# CERG Lite Adoption Pack

CERG Lite is the minimum viable adoption path for a small or early security function. It is designed for teams that need a real operating loop without adopting the full CERG library at once.

## 1. Who should use this pack

Use CERG Lite if:

- The security team has roughly 2 to 8 active participants.
- Security ownership exists, even if part time.
- Leadership supports documented guardrails, risk decisions, and evidence.
- The organization can name its core systems, owners, and regulatory concerns.

If there is only one security person, use CERG as a planning reference until there is an executive sponsor and an independent approver for High or Critical risk decisions.

## 2. What to adopt first

Adopt only the MVC spine first:

1. [Cybersecurity Policy](../../governance/CERG-POL-001_Cybersecurity_Policy.md)
2. [CERG Framework](../../governance/CERG-GOV-FRM-001_CERG_Framework.md)
3. [Operating Model](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md)
4. [Document Catalog](../../governance/CERG-GOV-CAT-001_Document_Catalog_and_Naming_Convention.md)
5. [Risk Management Framework](../../governance/CERG-GOV-RMF-001_Risk_Management_Framework.md)
6. [Risk Register and Exception Process](../../procedures/CERG-PRC-RM-001_Risk_Register_and_Exception_Process.md)
7. [Risk Register Templates](../../templates/CERG-TMPL-RM-001_Risk_Register_Templates_and_Reporting.md)
8. [Exposure Management Procedure](../../procedures/CERG-PRC-VM-001_Exposure_Management_Procedure.md)

Use the [Organization Adaptation Profile](../../governance/CERG-GOV-VAR-001_Organization_Adaptation_Profile.md), [Small Team Adoption Path](../../governance/CERG-GOV-IMP-003_Small_Team_Adoption_Path.md), and [Role-Based Implementation Checklists](../../governance/CERG-GOV-IMP-006_Role_Based_Implementation_Checklists.md) as aids, not extra first-week obligations.

## 3. First 48 hours

1. Confirm the executive sponsor and the security owner.
2. Select CERG Lite and document why.
3. Complete a draft of the Organization Adaptation Profile.
4. Assign consolidated roles for Engineering, Risk, and Governance accountabilities.
5. Create the first risk register entry.
6. Create the first exposure backlog item.
7. Decide where records will live.
8. Schedule the first monthly risk and exposure review.

## 4. First 30 days

| Week | Outcome |
|---|---|
| Week 1 | Scope, owners, record locations, first risk, first exposure item |
| Week 2 | Risk register cadence, exception path, initial asset/source inventory |
| Week 3 | First exposure management cycle and remediation ownership |
| Week 4 | First evidence review, deferral list, and next adoption decision |

## 5. Safe deferrals

These are normally safe to defer during the first 30 days:

- Most standards, unless an immediate environment or regulator requires them.
- Detailed job descriptions.
- Workforce planning, succession, and performance frameworks.
- Regulated operational packages unless CMMC, NERC-CIP, SOX, ISO, privacy, OT, or CUI scope applies.
- Advanced machine-readable schemas.

Do not defer the risk register, exception process, owner assignment, or exposure management loop.

## 6. Files in this pack

- `README.md`: human adoption guide.
- `document-list.yaml`: structured MVC and helper document list.
- `agent-prompt.md`: copy/paste prompt for agent-assisted adoption.

## 7. Success test

CERG Lite is working when the team can show:

- Named owners for the three pillars, even if consolidated.
- A current risk register.
- A current exposure backlog.
- A documented exception or risk acceptance path.
- Evidence that at least one exposure cycle was run.
- A deferral list explaining what is not yet adopted and why.
