## PERFORMANCE MANAGEMENT AND PROMOTION FRAMEWORK
### Evaluation Cadence · Calibration · Promotion Process · Documentation Standards

---

| | |
|---|---|
| **Document ID** | CERG-GOV-PERF-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader (Policy & Standards) |
| **Parent Policy** | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Supporting Documents** | [`CERG-GOV-JA-001`](CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) · [`CERG-GOV-CMP-001`](CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) · [`CERG-GOV-JD-001`](CERG-GOV-JD-001_CERG_Job_Descriptions.md) · [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) · [`CERG-GOV-SUCC-001`](CERG-GOV-SUCC-001_Succession_Planning_and_Talent_Review_Framework.md) · [`CERG-GOV-TRN-001`](CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) |
| **Review Cycle** | Annual / On any change to grade definitions or organizational structure |
| **Frameworks** | [NIST CSF 2.0](https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final) (GOVERN) · ISO/IEC 27001 A.7.2 |
| **Regulations** | Cross-cutting |
| **Environments** | Program-wide |

---

## Table of Contents

1. [Purpose and Scope](#1-purpose-and-scope)
2. [Design Principles](#2-design-principles)
3. [Performance Management Cadence](#3-performance-management-cadence)
4. [Evaluation Dimensions](#4-evaluation-dimensions)
5. [The Performance Conversation](#5-the-performance-conversation)
6. [Calibration Process](#6-calibration-process)
7. [Promotion Process](#7-promotion-process)
8. [Performance Improvement Process](#8-performance-improvement-process)
9. [Documentation Standards](#9-documentation-standards)
10. [Integration with Other CERG Instruments](#10-integration-with-other-cerg-instruments)
11. [Document Control](#11-document-control)

---

## 1. Purpose and Scope

The Job Architecture and Grade Framework (CERG-GOV-JA-001) defines the grade structure. The Competency Model (CERG-GOV-CMP-001) defines what good looks like at each grade. What neither defines is the mechanism: how a manager evaluates performance, how often, with what documentation, and how that evaluation leads to a promotion decision that is consistent across pillars.

This document defines that mechanism. It establishes the performance management cadence, the evaluation dimensions, the calibration process that prevents pillar-to-pillar inconsistency, the promotion process from initiation through approval, and the documentation standard that makes every decision defensible. It is designed to be lightweight enough for a 5-person CERG team and rigorous enough for a 60-person organization facing a regulatory audit of its personnel practices.

It applies to every CERG team member, manager, and pillar leader. It does not apply to the CISO, whose performance management is governed by the executive evaluation framework of the organization, or to Adjacent Incident Response roles, which belong to the standing IR team.

> **A Grade Framework Without a Performance Framework Is a Parking Lot**
>
> JA-001 says "progression is earned, not tenured." That sentence is aspirational until there is a defined mechanism for evaluating whether it has been earned, a consistent process for making the judgment, and documentation that survives the departure of the manager who made it. This document is that mechanism.

---

## 2. Design Principles

1. **Evaluate against defined expectations, not against peers.** A person's performance is measured against the grade-level expectations in JA-001 §4-5 and the competency anchors in CMP-001. It is not measured against the highest-performing person at the same grade.

2. **Calibration prevents drift.** Two managers evaluating the same person against the same criteria should reach similar conclusions. The calibration process exists to make that true.

3. **Promotion is a decision, not an event.** A promotion is the conclusion of a sustained demonstration of capability at the next level. It is not a reward for tenure, a retention counter-offer, or a response to an external offer.

4. **Documentation is evidence, not bureaucracy.** The performance record exists so that a decision can be explained to the person, to a calibration panel, to HR, and to a regulator or auditor if challenged. It should be thorough enough to survive those audiences and no longer.

5. **Scales without breaking.** A 5-person CERG with no Managers and a 60-person CERG with a full management hierarchy both use the same framework. The forms are the same; the number of people in the calibration room changes.

---

## 3. Performance Management Cadence

### 3.1 The Annual Cycle

CERG performance management runs on a semi-annual cycle aligned to the CERG operating rhythm. This is twice as frequent as typical corporate annual review cycles because cybersecurity team members operate in a field where six months is a material span: a Detection Engineer can demonstrate a full cycle of rule authorship, tuning, and measurement in that time; a Cloud Security Engineer can take several projects from intake to go-live.

| Event | Timing | Participants | Output |
|---|---|---|---|
| **Mid-Year Review** | June (aligns with Q2 CISO Risk & Posture Review) | Manager + team member | Mid-year performance summary; development plan update |
| **Year-End Review** | December (aligns with Q4 CISO Risk & Posture Review) | Manager + team member | Annual performance summary; promotion nomination if applicable |
| **Calibration Session** | Within 2 weeks of year-end reviews | Pillar leaders + CISO | Calibrated performance ratings; approved promotion slate |
| **Promotion Decisions** | Within 4 weeks of calibration | CISO (final approval) | Promotion announcements effective Q1 |

> **Align to the Existing Cadence, Do Not Add Meetings**
>
> The mid-year and year-end reviews use the existing CISO Risk & Posture Review as an anchor point. The CERG Leadership Sync (weekly) is the forum for raising performance concerns between cycles. Do not create a new standing meeting for performance management; integrate it into the meetings that already exist.

### 3.2 Quarterly Check-Ins

Between formal reviews, managers conduct quarterly check-ins with each direct report. These are 30-minute conversations, not formal evaluations. The agenda:

1. What has gone well since the last check-in?
2. What is blocked or unclear?
3. What development activity has been completed?
4. Is there anything the person wants to flag that has not come up in regular 1:1s?

The manager records one to three sentences per check-in in the performance record. The purpose is continuity: the year-end review should summarize a year of documented observations, not reconstruct a year from memory.

### 3.3 Ongoing Feedback

Performance feedback should never be a surprise at review time. A manager who waits six months to tell someone their work is not meeting expectations has failed at the most basic responsibility of people leadership. Significant feedback, positive or corrective, should be delivered within days of the observation and documented in the performance record.

> **The "No Surprises" Rule**
>
> If a person reads something in their year-end review that they have not heard before, the performance management system has failed regardless of whether the review is accurate. The review is a summary of a year of documented conversations, not the first conversation.

---

## 4. Evaluation Dimensions


> **Per-Role Evaluation Criteria**: Each role's evaluation criteria are now embedded in its per-role JD document under `roles/`. The dimensions below define the evaluation framework; the per-role documents define the role-specific expectations at each grade. See [JD-001](CERG-GOV-JD-001_CERG_Job_Descriptions.md) for the complete per-role index.

### 4.1 SME Track Dimensions

SME performance is evaluated along six dimensions. The first five align to the grade-level definitions in JA-001 §4 and §6. The sixth (Outcomes) grounds the evaluation in what the person actually delivered.

| Dimension | What It Measures | Source |
|---|---|---|
| **Craft Mastery** | Depth and breadth of technical or domain expertise relative to grade expectations | CMP-001 §4-6, Technical Depth domains |
| **Scope and Autonomy** | Breadth of owned work and degree of self-direction | JA-001 §4 grade definitions |
| **Influence and Mentorship** | Impact on others without formal authority | CMP-001 §4-6, Influence and Mentorship domains |
| **Cross-Pillar Fluency** | Understanding of and collaboration with other pillars | CMP-001 §4-6, Cross-Pillar Fluency domains |
| **Operational Discipline** | Consistency, documentation, SLA adherence, evidence quality | CMP-001 §4-6, Operational Discipline domains |
| **Outcomes** | What the person delivered against their objectives in the review period | JD-001 success profiles; role-specific objectives |

### 4.2 Management Track Dimensions

Management performance adds three dimensions to the SME evaluation. A Manager is evaluated on their SME-family competencies at S2 or above plus the management dimensions below.

| Dimension | What It Measures | Source |
|---|---|---|
| **People Leadership** | Quality of hiring, development, feedback, and retention | CMP-001 §7.1; JA-001 §5 grade definitions |
| **Team Delivery** | The team's output against objectives, not the manager's personal output | JA-001 §5 operational accountability definitions |
| **Strategic Contribution** | Quality of strategy, resource planning, and stakeholder management | CMP-001 §7.2-7.5 |

### 4.3 Rating Scale

CERG uses a four-point rating scale. The scale is deliberately simple: more gradations create more arguments about the difference between a 3 and a 4 than insight about the person.

| Rating | Definition | Promotion Implication |
|---|---|---|
| **Exceeds Expectations** | Consistently demonstrates capabilities at the next grade in multiple dimensions. Delivers outcomes that materially exceed the role's stated objectives. | Strong promotion candidate. Next-grade behavior is observable and documented. |
| **Meets Expectations** | Consistently demonstrates at-grade capabilities. Delivers against role objectives. Most team members in good standing receive this rating. | Not a promotion candidate this cycle. May be developing toward promotion with targeted growth in specific dimensions. |
| **Developing** | Demonstrates most at-grade capabilities but has material gaps in one or more dimensions. New-to-role team members typically receive this rating for their first cycle. | Not a promotion candidate. Development plan should target the gap dimensions. |
| **Below Expectations** | Does not meet at-grade expectations in multiple dimensions despite feedback and support. | Performance improvement process initiated (see §8). Not eligible for promotion. |

> **Most People Are "Meets Expectations"**
>
> "Meets Expectations" is not a consolation prize. A Cloud Security Engineer who consistently delivers secure architectures, meets their SLAs, mentors junior engineers, and contributes to cross-pillar working groups is meeting expectations at a high bar. "Exceeds" is reserved for people who are observably operating at the next grade. If everyone is "Exceeds," the rating scale has collapsed and the calibration session needs to reset it.

---

## 5. The Performance Conversation

### 5.1 Preparation

Before the review conversation, the manager prepares a written performance summary using the documentation standard in §9. The summary addresses each evaluation dimension with specific, dated examples. It does not rely on adjectives ("great communicator") without evidence ("presented the cloud security posture review to the CIO in October; the CIO followed up with a specific question answered in the deck, indicating understanding").

The team member prepares a self-assessment using the same dimensions. The manager reads the self-assessment before the conversation. Disagreements between the self-assessment and the manager's assessment are not problems to be resolved in the room; they are signals that evidence needs to be examined together.

### 5.2 The Conversation

The performance conversation follows a structured agenda:

1. **Review the period.** What were the person's stated objectives? What changed?
2. **Walk through each dimension.** For each: the manager's assessment with evidence, the team member's perspective, discussion of any gap between the two.
3. **Discuss the overall rating.** Explain the rationale. If it is not what the person expected, spend the time to ensure they understand why before moving on.
4. **Look forward.** Development priorities for the next period. If promotion is a goal, what specific demonstrations are needed? By when?
5. **The person speaks last.** After the manager has presented the assessment and the forward plan, the person has uninterrupted time to respond, ask questions, or raise concerns.

### 5.3 After the Conversation

The manager finalizes the written summary, incorporating any adjustments from the conversation (a fact the person raised that the manager had not considered, a disagreement the manager committed to investigate). The final summary is shared with the team member and stored in the performance record. Both the manager and the team member acknowledge receipt; acknowledgment is not necessarily agreement.

---

## 6. Calibration Process

Calibration is the mechanism that prevents the single biggest failure mode of any performance system: two managers applying different standards, producing ratings that reflect the manager's leniency rather than the person's performance.

### 6.1 Calibration Session

Within two weeks of year-end reviews, pillar leaders convene a calibration session with the CISO. In a small CERG (fewer than 10 people), the session is all-hands with the CISO facilitating. In a larger CERG, it is pillar leaders plus the CISO, with Managers presenting their teams' ratings.

The session proceeds role by role, not person by person. For each role (e.g., Cloud Security Engineer, Vendor Risk Analyst):

1. Every person in that role is listed by pillar, grade, and proposed rating.
2. The managers present the evidence for any "Exceeds" or "Below Expectations" rating.
3. The group discusses: does the evidence support the rating relative to the other people in the same role at the same grade?
4. Ratings may be adjusted by consensus. A rating adjusted downward is not a failure of the manager; it is the calibration process working as designed.

> **Calibrate Against the Standard, Not the Curve**
>
> The goal is not to produce a bell curve. If every Cloud Security Engineer is demonstrably exceeding expectations, the standard may be too low for the grade, or the team may be genuinely exceptional. Either conclusion is more honest than forcing a distribution. The test is: can the manager point to specific behaviors at the next-grade level for every "Exceeds" rating?

### 6.2 Calibration Principles

1. **Evidence rules.** A rating without dated, specific evidence is not a rating; it is an opinion. Opinions are not calibrated.
2. **Cross-pillar perspective matters.** An Engineering manager who has never seen a Governance person's work cannot calibrate an Engineering rating. The calibration session brings cross-pillar visibility: a Risk pillar leader may recognize that an Engineer's "Exceeds" rating in Cross-Pillar Fluency is actually standard behavior for the grade.
3. **The CISO is the tiebreaker.** If the calibration group cannot reach consensus on a rating, the CISO decides. The CISO's decision is final and documented with rationale.
4. **Calibration is about ratings, not compensation.** Compensation decisions follow after ratings are calibrated, not during calibration. Mixing the two conversations produces ratings that are negotiated to fit within budget rather than honest assessments of performance.

---

## 7. Promotion Process


> **Level Progression Gates**: The job-family-specific level progression gates (L1→L2, L2→L3, L3→L4) are defined in [JF-001 §8](../roles/CERG-GOV-JF-001_Job_Families_Overview.md). Promotion cases should demonstrate satisfaction of the relevant gate conditions in addition to the grade criteria defined in JA-001.

### 7.1 Initiation

A promotion case may be initiated by:

1. **The manager**, who has observed sustained next-grade performance and documented it over at least one review cycle.
2. **The team member**, who may request that their manager initiate a promotion review. The manager is not obligated to agree but must provide a written rationale if they decline, identifying the specific dimensions where next-grade performance is not yet demonstrated.
3. **A pillar leader or the CISO**, who may direct a manager to evaluate a team member for promotion based on their own observation.

### 7.2 The Promotion Case

The manager prepares a promotion case document addressing:

1. **Current grade and target grade.**
2. **Evidence by dimension.** For each of the six SME dimensions (or nine management dimensions): specific examples of next-grade behavior with dates and context. The evidence should span at least six months and include both routine excellence (consistent at-grade performance) and stretch demonstrations (next-grade behavior).
3. **Cross-pillar input.** At least one person from a different pillar who has worked with the candidate provides a written perspective. This is not a reference check; it is a specific observation of the candidate's cross-pillar engagement.
4. **Development plan for remaining gaps.** Honest acknowledgment of dimensions where the candidate is not yet demonstrating next-grade behavior and how they will develop those capabilities in the new grade.

### 7.3 Approval

The promotion case is presented at the calibration session following the year-end review. The approval sequence:

1. **Manager presents** the promotion case to the calibration group.
2. **Calibration group discusses** whether the evidence supports the case. The discussion follows the same calibration principles as ratings: evidence, cross-pillar perspective, and the standard for the target grade.
3. **Pillar leader concurs or defers.** If the pillar leader concurs, the case proceeds to the CISO. If the pillar leader defers, the case is returned with specific feedback on what additional evidence is needed.
4. **CISO approves or defers.** The CISO makes the final decision. A deferral includes written rationale that the manager and the candidate can act on for the next cycle.

> **The Promotion Standard**
>
> The question is not "is this person ready to try the next grade?" It is "has this person already demonstrated sustained performance at the next grade?" The first question promotes people into roles they grow into, sometimes successfully, sometimes at the team's expense. The second question promotes people who have already proven they can do the work. CERG uses the second question.

### 7.4 Time-in-Grade Expectations

JA-001 defines "typical experience" ranges for each grade. These are inputs to placement, not guarantees of progression. That said, the following minimum time-in-grade guidelines ensure that a promotion case has sufficient evidence:

| Current Grade | Minimum Time Before Promotion Eligibility | Rationale |
|---|---|---|
| S1 / Specialist | 18 months | A full performance cycle plus a development cycle to demonstrate growth |
| S2 / Sr. Specialist | 24 months | Next-grade behavior at S3 requires cross-pillar demonstration, which takes time to develop |
| S3 / Advisor | 30 months | S4 is the narrowest gate in the SME track; requires organizational-level impact |
| M1 / Manager | 24 months | Requires demonstrated team development and function-level outcomes |
| M2 / Senior Manager | 30 months | Requires multi-team leadership and strategic contribution |
| M3 / Principal Manager | 30 months | Director is the narrowest gate in the management track |

Exceptional candidates with extraordinary demonstrated capability may be considered before the minimum. "My last company promoted me faster" is not extraordinary capability. "This person rebuilt our cloud security architecture, mentored three engineers to promotion, and is recognized by our regulators as an authority" may be.

### 7.5 Promotion Panel Composition

Every promotion case is reviewed by a cross-pillar promotion panel that ensures fairness, consistency, and breadth of perspective.

| **Panel Role** | **Who** | **Purpose** |
|---|---|---|
| **Panel Chair** | Pillar leader of the candidate's pillar | Chairs the session; ensures process fairness; presents the promotion case |
| **Cross-Pillar Reviewer** | A pillar leader from a different pillar than the candidate's | Provides independent perspective on cross-pillar competency and organizational impact |
| **Subject Matter Expert** | A senior practitioner (S3+) in the candidate's discipline, from any pillar | Assesses craft-mastery evidence against the target grade's CMP-001 behavioral anchors |
| **HR Business Partner** | HR representative | Ensures process compliance, equity, and documentation standards |
| **CISO** | Chief Information Security Officer | Final approval authority; attends or receives written recommendation for decisions at S3+ |

The panel must include at least three voting members. The cross-pillar reviewer and the SME must not be the same person. No panel member may evaluate a candidate they directly manage (to prevent conflict of interest), except the panel chair, whose role is to present, not to evaluate in isolation.

### 7.6 Promotion Timeline and Communication

The promotion cycle follows a defined calendar aligned to the performance management cadence:

| **Date** | **Activity** | **Owner** |
|---|---|---|
| 6 weeks before calibration | Manager initiates promotion case; begins evidence collection | Manager |
| 4 weeks before calibration | Cross-pillar input solicited and received | Manager |
| 2 weeks before calibration | Promotion case document finalized; submitted to panel chair | Manager |
| Calibration session (per §6) | Promotion case presented and evaluated at calibration | Panel Chair |
| Within 1 week of calibration | CISO approves or defers; written rationale provided for deferrals | CISO |
| Within 2 weeks of approval | Promotion announced to candidate; new grade effective date set | Manager + HR |
| Within 1 week of announcement | Team/squad notified by manager; broader team notified by pillar leader | Manager / Pillar Leader |

**Communication principles:**

1. **The candidate hears first, before any other team member.** No one learns of a promotion from a colleague before the candidate hears it from their manager.
2. **Deferred promotions include a development plan.** A deferral is not a denial. It identifies specific competency gaps and the timeline and resources to close them. The candidate and manager agree on a development plan within 2 weeks of the deferral.
3. **Communicated promotions are celebrated.** The promotion is announced at the next CERG All-Hands or pillar meeting. The announcement includes what the candidate accomplished to earn the promotion, reinforcing the standard for others.
4. **External communication is coordinated.** If the promotion is part of a broader organizational announcement (e.g., pillar leader hire), coordinate with HR and Communications per organizational policy.

---

## 8. Performance Improvement Process

A "Below Expectations" rating triggers the performance improvement process. This is not punitive; it is a structured attempt to close the gap. It is also a documentation trail that supports a separation decision if the gap does not close.

### 8.1 Performance Improvement Plan (PIP)

Within two weeks of a "Below Expectations" rating, the manager and the team member agree on a Performance Improvement Plan:

1. **Specific dimensions** where performance does not meet expectations, with examples.
2. **Specific, measurable improvement targets** for each dimension, with a timeline (typically 60-90 days).
3. **Support the organization will provide**: training, mentoring, reduced scope, or other resources.
4. **Check-in cadence**: typically weekly, with written progress notes.
5. **Outcomes**: success (rating moves to "Meets Expectations" or "Developing"), extension (progress but targets not met; PIP extended by 30-60 days), or separation (targets not met and no credible path to meeting them).

### 8.2 PIP Principles

1. **The PIP is not a surprise.** A person who receives a "Below Expectations" rating should have received feedback on the performance gap throughout the review period. The PIP is a formalization of an ongoing conversation, not the start of one.
2. **The PIP is written, not verbal.** Both parties sign it. It is stored in the performance record.
3. **HR is informed at initiation, not at separation.** HR should know a PIP exists from day one, not day ninety.
4. **Success is celebrated, not held against the person.** A person who completes a PIP successfully and sustains the improvement is not "the person who was on a PIP." The PIP closes and the record reflects the improved performance.

---

## 9. Documentation Standards

### 9.1 The Performance Record

Every CERG team member has a performance record maintained by their manager. The record contains:

| Document | Frequency | Content |
|---|---|---|
| **Performance Summary** | Semi-annual | Evaluation per §4 dimensions, overall rating, forward development priorities |
| **Quarterly Check-In Notes** | Quarterly | 1-3 sentences capturing the check-in discussion |
| **Significant Feedback Notes** | As needed | Dated notes on significant positive or corrective feedback |
| **Self-Assessments** | Semi-annual | Team member's self-evaluation against the same dimensions |
| **Development Plan** | Annual (updated semi-annually) | Development priorities, actions, and timeline |
| **Promotion Case** | As applicable | Full promotion case document per §7.2 |
| **PIP Documents** | As applicable | PIP, weekly check-in notes, outcome determination |

### 9.2 The Performance Summary Format

The semi-annual performance summary follows a consistent structure designed to be thorough and concise:

**Team Member:** [Name]
**Role:** [Canonical role from OM-001 §6.1]
**Grade:** [Current grade]
**Review Period:** [Mid-Year YYYY / Year-End YYYY]
**Manager:** [Name]

**Outcomes Delivered:**
[Bulleted list of 3-7 significant outcomes delivered in the period. Each outcome is specific: what was delivered, on what timeline, with what impact. "Improved cloud security posture" is not an outcome. "Reduced CSPM critical alerts from 47 to 3 across 120 AWS accounts through policy-as-code and engineering-team enablement (March-October)" is an outcome.]

**Dimension Assessment:**

- **Craft Mastery:** [Evidence-based assessment with examples]
- **Scope and Autonomy:** [Evidence-based assessment with examples]
- **Influence and Mentorship:** [Evidence-based assessment with examples]
- **Cross-Pillar Fluency:** [Evidence-based assessment with examples]
- **Operational Discipline:** [Evidence-based assessment with examples]

*For management-track roles, add:*
- **People Leadership:** [Evidence-based assessment with examples]
- **Team Delivery:** [Evidence-based assessment with examples]
- **Strategic Contribution:** [Evidence-based assessment with examples]

**Overall Rating:** [Exceeds / Meets / Developing / Below Expectations]

**Forward Development Priorities:**
[2-4 specific development actions for the next period. Each action has a target dimension, a concrete activity, and a timeline.]

### 9.3 Storage and Access

Performance records are stored in the organization's HR system of record. If the organization does not have an HR system that supports structured performance documentation, records are maintained as documents in a controlled access location (e.g., a restricted SharePoint folder, a secure HR drive). Access is limited to:

- The team member (their own record)
- Their manager
- Their manager's manager (pillar leader or above)
- The CISO
- HR business partner
- Legal, when relevant to employment actions

Performance records are retained per the organization's record retention policy, typically for the duration of employment plus a defined post-employment period.

---

## 10. Integration with Other CERG Instruments

### 10.1 Competency Model (CMP-001)

The performance review dimensions map directly to CMP-001 competency domains. The CMP-001 behavioral anchors provide the "what good looks like" reference for each dimension at each grade. A manager evaluating a Detection Engineer at S2 should have CMP-001 §5 open and reference specific anchors.

### 10.2 Job Architecture (JA-001)

The JA-001 grade definitions (§4-5) and leveling dimensions (§6) are the authoritative source for what each grade expects. This document operationalizes those expectations into a recurring process. Where this document and JA-001 conflict, JA-001 governs.

### 10.3 Succession Planning (SUCC-001)

The talent review process in CERG-GOV-SUCC-001 consumes calibrated performance ratings and promotion decisions as its primary input. Succession planning cannot begin until at least one performance cycle has produced calibrated ratings.

### 10.4 Training and Certification (TRN-001)

Development plans produced through this process inform individual training needs. The CERG-GOV-TRN-001 training curriculum is the primary resource for closing competency gaps identified in performance reviews.

---

## 11. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-PERF-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-05-27 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader (Policy & Standards) |
| **Approved By** | CISO |
| **Parent Policy** | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual; and on any change to grade definitions or organizational structure |
| **Next Scheduled Review** | 2027-05-27 |
| **Frameworks** | NIST CSF 2.0 (GOVERN); ISO/IEC 27001 A.7.2 |
| **Regulations** | Cross-cutting |
| **Environments** | Program-wide |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 Draft | 2026-05-27 | Cyber Governance | Initial release. Establishes semi-annual performance management cadence aligned to CERG operating rhythm. Defines six SME and three management evaluation dimensions mapped to JA-001 and CMP-001. Establishes calibration process with evidence-based ratings. Defines promotion process from initiation through CISO approval. Provides documentation standards and performance improvement process. |

### Review Triggers

- Change to the grade definitions in CERG-GOV-JA-001
- Feedback from calibration sessions indicating dimensions or ratings need refinement
- Material change to organizational structure or management hierarchy
- Regulatory requirement for personnel evaluation documentation
- Direction from the CISO

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Cybersecurity Policy | [`CERG-POL-001`](CERG-POL-001_Cybersecurity_Policy.md) | Parent policy |
| Job Architecture and Grade Framework | [`CERG-GOV-JA-001`](CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) | Grade definitions and progression dimensions |
| Competency Model | [`CERG-GOV-CMP-001`](CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) | Behavioral anchors for evaluation dimensions |
| CERG Job Descriptions | [`CERG-GOV-JD-001`](CERG-GOV-JD-001_CERG_Job_Descriptions.md) | Success profiles and role-specific outcomes |
| CERG Operating Model | [`CERG-GOV-OM-001`](CERG-GOV-OM-001_CERG_Operating_Model.md) | Canonical role roster |
| Succession Planning Framework | [`CERG-GOV-SUCC-001`](CERG-GOV-SUCC-001_Succession_Planning_and_Talent_Review_Framework.md) | Consumes calibrated ratings |
| Training Framework | [`CERG-GOV-TRN-001`](CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) | Development resource for gap closure |
| Document Catalog | [`CERG-GOV-CAT-001`](CERG-GOV-CAT-001_Document_Catalog_and_Naming_Convention.md) | Registers this artifact |

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining CISO endorsement for all changes.
