Gemara (Juh-MAH-ruh)

GRC Engineering Model for Automated Risk Assessment
Gemara provides a logical model to describe the categories of compliance activities, how they interact, and the schemas to enable automated interoperability between them.
To facilitate cross-functional communication, the Gemara Model outlines the categorical layers of activity that make up automated governance.
The Three Components
Gemara delivers three core components that work together to support automated GRC:
The Model
The foundational layer model that describes the seven categorical layers of GRC activities. This model is stable and rarely changes, as it reflects the longstanding reality of GRC activity types.
Provides the conceptual framework for understanding how different types of compliance activities relate to each other.
The Schemas
Schemas, written in CUE, that standardize how the elements of the model are expressed.
Provides a CUE schema for every layer, so that documents can be validated automatically and exchanged between tools.
The SDKs
Language-specific SDKs that provide programmatic access to Gemara documents and tooling to accelerate automated tool development.
Currently provides a Go SDK for reading, writing, and manipulating Gemara documents.
Quick Start
Choose your starting point based on your needs:
- Understanding GRC structure? Start with The Model component
- Validating documents? Use The Schemas component
- Building tools? Jump to The SDKs component
All three components work together; you will likely use elements from each as you work with Gemara.
Real-World Usage
Gemara is being used today in production environments:
- FINOS Common Cloud Controls - Layer 2 controls for cloud environments
- Open Source Project Security Baseline - Layer 2 security baseline for open source projects
- Privateer - Layer 5 evaluation framework with plugins like the OSPS Baseline Plugin