregates the requirements below.
- [SECURE SOFTWARE DEVELOPMENT AND APPLICATION SECURITY STANDARD](markdown/standards/CERG-STD-SDL-001_Secure_Software_Development_and_Application_Security_Standard.md): Six principles govern secure development in CERG.

### Procedures

- [ACCESS MANAGEMENT RUNBOOK](markdown/procedures/CERG-PRC-AC-002_Access_Management_Runbook.md): The runbook covers every identity in the environment: human (employee, contractor), machine (system, service, agent), and vendor / third-party.
- [ADVERSARIAL VALIDATION PROCEDURE](markdown/procedures/CERG-PRC-AV-001_Adversarial_Validation_Procedure.md): When adversarial validation is conducted by an external firm rather than internal staff, the following requirements apply.
- [ARCHITECTURE REVIEW AND PROJECT INTAKE PROCEDURE](markdown/procedures/CERG-PRC-AR-001_Architecture_Review_and_Project_Intake_Procedure.md): CERG engagement with a project follows five phases. Not every project hits every phase; Section 4 names the carve-outs.
- [AUDIT AND EVIDENCE MANAGEMENT PROCEDURE](markdown/procedures/CERG-PRC-AUD-001_Audit_and_Evidence_Management_Procedure.md): The Evidence Librarian maintains the evidence library. The exact platform may vary by adopting organization, but the structure is fixed.
- [EXPOSURE MANAGEMENT PROCEDURE](markdown/procedures/CERG-PRC-VM-001_Exposure_Management_Procedure.md): This procedure establishes CERG's exposure management program — the discipline of understanding which weaknesses actually threaten the organization, not which ones a scanner reports.
- [INCIDENT RESPONSE PLAYBOOK SET](markdown/procedures/CERG-PRC-IR-002_Incident_Response_Playbook_Set.md): This is not a SOC procedure, forensics manual, or replacement Incident Response Plan. It is a support and handoff playbook set for CERG-managed systems and controls.
- [LESSONS LEARNED AND PROGRAM IMPROVEMENT PROCEDURE](markdown/procedures/CERG-PRC-LL-001_Lessons_Learned_and_Program_Improvement_Procedure.md): Principle 1 states "Every significant event produces a lesson." A "significant event" is defined as any event that meets one or more of the following criteria:
- [RISK REGISTER AND EXCEPTION PROCESS](markdown/procedures/CERG-PRC-RM-001_Risk_Register_and_Exception_Process.md): The organization's risk appetite defines the amount and type of risk the organization is willing to accept in pursuit of its objectives. Without a stated appetite, "accept" decisions lack an objective
- [SECURITY CHANGE MANAGEMENT PROCEDURE](markdown/procedures/CERG-PRC-CHG-001_Security_Change_Management_Procedure.md): A change is security-relevant if it creates, removes, weakens, bypasses, or materially alters a security control, trust boundary, privileged access path, sensitive data path, or regulated system.
- [THIRD-PARTY AND SUPPLY CHAIN RISK PROCEDURE](markdown/procedures/CERG-PRC-TPRM-001_Third_Party_and_Supply_Chain_Risk_Procedure.md): CERG uses a 5-tier vendor model that maps to the typical enterprise model. Business rating sets the baseline; CERG adjusts only via Section 4.
- [THREAT INTELLIGENCE PROCEDURE](markdown/procedures/CERG-PRC-TI-001_Threat_Intelligence_Procedure.md): This procedure applies to all threat intelligence used by CERG to inform exposure management, threat modeling, architecture review, third-party risk, OT risk, detection priorities, and risk-register d
- [THREAT MODELING PROCEDURE](markdown/procedures/CERG-PRC-TM-001_Threat_Modeling_Procedure.md): This procedure applies to every project subject to CERG architecture review, every material change to an in-scope system, and every new or materially changed use of AI, cloud, SaaS, OT, identity, regu

### Operational Packages

- [BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN](markdown/plans/CERG-PLN-BC-001_Business_Continuity_and_Disaster_Recovery_Plan.md): CERG does not replace Enterprise BCP. CERG supplies the cyber, risk, evidence, and control integrity layer that BCP needs.
- [CUI / [CMMC](https://dodcio.defense.gov/CMMC/) OPERATIONAL PACKAGE](markdown/plans/CERG-PLN-CUI-001_CUI_CMMC_Operational_Package.md): It applies to every system, person, and process within the CUI boundary, and to every CUI subcontractor receiving CUI from the organization.
- [INCIDENT RESPONSE PLAN](markdown/plans/CERG-PLN-IR-001_Incident_Response_Plan.md): The CISO is the standing Incident Commander. The CISO may delegate IC authority to a named deputy for a specific incident, with notification to executive leadership. Authority transitions are explicit
- [ISO/IEC 27001 OPERATIONAL PACKAGE](markdown/plans/CERG-PLN-ISO-001_ISO_IEC_27001_Operational_Package.md): This operational package turns the CERG library into an ISO-operable system. It is designed for organizations seeking formal certification, customer-assurance readiness, or disciplined internal operat
- [NERC-CIP OPERATIONAL PACKAGE](markdown/plans/CERG-PLN-CIP-001_NERC_CIP_Operational_Package.md): It applies to every BES Cyber System (Low / Medium / High Impact) and the associated Electronic Access Control / Monitoring Systems (EACMS), Physical Access Control Systems (PACS), and Protected Cyber
- [PRIVACY AND DATA PROTECTION OPERATIONAL PACKAGE](markdown/plans/CERG-PLN-PRIV-001_Privacy_and_Data_Protection_Operational_Package.md): This operational package defines how CERG supports privacy and data protection obligations: privacy data inventory, DPIA support, data subject request support, breach-clock facts, vendor privacy evide
- [SOX ITGC OPERATIONAL PACKAGE](markdown/plans/CERG-PLN-SOX-001_SOX_ITGC_Operational_Package.md): SOX shows up in the policy, the compliance matrix, the IT and Access standards, the risk procedure, and the operating model, but until this package, there was no SOX ITGC control library, no SOX-relev

### Templates

- [AI INTAKE AND SANCTIONING TEMPLATE](markdown/templates/CERG-TMPL-AI-001_AI_Intake_and_Sanctioning_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [AI SYSTEM AND MODEL REGISTER TEMPLATE](markdown/templates/CERG-TMPL-AI-003_AI_System_and_Model_Register_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Register Template](#3-fill-in-register-template) 4. [Review and Maintenance](#4-review-and-mai
- [ARCHITECTURE AND PROJECT INTAKE FORM](markdown/templates/CERG-TMPL-AR-001_Architecture_and_Project_Intake_Form.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [BOARD AND CISO REPORTING DECK TEMPLATE](markdown/templates/CERG-TMPL-MTR-001_Board_and_CISO_Reporting_Deck_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [CONTROL EVIDENCE AND TEST WORKSHEET](markdown/templates/CERG-TMPL-AUD-001_Control_Evidence_and_Test_Worksheet.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [PLAN OF ACTION AND MILESTONES TEMPLATE](markdown/templates/CERG-TMPL-CUI-002_POAM_Template.md): This template creates a Plan of Action and Milestones (POA&M) for security gaps, CMMC / CUI findings, assessment observations, audit findings, and planned control implementations. It is designed to be
- [RISK ACCEPTANCE MEMO TEMPLATE](markdown/templates/CERG-TMPL-RM-003_Risk_Acceptance_Memo_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [RISK ACCEPTANCE REQUEST FORM](markdown/templates/CERG-TMPL-RM-004_Risk_Acceptance_Request_Form.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [RISK REGISTER TEMPLATES AND REPORTING](markdown/templates/CERG-TMPL-RM-001_Risk_Register_Templates_and_Reporting.md): Every risk register entry has a single sentence, the Risk Statement, in this form:
- [SANCTIONED AI TOOLS REGISTER TEMPLATE](markdown/templates/CERG-TMPL-AI-002_Sanctioned_AI_Tools_Register_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Register Template](#3-fill-in-register-template) 4. [Review and Maintenance](#4-review-and-mai
- [SBOM Evidence Collection Checklist](markdown/templates/CERG-TMPL-SBOM-001_SBOM_Evidence_Collection_Checklist.md): Standardizes SBOM evidence collection for vendor-delivered software and internally-built artifacts. Supports CIP-013, CMMC SR.L2, EO 14028, and SOX ITGC evidence requirements.
- [SECURITY EXCEPTION REQUEST FORM](markdown/templates/CERG-TMPL-RM-002_Security_Exception_Request_Form.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C
- [SYSTEM CONTROL PROFILE TEMPLATE](markdown/templates/CERG-TMPL-SCP-001_System_Control_Profile_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [YAML Structure](#3-yaml-structure) 4. [Fill-In Template](#4-fill-in-template) 5. [Review and Approval]
- [SYSTEM SECURITY PLAN TEMPLATE](markdown/templates/CERG-TMPL-CUI-001_System_Security_Plan_Template.md): The SSP explains the system boundary, CUI data flow, implemented security controls, inherited controls, external dependencies, open gaps, and evidence locations. It supports CMMC readiness, federal cu
- [SaaS Evidence Collection Checklist](markdown/templates/CERG-TMPL-SAAS-001_SaaS_Evidence_Collection_Checklist.md): This checklist ensures consistent, auditable evidence collection from Tier 1 and Tier 2 SaaS tenants for compliance (SOX, CMMC, ISO 27001) and CERG internal assurance. Evidence is stored in the CERG e
- [VENDOR SECURITY QUESTIONNAIRE AND TPRM ASSESSMENT TEMPLATE](markdown/templates/CERG-TMPL-TPRM-001_Vendor_Security_Questionnaire_and_Assessment_Template.md): 1. [Purpose and Use](#1-purpose-and-use) 2. [Template Instructions](#2-template-instructions) 3. [Fill-In Template](#3-fill-in-template) 4. [Review and Approval](#4-review-and-approval) 5. [Document C

### Workforce Architecture

- [1. Family Overview](markdown/roles/jf-adjunct/CERG-GOV-JD-ADJUNCT-000_Incident_Response_Family.md): Incident Response (JF-ADJUNCT) — Respond to and investigate cybersecurity incidents.
- [1. Family Overview](markdown/roles/jf-exec/CERG-GOV-JD-EXEC-000_Executive_Leadership_Family.md): Executive Leadership (JF-EXEC) — Set strategy, approve risk, report to board, lead the function.
- [1. Family Overview](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-000_Governance_Compliance_Family.md): Governance & Compliance (JF-GOVCOMP) — Own policy, compliance posture, risk register, and evidence; translate regulation into action.
- [1. Family Overview](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-000_Risk_Operations_Family.md): Risk Operations (JF-RISKOPS) — Maintain continuous visibility into organizational exposure; test controls; drive remediation.
- [1. Family Overview](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-000_Security_Engineering_Family.md): Security Engineering (JF-SECENG) — Design and build secure systems, platforms, and infrastructure.
- [1. Purpose and Scope](markdown/roles/CERG-GOV-JF-001_Job_Families_Overview.md): Use the workforce documents in this order:
- [1. Purpose and Scope](markdown/roles/CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md): This document provides the complete mapping of all 27 canonical CERG roles to NIST NICE Work Roles (NIST SP 800-181r1). It is the authoritative crosswalk for CERG's workforce architecture, enabling:
- [Adversarial Testing Lead](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-002_Adversarial_Testing_Lead.md): Job Family: JF-RISKOPS — Risk Operations · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Adversarial Testing Lead ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_M
- [Application Security Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-004_Application_Security_Engineer.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Application Security Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Opera
- [CMMC / Federal Compliance Manager](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-002_CMMC_Federal_Compliance_Manager.md): Job Family: JF-GOVCOMP — Governance & Compliance · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: CMMC / Federal Compliance Manager ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001
- [Chief Information Security Officer (CISO)](markdown/roles/jf-exec/CERG-GOV-JD-EXEC-001_Chief_Information_Security_Officer.md): Job Family: JF-EXEC — Executive Leadership · Job Level Range: L1-L4 (CERG Grade Executive) · CERG Canonical Role: Chief Information Security Officer (CISO) ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-
- [Cloud Security Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-001_Cloud_Security_Engineer.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Cloud Security Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_M
- [Cryptography Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-006_Cryptography_Engineer.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Cryptography Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Mod
- [Detection Engineer](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-004_Detection_Engineer.md): Job Family: JF-RISKOPS — Risk Operations · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Detection Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.m
- [Endpoint Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-005_Endpoint_Engineer.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Endpoint Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.m
- [Engineering Pillar Leader](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-007_Engineering_Pillar_Leader.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Engineering Pillar Leader ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating
- [Evidence Librarian](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-006_Evidence_Librarian.md): Job Family: JF-GOVCOMP — Governance & Compliance · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Evidence Librarian ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating
- [Executive Sponsor](markdown/roles/jf-exec/CERG-GOV-JD-EXEC-002_Executive_Sponsor.md): Job Family: JF-EXEC — Executive Leadership · Job Level Range: L1-L4 (CERG Grade Executive) · CERG Canonical Role: Executive Sponsor ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model
- [Exposure Management Lead](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-001_Exposure_Management_Lead.md): Job Family: JF-RISKOPS — Risk Operations · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Exposure Management Lead ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_M
- [Governance Pillar Leader](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-007_Governance_Pillar_Leader.md): Job Family: JF-GOVCOMP — Governance & Compliance · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Governance Pillar Leader ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Ope
- [Identity Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-002_Identity_Engineer.md): Job Family: JF-SECENG — Security Engineering · Job Level Range: L1-L4 (CERG Grade S1-S4) · CERG Canonical Role: Identity Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.m
- [Identity Risk Analyst](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-006_Identity_Risk_Analyst.md): Job Family: JF-RISKOPS — Risk Operations · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: Identity Risk Analyst ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Mode
- [Incident Commander](markdown/roles/jf-adjunct/CERG-GOV-JD-ADJUNCT-001_Incident_Commander.md): Job Family: JF-ADJUNCT — Incident Response & Investigation · Job Level Range: L1-L4 (CERG Grade S2-S4/M4) · CERG Canonical Role: Incident Commander ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG
- [Lead Investigator](markdown/roles/jf-adjunct/CERG-GOV-JD-ADJUNCT-002_Lead_Investigator.md): Job Family: JF-ADJUNCT — Incident Response & Investigation · Job Level Range: L1-L4 (CERG Grade S2-S4/M4) · CERG Canonical Role: Lead Investigator ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_
- [NERC-CIP Compliance Manager](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-001_NERC-CIP_Compliance_Manager.md): Job Family: JF-GOVCOMP — Governance & Compliance · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: NERC-CIP Compliance Manager ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_
- [OT Risk Analyst](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-005_OT_Risk_Analyst.md): Job Family: JF-RISKOPS — Risk Operations · Job Level Range: L1-L4 (CERG Grade S1-S4/M3) · CERG Canonical Role: OT Risk Analyst ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md)
- [OT Security Engineer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-003_OT_Security_Engineer.md):
Job Family: JF-SECENG — Security Engineering Job Level Range: L1-L4 (CERG Grade S1-S4) CERG Canonical Role: OT Security Engineer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Mode - [Policy & Standards Manager](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-004_Policy_and_Standards_Manager.md): Job Family: JF-GOVCOMP — Governance & Compliance Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Policy & Standards Manager ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_O - [Pre-production Reviewer](markdown/roles/jf-seceng/CERG-GOV-JD-SECENG-008_Pre-production_Reviewer.md): Job Family: JF-SECENG — Security Engineering Job Level Range: L1-L4 (CERG Grade S1-S4) CERG Canonical Role: Pre-production Reviewer ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_M - [Risk Pillar Leader](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-008_Risk_Pillar_Leader.md): Job Family: JF-RISKOPS — Risk Operations Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Risk Pillar Leader ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.m - [Risk Register Owner](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-005_Risk_Register_Owner.md): Job Family: JF-GOVCOMP — Governance & Compliance Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Risk Register Owner ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operatin - [SOX ITGC Lead](markdown/roles/jf-govcomp/CERG-GOV-JD-GOVCOMP-003_SOX_ITGC_Lead.md): Job Family: JF-GOVCOMP — Governance & Compliance Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: SOX ITGC Lead ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Mode - [Threat Intelligence Analyst](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-003_Threat_Intelligence_Analyst.md): Job Family: JF-RISKOPS — Risk Operations Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Threat Intelligence Analyst 
([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operatin - [Vendor Risk Analyst](markdown/roles/jf-riskops/CERG-GOV-JD-RISKOPS-007_Vendor_Risk_Analyst.md): Job Family: JF-RISKOPS — Risk Operations Job Level Range: L1-L4 (CERG Grade S1-S4/M3) CERG Canonical Role: Vendor Risk Analyst ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model. ### Machine-Readable - [CERG Machine-Readable Artifacts](markdown/machine-readable/README.md): This directory contains machine-readable YAML specifications generated from the CERG corpus. These files are designed for consumption by LLMs, automation tools, and programmatic validation. ### Other - [.github_ISSUE_TEMPLATE_validation-error](markdown/.github/ISSUE_TEMPLATE/validation-error.md): name: Validation / CI error about: Report a CI validation failure or catalog error title: "[VALIDATION] " labels: bug, validation assignees: '' - [Adopt CERG With an Agent](markdown/ADOPT-WITH-AN-AGENT.md): This guide gives humans and AI assistants a safe way to start CERG adoption without turning the full repository into an overwhelming rewrite project. - [Before you submit](markdown/.github/ISSUE_TEMPLATE/document-improvement.md): name: Document improvement about: Suggest a change to an existing CERG document title: "[IMPROVE] " labels: improvement assignees: '' - [Before you submit](markdown/.github/ISSUE_TEMPLATE/new-document-proposal.md): name: New document proposal about: Propose a new CERG document (standard, procedure, template, etc.) title: "[NEW] " labels: new-document assignees: '' - [Beginner Guide to Using CERG](markdown/BEGINNER-GUIDE.md): This guide is for people who are not GitHub users, do not write code, or just want to use CERG without learning developer workflows first. - [CERG (surge) · Cybersecurity Operating Model](markdown/README.md): An operating model for teams that need security to actually run. 
- [CERG Example Profiles](markdown/examples/README.md): Sample organization profiles for different sectors and sizes. Use these as starting points for your [Organization Adaptation Profile](../governance/CERG-GOV-VAR-001_Organization_Adaptation_Profile.md) - [CERG Example: Day in the Life Operational Stories](markdown/examples/day-in-the-life/README.md): These examples show how CERG flows, roles, records, and evidence come together during normal operations. They are not new requirements. They are narrative walkthroughs that help a reader see how exist - [CERG Example: Regulated Utility Profile](markdown/examples/regulated-utility-profile/README.md): This is a sample organization profile for a regulated electrical utility adopting CERG. It is provided as a reference example, not the default. - [CERG Lite Adoption Pack](markdown/adoption-packs/cerg-lite/README.md): CERG Lite is the minimum viable adoption path for a small or early security function. It is designed for teams that need a real operating loop without adopting the full CERG library at once. - [CERG Lite Agent Prompt](markdown/adoption-packs/cerg-lite/agent-prompt.md): Copy this prompt into an AI assistant when starting a small-team CERG adoption. - [CERG Role Descriptions](markdown/roles/README.md): This directory contains per-role job description documents extracted from the monolithic JD-001 file. Each role description follows the Enhanced Role Description Template (§7.2 of the NICE alignment s - [CERG — Guide for AI Agents](markdown/AGENTS.md): This file is loaded automatically by AI agents (Claude Code, Copilot, Codex CLI, Cursor, etc.) to understand the CERG cybersecurity operating model repository and work effectively with it. - [Code of Conduct](markdown/CODE_OF_CONDUCT.md): We pledge to act and interact in ways that contribute to an open, welcoming, diverse, and inclusive community. - [Contributing to CERG](markdown/CONTRIBUTING.md): CERG is open source (CC BY 4.0) and contributions are welcome. 
This document explains how to contribute effectively. - [Policy-as-Code Examples for CERG](markdown/tools/policy-as-code/README.md): This directory contains reference implementations of policy-as-code patterns that map CERG controls to machine-enforceable rules. These examples support the CERG principles described in: - [START HERE · Adopting CERG](markdown/START-HERE.md): You just found CERG. You have a repo full of Markdown. What do you actually do on Monday morning? - [Security](markdown/SECURITY.md): If you find a vulnerability or security concern in the CERG framework itself (not in an organization that uses it), please report it responsibly: - [Story 10: The new CISO's first 90 days](markdown/examples/day-in-the-life/story-10-new-ciso-90-days.md): Priya arrives at 9 a.m. on Monday. Her first meeting is with Jordan at 9:30. By 10 a.m. she has: - [Story 8: CERG Lite - Maria and the Tuesday scanner report](markdown/examples/day-in-the-life/story-8-cerg-lite-maria.md): It is Tuesday at 8:07 a.m. The vulnerability scanner has finished its weekly run against the production subnet, the staging cloud tenant, and the four external IPs. Priya opens the export. There are 4 - [Story 9: F-01 Control Intent - when the regulator changes the rule](markdown/examples/day-in-the-life/story-9-f-01-control-intent.md): The work has to move fast. The CISO's question is: how does CERG absorb a regulatory change without breaking the program?