Gemara Implementation
Status: Active Development
Layer Schemas
Machine-readable schemas (CUE format) standardize the expression of elements in the model. Click on a layer to view its schema:
Layer 1: Guidance
High-level guidance on cybersecurity measures from industry groups and standards bodies.
Layer 2: Controls
Technology-specific, threat-informed security controls for protecting information systems.
Layer 3: Policy
Risk-informed guidance tailored to your organization's specific needs and risk appetite.
Layer 4: Evaluation
Inspection of code, configurations, and deployments against policies and controls.
Layer 5: Enforcement
Prevention or remediation based on assessment findings. (Coming Soon)
Layer 6: Audit
Review of organizational policy and conformance. (Coming Soon)
Browse all schemas on GitHub →
Validation
Validate data against Gemara schemas using CUE:
go install cuelang.org/go/cmd/cue@latest
cue vet ./your-controls.yaml ./schemas/layer-2.cue
Go SDK
The Go SDK provides APIs for reading, writing, and manipulating Gemara documents.
Installation
go get github.com/ossf/gemara
Usage Example
package main

import (
	"fmt"

	"github.com/ossf/gemara"
)

func main() {
	// Start from an empty catalog and populate it from a Layer 2 controls document.
	catalog := &gemara.Catalog{}
	catalog, err := catalog.LoadFile("file://controls.yaml")
	if err != nil {
		// A parse or schema error here means the file does not conform to the Layer 2 schema.
		panic(err)
	}
	fmt.Printf("Catalog: %s\n", catalog.Metadata.ID)
}
See repository examples for more.
Contributing
The Implementation evolves based on community needs:
- Schema improvements? Open an issue or submit a PR
- New features or APIs? Propose changes via PR
- Found a bug? Report it
- Significant architectural changes? Document in an ADR
See the Contributing Guide for details.
Architecture Decisions
Significant implementation changes are documented in Architecture Decision Records (ADRs).
Versioning and Maintenance
See the Implementation Maintenance document for versioning and release procedures.
Relationship to Other Components
The Model
Provides the conceptual foundation. Each schema corresponds to a layer in the model.
The Lexicon
Informs Implementation design. Schema field names and SDK documentation use Lexicon definitions for consistency.