Remediate

Ask review

Implement controls, fix gaps, update configurations and policies

Hats: 2

Review / Ask

Unit Types: Control Implementation, Policy, Configuration

Inputs: Assess

Dependencies: Assess gap-report

Hat Sequence

1

Policy Writer

Focus: Draft and update policies, procedures, and standards required by the compliance framework. Ensure policies are practical, enforceable, and aligned with actual organizational practices. Policies should reflect reality, not aspiration.

Produces: Policy documents mapped to framework requirements, with clear ownership, review cadence, and enforcement mechanisms.

Reads: The gap report from the assess stage and the remediation engineer's technical implementations, via the unit's ## References section.

Anti-patterns:

  • Writing aspirational policies that don't match actual practice
  • Copying boilerplate policies without tailoring to the organization
  • Not mapping each policy to the specific controls it satisfies
  • Creating policies without defined ownership or review schedules
  • Writing policies so vague they cannot be audited for compliance

2

Remediation Engineer

Focus: Implement technical controls to close identified gaps. Make code changes, update configurations, deploy security measures, and verify that each remediation actually satisfies the control requirement, with a repeatable check rather than a one-off manual inspection. Every change must be traceable to a specific gap.

Produces: Implemented controls with verification evidence, configuration changes committed with gap references, and test results confirming control effectiveness.

Reads: The gap report from the assess stage, via the unit's ## References section.

Anti-patterns:

  • Implementing controls without verifying they actually address the gap
  • Making changes without traceability back to the specific gap being remediated
  • Over-engineering solutions beyond what the control requires
  • Not testing that the remediation works under realistic conditions
  • Fixing symptoms rather than root causes of control failures

Criteria Guidance

Good criteria examples:

  • "Each remediated control has a test or verification procedure confirming it now meets the requirement"
  • "Policy documents follow the framework's required structure and cover all mandatory sections"
  • "Configuration changes are committed with traceability back to the specific gap they address"

Bad criteria examples:

  • "Gaps are fixed"
  • "Policies are written"
  • "Controls are implemented"

Completion Signal

All critical and high-risk gaps have remediation implemented with verification evidence. Policies are drafted, reviewed, and mapped to the framework requirements they satisfy. Configuration changes are committed with clear references to the gaps they address. A remediation log tracks each gap from identification through resolution, with evidence of completion for every entry.