Start here

Gemara Layers — Knowledge, Inputs & Outputs — Start here if you’re new to the model.


Find Your Tutorial

Pick your goal — each path leads to the right guide.

Performing a threat assessment

For a system or component → Threat Assessment Guide — identify capabilities and threats, map them to attack surfaces (Layer 2).

Defining security controls

That mitigate those threats → Control Catalog Guide — create a control catalog with assessment requirements and threat-mappings (Layer 2).

Understanding what threats and controls exist

Before writing policy → Threat Assessment Guide

COMING SOON: Review or author threat-informed controls that your policy will reference (Layer 2).

Reviewing the controls to reference in a policy

COMING SOON: Understand the control catalog structure and assessment requirements (Layer 2).

Understanding the security posture of consumed software

Threat Assessment Guide — review threat catalogs for your dependencies (Layer 2).

COMING SOON: Use control catalogs (e.g. OSPS, CCC) as hardening guides (Layer 2).

Creating a guidance catalog from best practices

From a spreadsheet or checklist — create a guidance catalog (guidelines, families, mapping-references) that threat-informed controls can reference; express relationships to other frameworks in a Mapping Document. → Guidance Catalog Guide.

Creating organizational policy

Create a policy document that translates risk appetite into mandatory rules — Policy Guide — scope, imports, adherence, and risks (Layer 3).


What You’ll Build

Layer / Artifact / Guide

Layer 1 — Guidance: Guidance Catalog (guidelines, families, mapping-references) → Guidance Catalog Guide
Layer 2 — Controls: Threat Catalog + Control Catalog (assessment requirements, threats) → Threat Assessment Guide, Control Catalog Guide
Layer 3 — Policy: Policy Document (scope, imports, adherence, risks) → Policy Guide

What You’ll Need

  • go installed
  • cue installed for validation

Have Ideas?