Federal Auditing is... Complicated.

Breaking down your understanding of all things Federal, eh? Yeah, I'm *still* learning. I love this compilation you can find at https://csiac.org/resources/the-dod-cybersecurity-policy-chart. I've been using this chart for years to demonstrate to my peers how different bodies of work interact. You'll find this in compliance slide decks I've created for graduate college classes to drive the point that there is a lot to consider when making control selection, design, implementation, and operational decisions. 

You can use this as another tool for peeling back layers and quickly finding related directives and publications. 

From the website (do yourself a favor and read this before looking at the chart...): 

• "The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of colors, fonts, and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems, and data.
• At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side are boxes identifying key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can also be found in the chart."