ossf · hbraswelrh · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
@@ -0,0 +1,20 @@
+---
+title: Assessment Requirement
+status: Completed
+category: concept
+tags: ["gemara", "grc"]
+---
+
+An assessment requirement is a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator.
+
+## Problem it addresses
+
+Broad or vague rules are hard to verify and lead to inconsistent judgments.
+Teams need conditions that are specific enough to be tested and agreed upon.
+
+## How it helps
+
+Tightly scoped, verifiable requirements give evaluators a clear target.
+They support consistent [assessment](assessment) and [evaluation](evaluation) and make it easier to automate checks.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Assessment
+status: Completed
+category: concept
+tags: ["gemara", "grc"]
+---
+
+An assessment is (1) the process of determining whether an outcome meets the actor's intent, or (2) an atomic process within an [evaluation](evaluation) used to determine a resource's [compliance](compliance) with an [assessment requirement](assessment-requirement).
+
+## Problem it addresses
+
+Organizations need to know whether their systems and processes actually meet the rules they have set.
+A single, repeatable way to answer "did we meet this requirement?" is missing without a clear idea of what an assessment is.
+
+## How it helps
+
+Defining assessment as a process (or an atomic step within evaluation) gives teams a shared way to check [compliance](compliance).
+It separates the act of judging from the broader [evaluation](evaluation) and from the requirements being checked.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Audit
+status: Completed
+category: concept
+tags: ["gemara", "grc"]
+---
+
+An audit is a formal, opinionated review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met.
-An audit is a formal, opinionated review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met.
+An audit is a formal review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met.
-An audit is a formal, opinionated review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met.
+An audit is a formal review of an organization's [policy](policy) and posture, conducted at a specific point in time to verify that established requirements are met.
+
+## Problem it addresses
+
+Stakeholders need independent assurance that an organization follows its own rules and meets external expectations.
+Without a defined audit practice, it is unclear who checks what and when.
+
+## How it helps
+
+A formal audit at a point in time provides a snapshot of [compliance](compliance) and gaps.
+It supports accountability and helps organizations improve their [policy](policy) and [control](control) implementation.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Behavior Evaluation
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+A behavior evaluation is an opinionated observation of actions that are simulated or that occur in real use.
-A behavior evaluation is an opinionated observation of actions that are simulated or that occur in real use.
+A behavior evaluation is an observation of actions that are simulated or that occur in real use.
-A behavior evaluation is an opinionated observation of actions that are simulated or that occur in real use.
+A behavior evaluation is an observation of actions that are simulated or that occur in real use.
+
+## Problem it addresses
+
+Policies and [control](control)s are only as good as how people and systems actually behave.
+Organizations need a way to judge behavior, not only written configuration or design.
+
+## How it helps
+
+Observing simulated or real-world behavior supports [evaluation](evaluation) of whether actions align with [assessment requirement](assessment-requirement)s.
+It complements [intent evaluation](intent-evaluation) by focusing on what happens in practice.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -2,9 +2,21 @@
 title: Capabilities
 status: Completed
 category: concept
-tags: ["fundamental", "", ""]
+tags: ["fundamental", "gemara"]
 ---
 
-Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable.
+a. A capability is a feature or function of a system; the primary component comprising an attack surface.
 
-Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html
+b. Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable.
-b. Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable.
+b. In some systems, such as the Linux kernel, a capability is a non-overlapping subbset of UNIX root privilege that can be individually assigned where higher granularity than root/non-root is desired.
+c. In some systems, such as seL4, a capability is a communicable, unforgeable token of authority.
-b. Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable.
+b. In some systems, such as the Linux kernel, a capability is a non-overlapping subbset of UNIX root privilege that can be individually assigned where higher granularity than root/non-root is desired.
+c. In some systems, such as seL4, a capability is a communicable, unforgeable token of authority.
+
+## Problem it addresses
+
+a. To manage [risk](risk) and [threat](threat)s, you must know what a system can do.
+Vague or incomplete descriptions of functionality make it hard to identify where things can go wrong.
+
+## How it helps
+
+a. Naming capabilities makes it possible to map [threat](threat)s and [vulnerability](vulnerability)s to specific functions. It supports [risk assessment](risk-assessment) and the design of [control](control)s that protect or constrain those capabilities.
+
+Source (a): [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/). 
+Source (b): Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html
@@ -0,0 +1,20 @@
+---
+title: Catalog
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+A catalog is a structured set of related prose and relevant metadata, such as [guidance](guidance), [control](control)s, or [threat](threat)s.
+
+## Problem it addresses
+
+Scattered or ad hoc lists of rules, [guideline](guideline)s, or [control](control)s are hard to maintain and reuse.
+Organizations need a consistent way to group and reference related items.
+
+## How it helps
+
+A catalog gives a single place to store and version related content.
+It supports reuse across [policy](policy), [evaluation](evaluation), and tooling and makes it easier to align with standards.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Compliance
+status: Completed
+category: concept
+tags: ["gemara", "grc"]
+---
+
+Compliance is adherence to a [rule](rule) or set of rules.
+
+## Problem it addresses
+
+Organizations need a simple way to say whether something meets the requirements they have set.
+Without a clear idea of compliance, it is hard to judge the results of [assessment](assessment) and [evaluation](evaluation).
+
+## How it helps
+
+Defining compliance as adherence to rules gives a shared standard for [evaluation](evaluation) and [enforcement](enforcement).
+It supports [policy](policy) and [audit](audit) by making it clear what "meets the requirement" means.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Continuous Monitoring
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+Continuous monitoring is a multi-system process that gathers [evaluation](evaluation) and operational data over time to detect non-compliance and malicious activity, support [remediative enforcement](remediative-enforcement), and track trends.
+
+## Problem it addresses
+
+Point-in-time checks can miss issues that appear between reviews.
+Organizations need ongoing visibility into [compliance](compliance) and security to respond quickly.
+
+## How it helps
+
+Ongoing collection of data supports faster detection of problems and [enforcement](enforcement) actions.
+It complements [audit](audit)s and helps organizations understand how their posture changes over time.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Control
+status: Completed
+category: concept
+tags: ["gemara", "fundamental"]
+---
+
+A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that asserts desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state.
-A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that asserts desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state.
+A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that enforces or asserts a desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state.
-A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that asserts desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state.
+A control can mean: (1) an organization's ability to fully assert desired state on a system, resource, or state; (2) a mechanism such as a safeguard or countermeasure that enforces or asserts a desired state; or (3) prose describing the [objective](objective) and [assessment requirement](assessment-requirement)s associated with a desired state.
+
+## Problem it addresses
+
+Without a shared idea of what a control is, people mix up the ability to govern, the mechanisms that enforce it, and the documentation that describes it.
+That leads to unclear [policy](policy) and [evaluation](evaluation) expectations.
+
+## How it helps
+
+Clarifying these three senses of control helps teams align on intent, implementation, and evidence.
+It supports [compliance](compliance) checking and [enforcement](enforcement) by tying requirements to concrete mechanisms and documentation.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Enforcement
+status: Completed
+category: concept
+tags: ["gemara", "fundamental"]
+---
+
+Enforcement is an action taken in response to non-compliance findings and their causes.
+
+## Problem it addresses
+
+Finding non-compliance is only useful if the organization can act on it.
+Without a clear idea of enforcement, responses may be inconsistent or delayed.
+
+## How it helps
+
+Defining enforcement as the response to non-compliance links [evaluation](evaluation) and [assessment](assessment) findings to concrete actions.
+It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance).
-It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance).
+This may include changes to prevent future issues, remediating past results, and penalties for non-compliance.
+It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance).
-It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance).
+This may include changes to prevent future issues, remediating past results, and penalties for non-compliance.
+It supports [preventive enforcement](preventive-enforcement) and [remediative enforcement](remediative-enforcement) and helps close gaps in [compliance](compliance).
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Evaluation Finding
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+An evaluation finding is the evidence and opinionated result of an [assessment](assessment).
-An evaluation finding is the evidence and opinionated result of an [assessment](assessment).
+An evaluation finding is the evidence and adjudicated result of an [assessment](assessment).
-An evaluation finding is the evidence and opinionated result of an [assessment](assessment).
+An evaluation finding is the evidence and adjudicated result of an [assessment](assessment).
+
+## Problem it addresses
+
+[Evaluation](evaluation) must produce something that others can use for [enforcement](enforcement), [audit](audit), or improvement.
+Raw data without structure or [opinion](opinion) is hard to act on.
-Raw data without structure or [opinion](opinion) is hard to act on.
+Raw data without structure or [judgment](judgment) is hard to act on.
-Raw data without structure or [opinion](opinion) is hard to act on.
+Raw data without structure or [judgment](judgment) is hard to act on.
+
+## How it helps
+
+Findings bundle evidence with a clear result so that stakeholders can see what was checked and what was concluded.
+They support accountability and traceability from [assessment requirement](assessment-requirement)s to outcomes.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Evaluation
+status: Completed
+category: concept
+tags: ["gemara", "fundamental"]
+---
+
+Evaluation is the manual or automated process of forming an [opinion](opinion) on the state of [compliance](compliance), using a set of [assessment requirement](assessment-requirement)s as a guide.
+
+## Problem it addresses
+
+Organizations need a consistent way to judge whether resources meet their [policy](policy) and [control](control)s.
+Ad hoc or inconsistent checks make it hard to trust results or improve over time.
+
+## How it helps
+
+Evaluation ties [assessment](assessment)s to explicit requirements and produces findings that support [enforcement](enforcement) and [audit](audit).
+It can be manual or automated, so teams can scale and repeat the process.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Governance
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+Governance is the strategic oversight of an [organization](organization) and its activities.
+
+## Problem it addresses
+
+Without clear oversight, decisions and actions may be inconsistent or misaligned with [policy](policy) and [risk appetite](risk-appetite).
+Stakeholders need a shared idea of who sets direction and how it is carried out.
+
+## How it helps
+
+Defining governance as strategic oversight clarifies the link between [organization](organization) goals and day-to-day [compliance](compliance) and [enforcement](enforcement).
+It supports [GRC](grc) programs and [audit](audit) by making accountability explicit.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,21 @@
+---
+title: GRC
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+GRC stands for Governance, Risk, and Compliance.
+It can mean (1) the domain of [governance](governance), [risk](risk), and [compliance](compliance) in cybersecurity, or (2) a coordinated program that addresses these areas within a business unit.
+
+## Problem it addresses
+
+Organizations need a shared way to talk about oversight, [risk](risk) management, and adherence to [rule](rule)s.
+Without a common term, teams may treat these as separate concerns and miss connections.
+
+## How it helps
+
+Using GRC as a shared label helps align [policy](policy), [risk assessment](risk-assessment), and [audit](audit) efforts.
+It supports the design of programs that integrate [governance](governance), [risk](risk), and [compliance](compliance) activities.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
-Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
+[NIST Cyber Security Resource Center Glosssary, GRC](https://csrc.nist.gov/glossary/term/grc)
-Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
+[NIST Cyber Security Resource Center Glosssary, GRC](https://csrc.nist.gov/glossary/term/grc)
@@ -0,0 +1,20 @@
+---
+title: Guidance
+status: Completed
+category: concept
+tags: ["gemara", "fundamental"]
+---
+
+Guidance is prose meant to help achieve a desired outcome for a topic or general scenario, based on knowledge of relevant [vector](vector)s.
+
+## Problem it addresses
+
+Teams need practical direction that is informed by how systems can be misused or neglected.
+Generic advice that ignores [vulnerability](vulnerability) and [threat](threat)s is less useful for security and [risk](risk) management.
+
+## How it helps
+
+Guidance that references [vector](vector)s helps readers design and operate systems with known risks in mind.
+It supports [control](control) and [policy](policy) design and can be organized in a [catalog](catalog) of [guideline](guideline)s.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Guideline
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+A guideline is an atomic element of a [guidance](guidance) [catalog](catalog); often includes explanatory context and recommendations for designing optimal implementations.
+
+## Problem it addresses
+
+[Guidance](guidance) is easier to use when it is broken into clear, reusable pieces.
+Long documents without structure are hard to reference, maintain, or map to [control](control)s.
+
+## How it helps
+
+Guidelines give readers concrete, scoped advice they can apply to specific decisions.
+They support consistent practice and make it easier to build [catalog](catalog)s and link [guidance](guidance) to [assessment requirement](assessment-requirement)s.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Intent Evaluation
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+An intent evaluation is an [evaluation](evaluation) that checks whether a resource is prepared in line with [policy](policy), for example through training, configuration, or code.
+
+## Problem it addresses
+
+Organizations need to know whether systems and people are set up to comply before they are used.
+Checking only behavior after the fact may be too late to prevent harm.
+
+## How it helps
+
+Intent evaluation focuses on readiness and design, complementing [behavior evaluation](behavior-evaluation), which focuses on what actually happens.
+Together they support a fuller view of [compliance](compliance) and [risk](risk).
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)
@@ -0,0 +1,20 @@
+---
+title: Objective
+status: Completed
+category: concept
+tags: ["gemara"]
+---
+
+An objective is a unified statement of intent that may encompass multiple situationally applicable statements or requirements.
+
+## Problem it addresses
+
+Teams need a way to state what they want to achieve without listing every possible case.
+Long, fragmented requirement lists are hard to maintain and communicate.
+
+## How it helps
+
+An objective gives a clear, high-level goal that can be broken into [assessment requirement](assessment-requirement)s and [control](control)s.
+It supports [policy](policy) and [evaluation](evaluation) by linking intent to verifiable conditions.
+
+Source: [Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment](https://openssf.org/resources/gemara-a-governance-risk-and-compliance-engineering-model-for-automated-risk-assessment/)