Conclusion
This model provides a clear, actionable, and extensible framework for engineering modern Governance, Risk, and Compliance programs. By establishing a common vocabulary and a logical, layered architecture, it demystifies the complex interactions between high-level Guidance, technical Controls, organizational Policy, and automated Enforcement.
The Gemara Project has been formed within the Linux Foundation and is stewarded by the Open Source Security Foundation (OpenSSF). The project is responsible for maintaining machine-optimized document schemas for all of the activity types listed in this model, as well as a lexicon of helpful terms and software development kits (SDKs). The project’s governance structure ensures that maintenance is fully distributed among multiple organizations, with founding maintainers from Sonatype, Red Hat, and CVS Health.
The community-maintained schemas are open to extension or, in extreme cases, modification to best support the community at large. The similarly open source SDKs are designed to assist in reading and transforming Gemara-compatible documents. These resources ensure that any organization can rapidly bootstrap an internal GRC Engineering solution, and anyone looking to build solutions to accelerate the ecosystem can get started in minutes.
The Gemara Project offers a structured path toward Automated Governance by bridging the divide between high-level industry frameworks and technology-specific safeguards. By providing a common logical basis for GRC Engineering, the project moves beyond abstract concepts to offer a practical, machine-optimized foundation for the modern secure software factory.