Gemara: GRC Engineering Model for Automated Risk Assessment
Pronounced: Juh-MAH-ruh (think 💎)
What is Gemara?
Gemara (the GRC Engineering Model for Automated Risk Assessment) provides a logical model that describes the categories of compliance activities, how they interact, and the schemas that enable automated interoperability between them.
To facilitate cross-functional communication, the Gemara Model outlines the categorical layers of activity involved in automated governance.
The Six Layers
Gemara organizes compliance activities into six categorical layers, each building upon the previous:
Layer 1: Guidance
High-level guidance on cybersecurity measures from industry groups and standards bodies.
Layer 2: Controls
Technology-specific, threat-informed security controls for protecting information systems.
Layer 3: Policy
Risk-informed guidance tailored to your organization's specific needs and risk appetite.
Layer 4: Evaluation
Inspection of code, configurations, and deployments against policies and controls.
Layer 5: Enforcement
Prevention or remediation based on assessment findings (Coming Soon).
Layer 6: Audit
Review of organizational policy and conformance (Coming Soon).
Real-World Usage
Gemara is being used today in production environments:
- FINOS Common Cloud Controls - Layer 2 controls for cloud environments
- Open Source Project Security Baseline - Layer 2 security baseline for open source projects
- Privateer - Layer 4 evaluation framework with plugins like the OSPS Baseline Plugin
Get Started
Install the Go module:
go get github.com/ossf/gemara
Or use the CUE schemas directly for validation:
# Install CUE
go install cuelang.org/go/cmd/cue@latest
# Validate your data
cue vet ./your-data.yaml ./schemas/layer-2.cue
Community
Join the conversation:
- Slack: #gemara on OpenSSF Slack
- Meetings: Bi-weekly on alternate Thursdays - see the OpenSSF calendar
- GitHub: ossf/gemara