Tutorials
Start here
Gemara Layers — Knowledge, Inputs & Outputs — Start here if you’re new to the model.
Find Your Tutorial
Pick your goal — each path leads to the right guide.
Performing a threat assessment
For a system or component → Threat Assessment Guide — identify capabilities and threats, map them to attack surfaces (Layer 2).
Defining security controls
That mitigate those threats → Control Catalog Guide — create a control catalog with assessment requirements and threat-mappings (Layer 2).
Understanding what threats and controls exist
Before writing policy → Threat Assessment Guide for threats and capabilities, and Control Catalog Guide for threat-informed controls and assessment requirements (Layer 2).
Reviewing the controls to reference in a policy
→ Control Catalog Guide — control structure, assessment requirements, and threat links (Layer 2).
Understanding the security posture of consumed software
→ Threat Assessment Guide — review threat catalogs for your dependencies (Layer 2).
→ COMING SOON: Use control catalogs (e.g. OSPS, CCC) as hardening guides (Layer 2).
Creating a guidance catalog from best practices
From a spreadsheet or checklist — create a guidance catalog (guidelines, groups, mapping-references) that threat-informed controls can reference; express relationships to other frameworks in a Mapping Document (see mapping-document.yaml). → Guidance Catalog Guide.
Creating organizational policy
Create a policy document that translates risk appetite into mandatory rules — Policy Guide — scope, imports, adherence, and risks (Layer 3).
Creating a risk catalog
When you need a structured inventory of organizational or system risks—risk categories (appetite, optional max-severity), per-risk severity, optional RACI owner and impact, and optional threats links backed by metadata.mapping-references—so policies can reference mitigated or accepted risks → Risk Catalog Guide (Layer 3).
What You’ll Build
| Layer | Artifact | Guide |
|---|---|---|
| Layer 1 — Guidance | Guidance Catalog (guidelines, groups, mapping-references); Principle Catalog (principles, groups) | Guidance Catalog Guide |
| Layer 2 — Controls | Threat Catalog + Control Catalog (assessment requirements, threats) | Threat Assessment, Control Catalog |
| Layer 3 — Policy | Policy Document (scope, imports, adherence) | Policy Guide |
| Layer 3 — Risks | Risk Catalog (risk categories, appetite, risks, optional threat mappings) | Risk Catalog Guide |
What You’ll Need
goinstalledcueinstalled for validation
Have Ideas?
- Reach out via Slack in
#gemara - Discuss in one of our bi-weekly meetings on the OpenSSF calendar
- Open a GitHub Issue