Tutorials
Start here
Gemara Layers — Knowledge, Inputs & Outputs — Start here if you’re new to the model.
Find Your Tutorial
Pick your goal — each path leads to the right guide.
Performing a threat assessment
For a system or component → Threat Assessment Guide — identify capabilities and threats, map them to attack surfaces (Layer 2).
Defining security controls
That mitigate those threats → Control Catalog Guide — create a control catalog with assessment requirements and threat-mappings (Layer 2).
Understanding what threats and controls exist
Before writing policy → Threat Assessment Guide for threats and capabilities, and Control Catalog Guide for threat-informed controls and assessment requirements (Layer 2).
Reviewing the controls to reference in a policy
→ Control Catalog Guide — control structure, assessment requirements, and threat links (Layer 2).
Understanding the security posture of consumed software
→ Threat Assessment Guide — review threat catalogs for your dependencies (Layer 2).
→ COMING SOON: Use control catalogs (e.g. OSPS, CCC) as hardening guides (Layer 2).
Creating a guidance catalog from best practices
From a spreadsheet or checklist — create a guidance catalog (guidelines, groups, mapping-references) that threat-informed controls can reference; express relationships to other frameworks in a Mapping Document Guide (see also the Mapping Document schema). → Guidance Catalog Guide.
Creating a mapping document between artifacts
Express how entries in a source artifact (e.g., guidance, principle, or control catalog) relate to a target artifact (e.g., regulation or framework) — Mapping Document Guide — typed source/target references (#TypedMapping), source plus targets (#MappingTarget), relationship types, and applicability (cross-artifact).
Creating organizational policy
Create a policy document that translates risk appetite into mandatory rules — Policy Guide — scope, imports, adherence, and risks (Layer 3).
Creating a risk catalog
When you need a structured inventory of organizational or system risks — risk categories (appetite, optional max-severity), per-risk severity, optional RACI owner and impact, and optional threats links backed by metadata.mapping-references — so policies can reference mitigated or accepted risks → Risk Catalog Guide (Layer 3).
What You’ll Build
| Layer | Artifact | Guide |
|---|---|---|
| Layer 1 — Guidance | Guidance Catalog (guidelines, groups, mapping-references); Principle Catalog (principles, groups) | Guidance Catalog Guide |
| Layer 2 — Controls | Threat Catalog + Control Catalog (assessment requirements, threats) | Threat Assessment, Control Catalog |
| Layer 3 — Policy | Policy Document (scope, imports, adherence) | Policy Guide |
| Layer 3 — Risks | Risk Catalog (risk categories, appetite, risks, optional threat mappings) | Risk Catalog Guide |
| Cross-artifact | Mapping Document (typed source/target references, targets per mapping, relationship types; entry types per schema include guidelines, controls, Principle, threats, risks, and others) | Mapping Document Guide |
What You’ll Need
- `go` installed
- `cue` installed for validation (e.g. `cue vet -c -d '#MappingDocument' . your-mapping-document-example.yaml` from a clone, or the same placeholder filename with `github.com/gemaraproj/gemara@latest` for the published module)
Have Ideas?
- Reach out via Slack in #gemara
- Discuss in one of our bi-weekly meetings on the OpenSSF calendar
- Open a GitHub Issue