Designed around the plan-protect-respond cycle. Security threats, cryptographic security, access control, identity management, firewalls, intrusion detection systems, host hardening, and application security. Repeatable one time. Pre: 431 or consent. (Once a year)