diff --git a/content/en/assessment-requirement.md b/content/en/assessment-requirement.md new file mode 100644 index 0000000..f4913e7 --- /dev/null +++ b/content/en/assessment-requirement.md @@ -0,0 +1,20 @@ +--- +title: Assessment Requirement +status: Completed +category: concept +tags: ["gemara", "grc"] +--- + +An assessment requirement is a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator. + +## Problem it addresses + +Broad or vague rules are hard to verify and lead to inconsistent judgments. +Teams need conditions that are specific enough to be tested and agreed upon. + +## How it helps + +Tightly scoped, verifiable requirements give evaluators a clear target. +They support consistent [assessment](assessment) and [evaluation](evaluation) and make it easier to automate checks. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/assessment.md b/content/en/assessment.md new file mode 100644 index 0000000..3575f97 --- /dev/null +++ b/content/en/assessment.md 
@@ -0,0 +1,20 @@ +--- +title: Assessment +status: Completed +category: concept +tags: ["gemara", "grc"] +--- + +An assessment is (1) the process of determining whether an outcome meets the actor's intent, or (2) an atomic process within an [evaluation](evaluation) used to determine a resource's [compliance](compliance) with an [assessment requirement](assessment-requirement). + +## Problem it addresses + +Organizations need to know whether their systems and processes actually meet the rules they have set. +A single, repeatable way to answer "did we meet this requirement?" is missing without a clear idea of what an assessment is. + +## How it helps + +Defining assessment as a process (or an atomic step within evaluation) gives teams a shared way to check [compliance](compliance). +It separates the act of judging from the broader [evaluation](evaluation) and from the requirements being checked. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/audit.md b/content/en/audit.md new file mode 100644 index 0000000..5426c18 --- /dev/null +++ b/content/en/audit.md 
@@ -0,0 +1,20 @@ +--- +title: Audit +status: Completed +category: concept +tags: ["gemara", "grc"] +--- + +An audit is a formal, opinionated review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met. + +## Problem it addresses + +Stakeholders need independent assurance that an organization follows its own rules and meets external expectations. +Without a defined audit practice, it is unclear who checks what and when. + +## How it helps + +A formal audit at a point in time provides a snapshot of [compliance](compliance) and gaps. +It supports accountability and helps organizations improve their [policy](policy) and [control](control) implementation. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/behavior-evaluation.md b/content/en/behavior-evaluation.md new file mode 100644 index 0000000..a1799da --- /dev/null +++ b/content/en/behavior-evaluation.md 
@@ -0,0 +1,20 @@ +--- +title: Behavior Evaluation +status: Completed +category: concept +tags: ["gemara"] +--- + +A behavior evaluation is an opinionated observation of actions that are simulated or that occur in real use. + +## Problem it addresses + +Policies and [control](control)s are only as good as how people and systems actually behave. +Organizations need a way to judge behavior, not only written configuration or design. + +## How it helps + +Observing simulated or real-world behavior supports [evaluation](evaluation) of whether actions align with [assessment requirement](assessment-requirement)s. +It complements [intent evaluation](intent-evaluation) by focusing on what happens in practice. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/capabilities.md b/content/en/capabilities.md index 5e5ddf5..8b4d223 100644 --- a/content/en/capabilities.md +++ b/content/en/capabilities.md 
@@ -2,9 +2,21 @@ title: Capabilities status: Completed category: concept -tags: ["fundamental", "", ""] +tags: ["fundamental", "gemara"] --- -Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable. +a. A capability is a feature or function of a system; the primary component comprising an attack surface. -Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html \ No newline at end of file +b. Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable. + +## Problem it addresses + +a. To manage [risk](risk) and [threat](threat)s, you must know what a system can do. +Vague or incomplete descriptions of functionality make it hard to identify where things can go wrong. + +## How it helps + +a. Naming capabilities makes it possible to map [threat](threat)s and [vulnerability](vulnerability)s to specific functions. It supports [risk assessment](risk-assessment) and the design of [control](control)s that protect or constrain those capabilities. + +Source (a): [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/). +Source (b): Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html diff --git a/content/en/catalog.md b/content/en/catalog.md new file mode 100644 index 0000000..cf2e79b --- /dev/null +++ b/content/en/catalog.md 
@@ -0,0 +1,20 @@ +--- +title: Catalog +status: Completed +category: concept +tags: ["gemara"] +--- + +A catalog is a structured set of related prose and relevant metadata, such as [guidance](guidance), [control](control)s, or [threat](threat)s. + +## Problem it addresses + +Scattered or ad hoc lists of rules, [guideline](guideline)s, or [control](control)s are hard to maintain and reuse. +Organizations need a consistent way to group and reference related items. + +## How it helps + +A catalog gives a single place to store and version related content. +It supports reuse across [policy](policy), [evaluation](evaluation), and tooling and makes it easier to align with standards. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/compliance.md b/content/en/compliance.md new file mode 100644 index 0000000..3d9ff49 --- /dev/null +++ b/content/en/compliance.md @@ -0,0 +1,20 @@ +--- +title: Compliance +status: Completed +category: concept +tags: ["gemara", "grc"] +--- + +Compliance is adherence to a [rule](rule) or set of rules. + +## Problem it addresses + +Organizations need a simple way to say whether something meets the requirements they have set. +Without a clear idea of compliance, it is hard to judge the results of [assessment](assessment) and [evaluation](evaluation). + +## How it helps + +Defining compliance as adherence to rules gives a shared standard for [evaluation](evaluation) and [enforcement](enforcement). +It supports [policy](policy) and [audit](audit) by making it clear what "meets the requirement" means. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) 
diff --git a/content/en/continuous-monitoring.md b/content/en/continuous-monitoring.md new file mode 100644 index 0000000..3c59ed7 --- /dev/null +++ b/content/en/continuous-monitoring.md @@ -0,0 +1,20 @@ +--- +title: Continuous Monitoring +status: Completed +category: concept +tags: ["gemara"] +--- + +Continuous monitoring is a multi-system process that gathers [evaluation](evaluation) and operational data over time to detect non-compliance and malicious activity, support [remediative enforcement](remediative-enforcement), and track trends. + +## Problem it addresses + +Point-in-time checks can miss issues that appear between reviews. +Organizations need ongoing visibility into [compliance](compliance) and security to respond quickly. + +## How it helps + +Ongoing collection of data supports faster detection of problems and [enforcement](enforcement) actions. +It complements [audit](audit)s and helps organizations understand how their posture changes over time. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/control.md b/content/en/control.md new file mode 100644 index 0000000..4791520 --- /dev/null +++ b/content/en/control.md 
@@ -0,0 +1,20 @@ +--- +title: Control +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that asserts desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state. + +## Problem it addresses + +Without a shared idea of what a control is, people mix up the ability to govern, the mechanisms that enforce it, and the documentation that describes it. +That leads to unclear [policy](policy) and [evaluation](evaluation) expectations. + +## How it helps + +Clarifying these three senses of control helps teams align on intent, implementation, and evidence. +It supports [compliance](compliance) checking and [enforcement](enforcement) by tying requirements to concrete mechanisms and documentation. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/enforcement.md b/content/en/enforcement.md new file mode 100644 index 0000000..1548bfb --- /dev/null +++ b/content/en/enforcement.md 
@@ -0,0 +1,20 @@ +--- +title: Enforcement +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +Enforcement is an action taken in response to non-compliance findings and their causes. + +## Problem it addresses + +Finding non-compliance is only useful if the organization can act on it. +Without a clear idea of enforcement, responses may be inconsistent or delayed. + +## How it helps + +Defining enforcement as the response to non-compliance links [evaluation](evaluation) and [assessment](assessment) findings to concrete actions. +It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance). + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/evaluation-finding.md b/content/en/evaluation-finding.md new file mode 100644 index 0000000..c35358d --- /dev/null +++ b/content/en/evaluation-finding.md 
@@ -0,0 +1,20 @@ +--- +title: Evaluation Finding +status: Completed +category: concept +tags: ["gemara"] +--- + +An evaluation finding is the evidence and opinionated result of an [assessment](assessment). + +## Problem it addresses + +[Evaluation](evaluation) must produce something that others can use for [enforcement](enforcement), [audit](audit), or improvement. +Raw data without structure or [opinion](opinion) is hard to act on. + +## How it helps + +Findings bundle evidence with a clear result so that stakeholders can see what was checked and what was concluded. +They support accountability and traceability from [assessment requirement](assessment-requirement)s to outcomes. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/evaluation.md b/content/en/evaluation.md new file mode 100644 index 0000000..cb31dc2 --- /dev/null +++ b/content/en/evaluation.md 
@@ -0,0 +1,20 @@ +--- +title: Evaluation +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +Evaluation is the manual or automated process of forming an [opinion](opinion) on the state of [compliance](compliance), using a set of [assessment requirement](assessment-requirement)s as a guide. + +## Problem it addresses + +Organizations need a consistent way to judge whether resources meet their [policy](policy) and [control](control)s. +Ad hoc or inconsistent checks make it hard to trust results or improve over time. + +## How it helps + +Evaluation ties [assessment](assessment)s to explicit requirements and produces findings that support [enforcement](enforcement) and [audit](audit). +It can be manual or automated, so teams can scale and repeat the process. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/governance.md b/content/en/governance.md new file mode 100644 index 0000000..d5fd006 --- /dev/null +++ b/content/en/governance.md 
@@ -0,0 +1,20 @@ +--- +title: Governance +status: Completed +category: concept +tags: ["gemara"] +--- + +Governance is the strategic oversight of an [organization](organization) and its activities. + +## Problem it addresses + +Without clear oversight, decisions and actions may be inconsistent or misaligned with [policy](policy) and [risk appetite](risk-appetite). +Stakeholders need a shared idea of who sets direction and how it is carried out. + +## How it helps + +Defining governance as strategic oversight clarifies the link between [organization](organization) goals and day-to-day [compliance](compliance) and [enforcement](enforcement). +It supports [GRC](grc) programs and [audit](audit) by making accountability explicit. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/grc.md b/content/en/grc.md new file mode 100644 index 0000000..f9e6cab --- /dev/null +++ b/content/en/grc.md 
@@ -0,0 +1,21 @@ +--- +title: GRC +status: Completed +category: concept +tags: ["gemara"] +--- + +GRC stands for Governance, Risk, and Compliance. +It can mean (1) the domain of [governance](governance), [risk](risk), and [compliance](compliance) in cybersecurity, or (2) a coordinated program that addresses these areas within a business unit. + +## Problem it addresses + +Organizations need a shared way to talk about oversight, [risk](risk) management, and adherence to [rule](rule)s. +Without a common term, teams may treat these as separate concerns and miss connections. + +## How it helps + +Using GRC as a shared label helps align [policy](policy), [risk assessment](risk-assessment), and [audit](audit) efforts. +It supports the design of programs that integrate [governance](governance), [risk](risk), and [compliance](compliance) activities. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/guidance.md b/content/en/guidance.md new file mode 100644 index 0000000..c964462 --- /dev/null +++ b/content/en/guidance.md 
@@ -0,0 +1,20 @@ +--- +title: Guidance +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +Guidance is prose meant to help achieve a desired outcome for a topic or general scenario, based on knowledge of relevant [vector](vector)s. + +## Problem it addresses + +Teams need practical direction that is informed by how systems can be misused or neglected. +Generic advice that ignores [vulnerability](vulnerability) and [threat](threat)s is less useful for security and [risk](risk) management. + +## How it helps + +Guidance that references [vector](vector)s helps readers design and operate systems with known risks in mind. +It supports [control](control) and [policy](policy) design and can be organized in a [catalog](catalog) of [guideline](guideline)s. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/guideline.md b/content/en/guideline.md new file mode 100644 index 0000000..745c718 --- /dev/null +++ b/content/en/guideline.md 
@@ -0,0 +1,20 @@ +--- +title: Guideline +status: Completed +category: concept +tags: ["gemara"] +--- + +A guideline is an atomic element of a [guidance](guidance) [catalog](catalog); often includes explanatory context and recommendations for designing optimal implementations. + +## Problem it addresses + +[Guidance](guidance) is easier to use when it is broken into clear, reusable pieces. +Long documents without structure are hard to reference, maintain, or map to [control](control)s. + +## How it helps + +Guidelines give readers concrete, scoped advice they can apply to specific decisions. +They support consistent practice and make it easier to build [catalog](catalog)s and link [guidance](guidance) to [assessment requirement](assessment-requirement)s. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/intent-evaluation.md b/content/en/intent-evaluation.md new file mode 100644 index 0000000..727e3dd --- /dev/null +++ b/content/en/intent-evaluation.md 
@@ -0,0 +1,20 @@ +--- +title: Intent Evaluation +status: Completed +category: concept +tags: ["gemara"] +--- + +An intent evaluation is an [evaluation](evaluation) that checks whether a resource is prepared in line with [policy](policy), for example through training, configuration, or code. + +## Problem it addresses + +Organizations need to know whether systems and people are set up to comply before they are used. +Checking only behavior after the fact may be too late to prevent harm. + +## How it helps + +Intent evaluation focuses on readiness and design, complementing [behavior evaluation](behavior-evaluation), which focuses on what actually happens. +Together they support a fuller view of [compliance](compliance) and [risk](risk). + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/objective.md b/content/en/objective.md new file mode 100644 index 0000000..fa0045f --- /dev/null +++ b/content/en/objective.md 
@@ -0,0 +1,20 @@ +--- +title: Objective +status: Completed +category: concept +tags: ["gemara"] +--- + +An objective is a unified statement of intent that may encompass multiple situationally applicable statements or requirements. + +## Problem it addresses + +Teams need a way to state what they want to achieve without listing every possible case. +Long, fragmented requirement lists are hard to maintain and communicate. + +## How it helps + +An objective gives a clear, high-level goal that can be broken into [assessment requirement](assessment-requirement)s and [control](control)s. +It supports [policy](policy) and [evaluation](evaluation) by linking intent to verifiable conditions. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/opinion.md b/content/en/opinion.md new file mode 100644 index 0000000..2799d3c --- /dev/null +++ b/content/en/opinion.md 
@@ -0,0 +1,20 @@ +--- +title: Opinion +status: Completed +category: concept +tags: ["gemara"] +--- + +An opinion is a firmly held approximation of reality formed within the constraints of an evaluator's philosophy, perspective, and capabilities. + +## Problem it addresses + +[Evaluation](evaluation) and [assessment](assessment) are not purely mechanical; they involve judgment. +Stakeholders need to understand that findings reflect an opinion shaped by how and who evaluates. + +## How it helps + +Being explicit about opinion in [evaluation](evaluation) and [audit](audit) supports transparency and accountability. +It helps readers interpret [evaluation finding](evaluation-finding)s and [enforcement](enforcement) decisions. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/organization.md b/content/en/organization.md new file mode 100644 index 0000000..92300d6 --- /dev/null +++ b/content/en/organization.md 
@@ -0,0 +1,20 @@ +--- +title: Organization +status: Completed +category: concept +tags: ["gemara"] +--- + +An organization is any logical grouping of human, physical, virtual, and information resources, such as a company, business unit, or team. + +## Problem it addresses + +[Policy](policy), [risk](risk), and [compliance](compliance) only make sense in the context of some entity that sets rules and bears [risk](risk). +Without a clear idea of what an organization is, scope and accountability are unclear. + +## How it helps + +Defining organization as a logical grouping lets teams apply [governance](governance), [risk appetite](risk-appetite), and [policy](policy) at the right level. +It supports [GRC](grc) and [audit](audit) by clarifying who is responsible and what is in scope. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/policy.md b/content/en/policy.md new file mode 100644 index 0000000..1754561 --- /dev/null +++ b/content/en/policy.md 
@@ -0,0 +1,20 @@ +--- +title: Policy +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +A policy is a clearly scoped set of [rule](rule)s based on an [organization](organization)'s [risk appetite](risk-appetite). + +## Problem it addresses + +Organizations need to state what is allowed or required in a way that fits their tolerance for [risk](risk). +Unclear or unbounded rules are hard to enforce and [evaluate](evaluation). + +## How it helps + +Scoping policy and tying it to [risk appetite](risk-appetite) makes [compliance](compliance) and [audit](audit) meaningful. +It supports [control](control) design and [enforcement](enforcement) by linking [rule](rule)s to [organization](organization) intent. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/preventive-enforcement.md b/content/en/preventive-enforcement.md new file mode 100644 index 0000000..3c30fad --- /dev/null +++ b/content/en/preventive-enforcement.md 
@@ -0,0 +1,20 @@ +--- +title: Preventive Enforcement +status: Completed +category: concept +tags: ["gemara"] +--- + +Preventive enforcement is any action that interrupts another process which would otherwise cause non-compliance. + +## Problem it addresses + +Responding only after non-compliance occurs can be costly or too late. +Organizations need ways to block actions that would violate [policy](policy) or [control](control)s. + +## How it helps + +Preventive enforcement reduces [risk](risk) by interrupting processes that would lead to non-[compliance](compliance). +It complements [remediative enforcement](remediative-enforcement) and supports a fuller [enforcement](enforcement) strategy. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/remediative-enforcement.md b/content/en/remediative-enforcement.md new file mode 100644 index 0000000..b1fad4b --- /dev/null +++ b/content/en/remediative-enforcement.md 
@@ -0,0 +1,20 @@ +--- +title: Remediative Enforcement +status: Completed +category: concept +tags: ["gemara"] +--- + +Remediative enforcement is corrective action taken after non-compliance is found in a deployed activity. + +## Problem it addresses + +When [evaluation](evaluation) or [assessment](assessment) finds non-compliance, the [organization](organization) must be able to fix it. +Without a clear idea of corrective action, findings may not lead to improved [compliance](compliance). + +## How it helps + +Remediative enforcement ties [evaluation finding](evaluation-finding)s to concrete corrections. +It supports [continuous monitoring](continuous-monitoring) and [audit](audit) by closing gaps and reducing [residual risk](residual-risk). + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/residual-risk.md b/content/en/residual-risk.md new file mode 100644 index 0000000..32bbb42 --- /dev/null +++ b/content/en/residual-risk.md 
@@ -0,0 +1,20 @@ +--- +title: Residual Risk +status: Completed +category: concept +tags: ["gemara"] +--- + +Residual risk is the [risk](risk) that remains after [risk mitigation](risk-mitigation) and [enforcement](enforcement) actions have been applied. + +## Problem it addresses + +Not all [risk](risk) can be removed; some remains after [control](control)s and [policy](policy) are in place. +Organizations need a clear way to talk about what is left and whether it is acceptable. + +## How it helps + +Naming residual risk supports [risk acceptance](risk-acceptance) and [risk appetite](risk-appetite) decisions. +It helps [organization](organization)s be explicit about what they accept and what they will monitor or improve. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk-acceptance.md b/content/en/risk-acceptance.md new file mode 100644 index 0000000..0a6c9e5 --- /dev/null +++ b/content/en/risk-acceptance.md 
@@ -0,0 +1,20 @@ +--- +title: Risk Acceptance +status: Completed +category: concept +tags: ["gemara"] +--- + +Risk acceptance is a clearly documented decision to accept an unmitigated [risk](risk) as necessary or unavoidable. + +## Problem it addresses + +Not every [risk](risk) can or should be fully mitigated; some must be explicitly accepted. +Without documentation, accepted [risk](risk) can be forgotten or disputed later. + +## How it helps + +Risk acceptance ties [residual risk](residual-risk) and [risk appetite](risk-appetite) to a formal decision. +It supports [governance](governance) and [audit](audit) by making accepted [risk](risk) visible and accountable. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk-appetite.md b/content/en/risk-appetite.md new file mode 100644 index 0000000..a349665 --- /dev/null +++ b/content/en/risk-appetite.md 
@@ -0,0 +1,20 @@ +--- +title: Risk Appetite +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +Risk appetite is the amount of [risk](risk) an [organization](organization) is willing to accept in pursuit of its objectives. + +## Problem it addresses + +Organizations must decide how much [risk](risk) they will tolerate so that [policy](policy) and [control](control)s can be set accordingly. +Without a stated appetite, decisions about [risk acceptance](risk-acceptance) and [residual risk](residual-risk) are inconsistent. + +## How it helps + +Defining risk appetite gives a clear basis for [policy](policy) scope and [risk assessment](risk-assessment). +It supports [governance](governance) and [audit](audit) by making tolerance explicit. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk-assessment.md b/content/en/risk-assessment.md new file mode 100644 index 0000000..c254b55 --- /dev/null +++ b/content/en/risk-assessment.md 
@@ -0,0 +1,20 @@ +--- +title: Risk Assessment +status: Completed +category: concept +tags: ["gemara"] +--- + +Risk assessment is the process of identifying the potential or actual [risk](risk)s introduced by a system. + +## Problem it addresses + +Organizations need a structured way to understand what could go wrong before they set [policy](policy) or [control](control)s. +Without assessment, [risk mitigation](risk-mitigation) and [risk appetite](risk-appetite) lack a clear basis. + +## How it helps + +Risk assessment ties [capability](capabilities)s, [threat](threat)s, and [vulnerability](vulnerability)s to [risk](risk) so that [organization](organization)s can prioritize and respond. +It supports [risk catalog](risk-catalog)s and [policy](policy) design. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk-catalog.md b/content/en/risk-catalog.md new file mode 100644 index 0000000..5d965f5 --- /dev/null +++ b/content/en/risk-catalog.md 
@@ -0,0 +1,20 @@ +--- +title: Risk Catalog +status: Completed +category: concept +tags: ["gemara"] +--- + +A risk catalog is a group of related [risk](risk)s that are relevant to an [organization](organization), used to decide when and how [policy](policy) is created. + +## Problem it addresses + +[Risk](risk)s are easier to manage when they are collected and described in one place. +Scattered or ad hoc risk lists make it hard to align [policy](policy) and [risk appetite](risk-appetite). + +## How it helps + +A risk catalog supports [risk assessment](risk-assessment) and [governance](governance) by giving a shared view of what the [organization](organization) cares about. +It helps connect [threat](threat)s and [vulnerability](vulnerability)s to [policy](policy) and [control](control) decisions. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk-mitigation.md b/content/en/risk-mitigation.md new file mode 100644 index 0000000..4fba9ca --- /dev/null +++ b/content/en/risk-mitigation.md 
@@ -0,0 +1,20 @@ +--- +title: Risk Mitigation +status: Completed +category: concept +tags: ["gemara"] +--- + +Risk mitigation is the process of defining and taking actions to prevent [threat](threat)s or reduce their impact on [organization](organization) objectives. + +## Problem it addresses + +Identifying [risk](risk) is not enough; organizations must decide what to do about it. +Without a clear idea of mitigation, [risk assessment](risk-assessment) does not lead to [control](control)s or [policy](policy). + +## How it helps + +Risk mitigation connects [threat](threat)s and [vulnerability](vulnerability)s to [enforcement](enforcement) and [control](control) design. +It supports [residual risk](residual-risk) and [risk acceptance](risk-acceptance) by making it clear what has been addressed and what remains. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/risk.md b/content/en/risk.md new file mode 100644 index 0000000..f5196ec --- /dev/null +++ b/content/en/risk.md 
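Review bot: in risk-mitigation.md, "actions to prevent threats or reduce their impact" is narrower than the risk definition used in risk.md (impact and likelihood): a mitigation that lowers the likelihood of a threat being actualized without preventing it (rate limiting, MFA) fits neither clause. Suggest "defining and taking actions to reduce the likelihood that a threat is actualized or to reduce its impact on organization objectives", which lines the page up with risk.md and with the residual risk / risk acceptance links it already makes.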
@@ -0,0 +1,20 @@ +--- +title: Risk +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +Risk is the potential for loss or damage when a [threat](threat) is actualized, determined by calculating the impact of an event on an [organization](organization) and the likelihood of its occurrence. + +## Problem it addresses + +Organizations need a shared way to talk about what could go wrong and how much it matters. +Without a clear idea of risk, [policy](policy), [risk assessment](risk-assessment), and [risk mitigation](risk-mitigation) lack a common basis. + +## How it helps + +Defining risk in terms of [threat](threat) and impact supports [risk appetite](risk-appetite), [risk acceptance](risk-acceptance), and [residual risk](residual-risk) discussions. +It ties [governance](governance) and [compliance](compliance) to the potential for harm. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/rule.md b/content/en/rule.md new file mode 100644 index 0000000..aa866ac --- /dev/null +++ b/content/en/rule.md 
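Review bot: in risk.md, the definition says risk is determined from impact *and* likelihood, but "How it helps" then says "Defining risk in terms of threat and impact" and drops likelihood; since likelihood is exactly what risk appetite and risk acceptance discussions weigh against impact, the sentence should read "in terms of threat, impact, and likelihood". Separately, "determined by calculating" implies a quantitative score; if qualitative ratings are also in scope for this model, "estimating" or "weighing" would be the safer verb.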
@@ -0,0 +1,20 @@ +--- +title: Rule +status: Completed +category: concept +tags: ["gemara"] +--- + +A rule is an active, enforceable [policy](policy), regulation, or law. + +## Problem it addresses + +Organizations need a clear idea of what must be followed and what can be [evaluated](evaluation) and [enforced](enforcement). +Vague or inactive "rules" make [compliance](compliance) and [audit](audit) unclear. + +## How it helps + +Defining a rule as active and enforceable separates what is binding from general [guidance](guidance). +It supports [policy](policy), [control](control), and [compliance](compliance) by making obligations explicit. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/sensitive-activity.md b/content/en/sensitive-activity.md new file mode 100644 index 0000000..4cbd6b6 --- /dev/null +++ b/content/en/sensitive-activity.md @@ -0,0 +1,20 @@ +--- +title: Sensitive Activity +status: Completed +category: concept +tags: ["gemara"] +--- + +A sensitive activity is a type of action that introduces [risk](risk) to an [organization](organization). + +## Problem it addresses + +Organizations need to know which actions deserve extra [policy](policy), [control](control), or [evaluation](evaluation). +Treating all activities the same can leave high-[risk](risk) actions under-managed. + +## How it helps + +Naming sensitive activities helps focus [risk assessment](risk-assessment) and [control](control) design where they matter most. +It supports [governance](governance) and [compliance](compliance) by making risk-bearing actions explicit. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) 
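Review bot: in rule.md, `[evaluated](evaluation)` and `[enforced](enforcement)` put the inflected verb inside the link text, whereas the rest of this patch keeps the base term as the link text and appends any suffix outside the brackets (`[control](control)s`, `[risk](risk)s`); pick one convention, since these `[term](slug)` links appear to be meant to match page titles. The wording "what can be evaluated and enforced" could keep the base-term form as "what can be subject to [evaluation](evaluation) and [enforcement](enforcement)".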
diff --git a/content/en/threat.md b/content/en/threat.md new file mode 100644 index 0000000..84d8cc1 --- /dev/null +++ b/content/en/threat.md @@ -0,0 +1,20 @@ +--- +title: Threat +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +A threat is a circumstance or event where the concepts of a [vector](vector) are applied to a [capability](capabilities) in a specific context, resulting in the potential for negative impact. + +## Problem it addresses + +To manage [risk](risk), organizations must understand what can go wrong and in what context. +Vague or disconnected ideas about harm make [risk assessment](risk-assessment) and [control](control) design harder. + +## How it helps + +Defining threat as the application of [vector](vector) concepts to [capability](capabilities)s ties [risk](risk) to concrete system features and contexts. +It supports [risk mitigation](risk-mitigation), [policy](policy), and threat [catalog](catalog)s. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/vector.md b/content/en/vector.md new file mode 100644 index 0000000..cee7893 --- /dev/null +++ b/content/en/vector.md 
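Review bot: in threat.md, `threat [catalog](catalog)s` links to a `catalog` slug that no file in this patch defines, while the related page added here uses the slug `risk-catalog`; either add a catalog.md (or confirm one already exists) or point the link at an existing page so the site does not ship a dangling concept link. The `[capability](capabilities)` target in the definition and in "How it helps" has the same singular-vs-plural slug problem as risk-assessment.md.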
@@ -0,0 +1,20 @@ +--- +title: Vector +status: Completed +category: concept +tags: ["gemara", "grc", "fundamental"] +--- + +A vector is (1) an opportunity for an attacker to exploit a [vulnerability](vulnerability) in a system, or (2) a path by which neglect could result in unintentional negative outcomes. + +## Problem it addresses + +To manage [risk](risk) and [threat](threat)s, organizations must understand how harm can reach a system or outcome. +Vague ideas about "how things go wrong" make [guidance](guidance) and [control](control) design harder. + +## How it helps + +Defining vector supports [guidance](guidance) and [threat](threat) analysis by tying harm to specific paths and [capability](capabilities)s. +It helps connect [vulnerability](vulnerability)s and [threat](threat)s to [risk mitigation](risk-mitigation) and [policy](policy). + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/content/en/vulnerability.md b/content/en/vulnerability.md new file mode 100644 index 0000000..bac85b1 --- /dev/null +++ b/content/en/vulnerability.md 
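Review bot: vector.md is tagged `["gemara", "grc", "fundamental"]`, while threat.md, risk.md and vulnerability.md, which share the `fundamental` tag and are defined in terms of one another, carry only `["gemara", "fundamental"]`; if `grc` is meant to mark the core GRC vocabulary it should be applied to all four, otherwise it is unclear what distinguishes vector. Also, the two-part definition (attacker opportunity vs. path of neglect) is the only place in this patch that explicitly covers unintentional harm, so "How it helps" could say in one clause that vectors cover both malicious and accidental paths, since the threat.md and risk.md pages that build on it only talk about attackers implicitly.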
@@ -0,0 +1,20 @@ +--- +title: Vulnerability +status: Completed +category: concept +tags: ["gemara", "fundamental"] +--- + +A vulnerability is (1) a weakness in a system inherent in or associated with a [capability](capabilities) that can be exploited when used in unintended ways, or (2) a lack of [control](control) or gap in defense, introduced intentionally or unintentionally, which can be leveraged to cause harm. + +## Problem it addresses + +Organizations need a clear idea of what can be exploited or missed so they can design [control](control)s and [risk mitigation](risk-mitigation). +Vague or inconsistent use of "vulnerability" makes [threat](threat) and [risk assessment](risk-assessment) harder. + +## How it helps + +Defining vulnerability in relation to [capability](capabilities) and [control](control) supports [threat](threat) analysis and [guidance](guidance). +It helps tie [vector](vector)s and [risk](risk) to concrete weaknesses and [policy](policy) responses. + +Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/) diff --git a/wordlist.txt b/wordlist.txt index 3ea4ff0..f3446f2 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -59,8 +59,8 @@ csrc customizable CVE CVSS -CWE cwe +CWE CWEs cyber cybersecurity @@ -69,10 +69,10 @@ DAST datacenter datacenters datadog -DBA dba -DBaaS +DBA dbaas +DBaaS de Dechand declaratively @@ -81,8 +81,8 @@ decrypted definitions dependabot deployable -Dereference dereference +Dereference dereferences dereferencing details @@ -116,6 +116,7 @@ flaxman fu fuzzers gcp +gemara github gitops gmail @@ -138,11 +139,11 @@ inlinehilite interdependencies io iot -Ispas ispas +Ispas jason -Jihoon jihoon +Jihoon jonasbn jones josé @@ -223,8 +224,8 @@ Scanlon sce SDK SDKs -Seo seo +Seo seokho Sergej serverless
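Review bot: the wordlist.txt hunks change only the relative order of existing case variants (`cwe`/`CWE`, `dba`/`DBA`, `dbaas`/`DBaaS`, `dereference`/`Dereference`, `ispas`/`Ispas`, `jihoon`/`Jihoon`, `seo`/`Seo`); the one substantive change is the added `gemara` entry. This looks like the file was re-sorted under a different locale (lowercase before uppercase, as GNU `sort` orders under en_US.UTF-8, versus the uppercase-first byte order the file had), so the same lines will flip back the next time someone sorts under the other locale. Suggest either dropping the reorder lines and keeping only `+gemara`, or pinning the canonical order in the repo tooling (e.g. `LC_ALL=C sort -f`) so the wordlist stops churning. Also check whether the spell checker that consumes this list is case-sensitive: the new pages use the capitalized form `Gemara` in their source lines, while only lowercase `gemara` is being added.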