Which publication is the primary source for risk management guidance in the material?

Multiple Choice

Which publication is the primary source for risk management guidance in the material?

Explanation:
The main idea tested is identifying the publication that provides the comprehensive, organization-wide approach to handling risk. This publication establishes the enterprise risk management framework, guiding how to frame, assess, respond to, and monitor risk across missions, assets, and information systems. It emphasizes governance, senior management involvement, and a lifecycle approach, making it the primary source for risk management guidance and how risk decisions are integrated into the broader organization. By design, risk assessment guides (while important for analyzing specific threats and vulnerabilities) don’t set the overall governance and lifecycle; the controls catalog focuses on what to implement to mitigate risk in systems; and incident handling guides how to respond to incidents after they occur. So the publication that lays out the end-to-end risk management framework is the primary reference.
