7

Audit & Continuous Monitoring

Efficacy review of all previous outputs

6

Preventive & Remediative Enforcement

Corrective actions for noncompliance

5

Intent & Behavior Evaluation

Inspection of sensitive activities

4

Sensitive Activities

Actions that might introduce risk

3

Risk & Policy

Organization-specific rules

2

Threats & Controls

Technology-specific objectives

1

Vectors & Guidance

Foundational knowledge or regulations