Security specialty

Compliance Governance

Browse every cataloged workflow for compliance governance, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

9 skills

cybersecuritySkill

Achieving CMMC Level 2 Compliance

Prepare a defense-contractor environment for CMMC Level 2 certification: scope CUI and FCI, implement the 110 NIST SP 800-171 Rev 2 security requirements across 14 families, compute the SPRS score with the DoD Assessment Methodology, manage a compliant POA&M, and ready the organization for a C3PAO assessment. Use when an organization handles Controlled Unclassified Information (CUI) under a DoD contract, when a contract carries DFARS clause 252.204-7012/7019/7020/7021, when preparing for or responding to a CMMC assessment, when computing or improving an SPRS score, when building a System Security Plan or POA&M for 800-171, or when scoping which systems are in the CUI boundary. Keywords: CMMC, CMMC Level 2, NIST 800-171, SP 800-171 Rev 2, CUI, FCI, SPRS, DFARS 7012, C3PAO, POA&M, System Security Plan, DoD Assessment Methodology, 110 controls, defense industrial base, DIB, FedRAMP equivalency.

Compliance Governance
c3paocmmccompliancecui+6
ATT&CK, 5 mappingsNIST CSF, 6 mappings
cybersecuritySkill

Conducting a Cyber Risk Assessment with NIST SP 800-30

Conduct a defensible cybersecurity risk assessment using the NIST SP 800-30 Rev 1 methodology: prepare scope and a risk model, identify threat sources and threat events, identify vulnerabilities and predisposing conditions, determine likelihood and impact, compute risk, and communicate results as a prioritized risk register. Use when an organization needs an actual risk *assessment* (not a maturity score), when a control framework (CSF, ISO 27001, RMF, SOC 2, PCI) requires a documented risk analysis as input, when leadership asks "what are our top risks and how bad are they", when assessing risk for a new system or major change, or when building a risk register from scratch. This is the methodology that feeds framework selection, ATO packages, and treatment decisions. Keywords: risk assessment, NIST 800-30, threat modeling, likelihood and impact, risk register, risk analysis, threat sources, vulnerabilities, risk determination, qualitative risk, risk matrix, residual risk, risk treatment.

Compliance Governance
compliancegovernancenist-800-30nist-800-39+4
ATT&CK, 5 mappingsNIST CSF, 5 mappings
cybersecuritySkill

Executing the NIST RMF to an Authorization to Operate (ATO)

Drive a federal system through the NIST Risk Management Framework (SP 800-37 Rev 2) to an Authorization to Operate (ATO): Prepare, Categorize (FIPS 199), Select a control baseline (FIPS 200 / SP 800-53 Rev 5), Implement, Assess (SP 800-53A), Authorize, and Monitor continuously. Use when a system needs an ATO or a renewal, when working a FISMA/FedRAMP authorization package, when building or reviewing an SSP, SAR, or POA&M, when categorizing a system as Low/Moderate/High impact, when selecting or tailoring a control baseline, or when standing up continuous monitoring (ConMon) after authorization. Covers ATO, conditional ATO (cATO), and the artifacts assessors expect. Keywords: NIST RMF, 800-37, ATO, authorization to operate, FISMA, FedRAMP, SSP, SAR, POA&M, FIPS 199, FIPS 200, 800-53, 800-53A, control baseline, security categorization, continuous monitoring, authorizing official, system boundary, ongoing authorization.

Compliance Governance
atocontinuous-monitoringfedrampfips-199+7
ATT&CK, 5 mappingsNIST CSF, 5 mappings
cybersecuritySkill

Implementing GDPR Data Protection Controls

The General Data Protection Regulation (EU) 2016/679 (GDPR) is the EU's comprehensive data protection law governing the collection, processing, storage, and transfer of personal data. This skill covers implementing the technical and organizational measures required by GDPR, including data protection by design and by default, Data Protection Impact Assessments (DPIAs), data subject rights management, breach notification procedures, and cross-border data transfer mechanisms.

Compliance Governance
compliancedata-protectioneu-regulationgdpr+2
ATT&CK, 3 mappingsNIST CSF, 5 mappingsATLAS, 3 mappingsAI RMF, 5 mappings
cybersecuritySkill

Implementing HIPAA Security Rule Safeguards

Implement the HIPAA Security Rule (45 CFR Part 164 Subpart C) to protect electronic protected health information (ePHI): conduct the required risk analysis, deploy the administrative, physical, and technical safeguards, handle required vs addressable implementation specifications, execute Business Associate Agreements, and stand up breach-notification readiness. Use when an organization is a HIPAA covered entity or business associate, when protecting ePHI, when preparing for an OCR audit or responding to a breach, when performing a HIPAA Security Risk Analysis, when drafting or reviewing a BAA, or when mapping security controls to the §164.308/310/312/314/316 safeguards. Notes the 2025 NPRM proposed changes (not yet final). Keywords: HIPAA, HIPAA Security Rule, ePHI, PHI, 45 CFR 164, risk analysis, administrative safeguards, physical safeguards, technical safeguards, addressable, required, Business Associate Agreement, BAA, OCR, breach notification, HITECH, covered entity, business associate.

Compliance Governance
45-cfr-164baabreach-notificationcompliance+7
ATT&CK, 5 mappingsNIST CSF, 7 mappings
cybersecuritySkill

Implementing ISO 27001 Information Security Management

ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). This skill covers the complete lifecycle from scoping through certification, including Annex A control selection, risk assessment methodology, Statement of Applicability (SoA) creation, and continuous improvement processes.

Compliance Governance
certificationcompliancegovernanceisms+2
ATT&CK, 3 mappingsNIST CSF, 5 mappings
cybersecuritySkill

Implementing PCI DSS Compliance Controls

PCI DSS 4.0.1 establishes 12 requirements across 6 control objectives for organizations that store, process, or transmit cardholder data. With PCI DSS 3.2.1 retiring April 2024 and 51 new requirements becoming mandatory March 31, 2025, this skill covers implementing all requirements including the new customized validation approach, enhanced authentication, and continuous monitoring controls.

Compliance Governance
cardholder-datacompliancegovernancepayment-security+1
ATT&CK, 3 mappingsNIST CSF, 5 mappings
cybersecuritySkill

Managing Third-Party Vendor Risk

Build and run a third-party / vendor risk management (TPRM) program aligned to NIST SP 800-161 C-SCRM and NIST CSF 2.0 GV.SC: inventory and tier vendors by risk, send the right due-diligence questionnaire (SIG, CAIQ), review evidence (SOC 2, ISO 27001, pen-test reports), set contractual security and right-to-audit clauses, monitor vendors continuously, manage Nth-party / subcontractor risk, and offboard securely. Use when an organization needs to assess a new vendor before onboarding, when standing up or maturing a vendor-risk program, when tiering a vendor portfolio, when reviewing a SOC 2 or CAIQ, when writing security requirements into a contract or DPA, when a vendor suffers a breach, or when managing supply-chain / software supply-chain risk. Keywords: third-party risk, vendor risk management, TPRM, supply chain risk, C-SCRM, NIST 800-161, vendor tiering, SIG questionnaire, CAIQ, SOC 2, ISO 27001, right to audit, continuous monitoring, security ratings, fourth-party risk, Nth-party, vendor offboarding, due diligence.

Compliance Governance
c-scrmcaiqcontinuous-monitoringgovernance+6
ATT&CK, 5 mappingsNIST CSF, 6 mappings
cybersecuritySkill

Performing NIST CSF Maturity Assessment

The NIST Cybersecurity Framework (CSF) 2.0, released in February 2024, provides a comprehensive taxonomy for managing cybersecurity risk through six core Functions - Govern, Identify, Protect, Detect, Respond, and Recover. This skill covers conducting a maturity assessment against the CSF using Implementation Tiers to measure organizational cybersecurity posture and create improvement roadmaps.

Compliance Governance
compliancecsfgovernancematurity-assessment+2
ATT&CK, 3 mappingsNIST CSF, 5 mappings