Build Order

Authoritative sequence for authoring the policy library. BATCH indicates the recommended grouping for Claude Code sessions. P0-P3 is priority; P0 first.

Format: [BATCH] [PRIORITY] DOC_ID — Title — target path


Batch 1 — Governance Shell (P0)

  • [B1] [P0] AUL-POL-01 — Information Security Policy (Master) — policies/00-governance/01-information-security-policy.md
  • [B1] [P0] AUL-POL-02 — Roles & Responsibilities Policy — policies/00-governance/02-roles-responsibilities-policy.md
  • [B1] [P0] AUL-POL-03 — Risk Management Policy — policies/00-governance/03-risk-management-policy.md
  • [B1] [P0] AUL-POL-04 — Information Classification & Handling Policy — policies/00-governance/04-information-classification-handling-policy.md
  • [B1] [P0] AUL-POL-05 — Acceptable Use Policy — policies/00-governance/05-acceptable-use-policy.md

Batch 2 — Governance Completion + Personnel (P0)

  • [B2] [P0] AUL-POL-06 — Code of Conduct & Ethics Policy — policies/00-governance/06-code-of-conduct-ethics-policy.md
  • [B2] [P0] AUL-POL-07 — Policy Exception & Waiver Policy — policies/00-governance/07-policy-exception-waiver-policy.md
  • [B2] [P0] AUL-POL-08 — Personnel Security Policy — policies/01-personnel-physical/08-personnel-security-policy.md
  • [B2] [P0] AUL-POL-09 — Onboarding & Offboarding Policy — policies/01-personnel-physical/09-onboarding-offboarding-policy.md
  • [B2] [P0] AUL-POL-10 — Security Awareness & Training Policy — policies/01-personnel-physical/10-security-awareness-training-policy.md

Batch 3 — Personnel/Physical + Access (P0)

  • [B3] [P0] AUL-POL-11 — Physical & Environmental Security Policy — policies/01-personnel-physical/11-physical-environmental-security-policy.md
  • [B3] [P0] AUL-POL-12 — Remote Work / Telework Policy — policies/01-personnel-physical/12-remote-work-telework-policy.md
  • [B3] [P1] AUL-POL-13 — Travel Security Policy — policies/01-personnel-physical/13-travel-security-policy.md
  • [B3] [P0] AUL-POL-14 — Insider Threat Program Policy — policies/01-personnel-physical/14-insider-threat-program-policy.md
  • [B3] [P0] AUL-POL-15 — Access Control Policy — policies/02-access-identity/15-access-control-policy.md

Batch 4 — Access & Identity (P0)

  • [B4] [P0] AUL-POL-16 — Identity & Authentication Policy — policies/02-access-identity/16-identity-authentication-policy.md
  • [B4] [P0] AUL-POL-17 — Password & Credential Policy — policies/02-access-identity/17-password-credential-policy.md
  • [B4] [P0] AUL-POL-18 — Multi-Factor Authentication Policy — policies/02-access-identity/18-mfa-policy.md
  • [B4] [P0] AUL-POL-19 — Privileged Access Management Policy — policies/02-access-identity/19-privileged-access-management-policy.md
  • [B4] [P0] AUL-POL-20 — Remote Access Policy — policies/02-access-identity/20-remote-access-policy.md

Batch 5 — Data Protection (P0)

  • [B5] [P0] AUL-POL-21 — Data Protection & Encryption Policy — policies/03-data-protection/21-data-protection-encryption-policy.md
  • [B5] [P0] AUL-POL-22 — Cryptographic Key Management Policy — policies/03-data-protection/22-cryptographic-key-management-policy.md
  • [B5] [P0] AUL-POL-23 — CUI Handling Policy — policies/03-data-protection/23-cui-handling-policy.md
  • [B5] [P0] AUL-POL-24 — Export Control Policy (ITAR/EAR) — policies/03-data-protection/24-export-control-policy.md
  • [B5] [P0] AUL-POL-25 — Data Retention & Disposal Policy — policies/03-data-protection/25-data-retention-disposal-policy.md

Batch 6 — Data Protection Completion + Network (P0)

  • [B6] [P1] AUL-POL-26 — Data Loss Prevention Policy — policies/03-data-protection/26-data-loss-prevention-policy.md
  • [B6] [P1] AUL-POL-27 — Privacy Policy (Internal) — policies/03-data-protection/27-privacy-policy.md
  • [B6] [P0] AUL-POL-28 — Backup & Recovery Policy — policies/03-data-protection/28-backup-recovery-policy.md
  • [B6] [P0] AUL-POL-29 — Network Security Policy — policies/04-system-network/29-network-security-policy.md
  • [B6] [P0] AUL-POL-30 — Endpoint Security Policy — policies/04-system-network/30-endpoint-security-policy.md

Batch 7 — System & Network (P0/P1)

  • [B7] [P1] AUL-POL-31 — Mobile Device Management Policy — policies/04-system-network/31-mobile-device-management-policy.md
  • [B7] [P0] AUL-POL-32 — Server & Infrastructure Hardening Policy — policies/04-system-network/32-server-infrastructure-hardening-policy.md
  • [B7] [P0] AUL-POL-33 — Cloud Security Policy — policies/04-system-network/33-cloud-security-policy.md
  • [B7] [P0] AUL-POL-34 — Email & Messaging Security Policy — policies/04-system-network/34-email-messaging-security-policy.md
  • [B7] [P1] AUL-POL-35 — Wireless & IoT Policy — policies/04-system-network/35-wireless-iot-policy.md

Batch 8 — Operations & Change (P0)

  • [B8] [P0] AUL-POL-36 — Configuration Management Policy — policies/05-operations-change/36-configuration-management-policy.md
  • [B8] [P0] AUL-POL-37 — Change Management Policy — policies/05-operations-change/37-change-management-policy.md
  • [B8] [P0] AUL-POL-38 — Patch & Vulnerability Management Policy — policies/05-operations-change/38-patch-vulnerability-management-policy.md
  • [B8] [P0] AUL-POL-39 — Asset Management Policy — policies/05-operations-change/39-asset-management-policy.md
  • [B8] [P0] AUL-POL-40 — Logging & Monitoring Policy — policies/05-operations-change/40-logging-monitoring-policy.md

Batch 9 — Operations Completion + SDLC (P0)

  • [B9] [P0] AUL-POL-41 — Audit & Accountability Policy — policies/05-operations-change/41-audit-accountability-policy.md
  • [B9] [P2] AUL-POL-42 — Capacity & Availability Management Policy — policies/05-operations-change/42-capacity-availability-management-policy.md
  • [B9] [P0] AUL-POL-43 — Secure Software Development Policy (SSDLC) — policies/06-software-ai/43-secure-software-development-policy.md
  • [B9] [P0] AUL-POL-44 — Secure Coding Standards Policy — policies/06-software-ai/44-secure-coding-standards-policy.md
  • [B9] [P0] AUL-POL-45 — Code Review & Branch Protection Policy — policies/06-software-ai/45-code-review-branch-protection-policy.md

Batch 10 — Software & AI (P0/P1)

  • [B10] [P0] AUL-POL-46 — Source Code Management & Repository Policy — policies/06-software-ai/46-source-code-management-policy.md
  • [B10] [P0] AUL-POL-47 — CI/CD Pipeline Security Policy — policies/06-software-ai/47-cicd-pipeline-security-policy.md
  • [B10] [P0] AUL-POL-48 — Application Security Testing Policy — policies/06-software-ai/48-application-security-testing-policy.md
  • [B10] [P0] AUL-POL-49 — AI/ML Model Governance Policy — policies/06-software-ai/49-ai-ml-model-governance-policy.md
  • [B10] [P0] AUL-POL-50 — AI/ML Security Policy — policies/06-software-ai/50-ai-ml-security-policy.md

Batch 11 — AI Completion + Third Party (P0/P1)

  • [B11] [P0] AUL-POL-51 — Training Data Governance Policy — policies/06-software-ai/51-training-data-governance-policy.md
  • [B11] [P0] AUL-POL-52 — Generative AI / Third-Party AI Tool Use Policy — policies/06-software-ai/52-generative-ai-tool-use-policy.md
  • [B11] [P1] AUL-POL-53 — API Security Policy — policies/06-software-ai/53-api-security-policy.md
  • [B11] [P1] AUL-POL-54 — Open Source Software Policy — policies/06-software-ai/54-open-source-software-policy.md
  • [B11] [P0] AUL-POL-55 — Third-Party / Vendor Risk Management Policy — policies/07-third-party-supply-chain/55-vendor-risk-management-policy.md

Batch 12 — Supply Chain + Incident (P0)

  • [B12] [P0] AUL-POL-56 — Supply Chain Risk Management Policy — policies/07-third-party-supply-chain/56-supply-chain-risk-management-policy.md
  • [B12] [P0] AUL-POL-57 — Subcontractor Flow-Down Policy — policies/07-third-party-supply-chain/57-subcontractor-flow-down-policy.md
  • [B12] [P0] AUL-POL-58 — Customer Data Handling Policy — policies/07-third-party-supply-chain/58-customer-data-handling-policy.md
  • [B12] [P0] AUL-POL-59 — Incident Response Policy — policies/08-incident-continuity/59-incident-response-policy.md
  • [B12] [P0] AUL-POL-60 — Cyber Incident Reporting Policy (DFARS) — policies/08-incident-continuity/60-cyber-incident-reporting-policy.md

Batch 13 — Continuity + Compliance (P0/P1)

  • [B13] [P1] AUL-POL-61 — Breach Notification Policy — policies/08-incident-continuity/61-breach-notification-policy.md
  • [B13] [P0] AUL-POL-62 — Business Continuity Policy — policies/08-incident-continuity/62-business-continuity-policy.md
  • [B13] [P0] AUL-POL-63 — Disaster Recovery Policy — policies/08-incident-continuity/63-disaster-recovery-policy.md
  • [B13] [P2] AUL-POL-64 — Pandemic / Site-Loss Continuity Annex — policies/08-incident-continuity/64-pandemic-site-loss-annex.md
  • [B13] [P1] AUL-POL-65 — Forensics & Evidence Handling Policy — policies/08-incident-continuity/65-forensics-evidence-handling-policy.md

Batch 14 — Compliance & Audit (P0)

  • [B14] [P0] AUL-POL-66 — Compliance Management Policy — policies/09-compliance-audit/66-compliance-management-policy.md
  • [B14] [P0] AUL-POL-68 — Plan of Action & Milestones (POA&M) Policy — policies/09-compliance-audit/68-poam-policy.md
  • [B14] [P0] AUL-POL-69 — Continuous Monitoring Policy — policies/09-compliance-audit/69-continuous-monitoring-policy.md
  • [B14] [P1] AUL-POL-70 — Internal Audit Policy — policies/09-compliance-audit/70-internal-audit-policy.md
  • [B14] [P1] AUL-POL-71 — External Audit & Assessment Policy — policies/09-compliance-audit/71-external-audit-policy.md

Note: AUL-POL-67 (System Security Plan) is a plan, not a policy — see plans/. Skip in policy authoring.

Batch 15 — Defense-Specific (P0/P1)

  • [B15] [P0] AUL-POL-72 — Operations Security (OPSEC) Policy — policies/10-defense-specific/72-opsec-policy.md
  • [B15] [P0] AUL-POL-73 — Foreign Ownership, Control, or Influence (FOCI) Policy — policies/10-defense-specific/73-foci-policy.md
  • [B15] [P3] AUL-POL-74 — Classified Information Handling Policy (Placeholder) — policies/10-defense-specific/74-classified-information-handling-policy.md
  • [B15] [P0] AUL-POL-75 — Controlled Technical Information (CTI) Policy — policies/10-defense-specific/75-controlled-technical-information-policy.md
  • [B15] [P1] AUL-POL-76 — Research Data & Publication Review Policy — policies/10-defense-specific/76-research-publication-review-policy.md
  • [B16] [P1] AUL-POL-77 — Collaboration & Information Sharing Policy — policies/10-defense-specific/77-collaboration-information-sharing-policy.md
  • [B16] [P1] AUL-POL-78 — Acquisition & Procurement Security Policy — policies/11-acquisition-legal/78-acquisition-procurement-security-policy.md
  • [B16] [P1] AUL-POL-79 — Software Procurement & Licensing Policy — policies/11-acquisition-legal/79-software-procurement-licensing-policy.md
  • [B16] [P2] AUL-POL-80 — Legal Hold & E-Discovery Policy — policies/11-acquisition-legal/80-legal-hold-ediscovery-policy.md
  • [B16] [P1] AUL-POL-81 — Whistleblower & Reporting Policy — policies/11-acquisition-legal/81-whistleblower-reporting-policy.md

Plans (after policies are drafted)

  • AUL-PLN-01 — System Security Plan (SSP) — plans/01-system-security-plan.md
  • AUL-PLN-02 — Incident Response Plan — plans/02-incident-response-plan.md
  • AUL-PLN-03 — Business Continuity Plan — plans/03-business-continuity-plan.md
  • AUL-PLN-04 — Disaster Recovery Plan — plans/04-disaster-recovery-plan.md
  • AUL-PLN-05 — Insider Threat Program Plan — plans/05-insider-threat-program-plan.md
  • AUL-PLN-06 — Supply Chain Risk Management Plan — plans/06-scrm-plan.md
  • AUL-PLN-07 — Continuous Monitoring Plan — plans/07-continuous-monitoring-plan.md
  • AUL-PLN-08 — Configuration Management Plan — plans/08-configuration-management-plan.md
  • AUL-PLN-09 — Contingency Plan — plans/09-contingency-plan.md

Standards (companion to policies)

  • AUL-STD-01 — Encryption Standard
  • AUL-STD-02 — Logging Standard
  • AUL-STD-03 — Hardening Standard (CIS / DISA STIG baselines)
  • AUL-STD-04 — Password Standard
  • AUL-STD-05 — MFA Standard
  • AUL-STD-06 — Network Architecture Standard
  • AUL-STD-07 — CUI Marking Standard
  • AUL-STD-08 — Secure Coding Standard
  • AUL-STD-09 — AI/ML Model Card Standard
  • AUL-STD-10 — Vulnerability Severity & SLA Standard

(Targets in standards/NN-name.md. Add SOPs to procedures/ as referenced.)

Procedures / SOPs (referenced by policies)

  • AUL-SOP-01 — Onboarding SOP
  • AUL-SOP-02 — Offboarding SOP
  • AUL-SOP-03 — Access Review SOP
  • AUL-SOP-04 — Incident Response Runbook (general)
  • AUL-SOP-05 — DFARS 72-Hour DoD Cyber Incident Reporting Runbook
  • AUL-SOP-06 — CUI Spillage Procedure
  • AUL-SOP-07 — Backup Restoration SOP
  • AUL-SOP-08 — Vulnerability Triage SOP
  • AUL-SOP-09 — Vendor Onboarding Security SOP
  • AUL-SOP-10 — Foreign Travel Pre/Post-Briefing SOP
  • AUL-SOP-11 — Patch Deployment SOP
  • AUL-SOP-12 — Phishing Reporting SOP

(Add as referenced by policies; track in STATUS.md.)


Registers (continuously maintained)

  • Risk Register — registers/risk-register.md
  • Asset Register — registers/asset-register.md
  • Vendor Register — registers/vendor-register.md
  • Exception Register — registers/exception-register.md
  • Incident Log — registers/incident-log.md
  • Change Log — registers/change-log.md
  • POA&M — registers/poam.md
  • Training Records — registers/training-records.md