metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
capabilities is a list of capabilities defined by this catalog
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
Capability describes a system capability such as a feature, component or object.
description provides a detailed overview of this capability
Catalog describes a set of topically-associated entries
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
ControlCatalog describes a set of related controls and relevant metadata
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
controls is a list of unique controls defined by this catalog
assessment-requirements is a list of requirements that must be verified to confirm the control objective has been met
applicability is a list of strings describing the situations where this text functions as a requirement for its parent control
recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement
replaced-by references the assessment requirement that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
guidelines documents relationships between this control and Layer 1 guideline artifacts
ReferenceId should reference the corresponding MappingReference id from metadata
threats documents relationships between this control and Layer 2 threat artifacts
ReferenceId should reference the corresponding MappingReference id from metadata
replaced-by references the control that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
Control describes a safeguard or countermeasure with a clear objective and assessment requirements
assessment-requirements is a list of requirements that must be verified to confirm the control objective has been met
applicability is a list of strings describing the situations where this text functions as a requirement for its parent control
recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement
replaced-by references the assessment requirement that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
guidelines documents relationships between this control and Layer 1 guideline artifacts
ReferenceId should reference the corresponding MappingReference id from metadata
threats documents relationships between this control and Layer 2 threat artifacts
ReferenceId should reference the corresponding MappingReference id from metadata
replaced-by references the control that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
AssessmentRequirement describes a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator
applicability is a list of strings describing the situations where this text functions as a requirement for its parent control
recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement
replaced-by references the assessment requirement that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
EnforcementLog records actions taken in response to noncompliance findings from Layer 5 evaluations.
metadata provides detailed data about this log
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
disposition is the aggregate enforcement disposition across all actions in this log
actions is the list of enforcement actions performed

Enforce that Clear dispositions only contain Passed assessment results:

    [#ActionLog, ...#ActionLog] & [...{
        if disposition == "Clear" {
            justification: {
                assessments: [...{
                    result: "Passed"
                }]
            }
        }
    }]
    #ActionLog &
    {
        {
            if disposition == "Clear" {
                justification: {
                    assessments: [...{
                        result: "Passed"
                    }]
                }
            }
        }
    }

disposition is the enforcement action taken
method references the specific AcceptedMethod entry within the Policy being enforced
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
justification links the action to its assessment findings and any applicable exceptions
assessments links the action to one or more Assessment Findings
requirement maps to the Layer 2 assessment requirement that was evaluated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
plan maps to the Policy assessment plan that was executed
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
log maps to the EvaluationLog entry containing the finding
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
exceptions references approved Policy exceptions that authorize the action
ReferenceId should reference the corresponding MappingReference id from metadata
target identifies the resource being evaluated
environment describes where the resource exists (e.g., production, staging, development, specific region)
owner is the contact information for the person or group responsible for managing or owning this resource
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
ActionLog captures a performed enforcement action.
disposition is the enforcement action taken
method references the specific AcceptedMethod entry within the Policy being enforced
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
justification links the action to its assessment findings and any applicable exceptions
assessments links the action to one or more Assessment Findings
requirement maps to the Layer 2 assessment requirement that was evaluated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
plan maps to the Policy assessment plan that was executed
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
log maps to the EvaluationLog entry containing the finding
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
exceptions references approved Policy exceptions that authorize the action
ReferenceId should reference the corresponding MappingReference id from metadata
EnforcementStep is a reference to the code that performed an enforcement action
Entity represents a human or tool
description provides additional context about the entity
Actor represents an entity (human or tool) that performs actions in evaluations
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
EvaluationLog contains the results of evaluating a set of Layer 2 controls.
metadata provides detailed data about this log
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
    [#AssessmentLog, ...#AssessmentLog] & [...{
        requirement: {
            "reference-id": control."reference-id"
        }
    }]

Enforce that the control reference and the assessments' references match. This formulation uses the control's reference if the assessment doesn't include a reference.
Requirement should map to the assessment requirement for this assessment.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Plan maps to the policy assessment plan being executed.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Description provides a summary of the assessment procedure.
Applicability is elevated from the Layer 2 Assessment Requirement to aid in execution and reporting.
Steps-executed is the number of steps that were executed as part of the assessment.
Recommendation provides guidance on how to address a failed assessment.
ConfidenceLevel indicates the evaluator's confidence level in this specific assessment result.
target identifies the resource being evaluated
environment describes where the resource exists (e.g., production, staging, development, specific region)
owner is the contact information for the person or group responsible for managing or owning this resource
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
ControlEvaluation contains the results of evaluating a single Layer 5 control.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
    [#AssessmentLog, ...#AssessmentLog] & [...{
        requirement: {
            "reference-id": control."reference-id"
        }
    }]

Enforce that the control reference and the assessments' references match. This formulation uses the control's reference if the assessment doesn't include a reference.
Requirement should map to the assessment requirement for this assessment.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Plan maps to the policy assessment plan being executed.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Description provides a summary of the assessment procedure.
Applicability is elevated from the Layer 2 Assessment Requirement to aid in execution and reporting.
Steps-executed is the number of steps that were executed as part of the assessment.
Recommendation provides guidance on how to address a failed assessment.
ConfidenceLevel indicates the evaluator's confidence level in this specific assessment result.
AssessmentLog contains the results of executing a single assessment procedure for a control requirement.
Requirement should map to the assessment requirement for this assessment.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Plan maps to the policy assessment plan being executed.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Description provides a summary of the assessment procedure.
Applicability is elevated from the Layer 2 Assessment Requirement to aid in execution and reporting.
Steps-executed is the number of steps that were executed as part of the assessment.
Recommendation provides guidance on how to address a failed assessment.
ConfidenceLevel indicates the evaluator's confidence level in this specific assessment result.
Group represents a classification or grouping that can be used in different contexts with semantic meaning derived from its usage
description explains the significance and traits of entries to this group
GuidanceCatalog represents a concerted documentation effort to help bring about an optimal future without foreknowledge of the implementation details
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
front-matter provides introductory text for the document to be used during rendering
guidelines is a list of unique guidelines defined by this catalog
extends is an id for a guideline which this guideline adds to, in this document or elsewhere
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
applicability specifies the contexts in which this guideline applies
rationale provides the context for this guideline
importance is an explanation of why this guideline matters
statements is a list of structural sub-requirements within a guideline
recommendations is a list of non-binding suggestions to aid in evaluation or enforcement of the statement
principles documents the relationship between this guideline and one or more principles
ReferenceId should reference the corresponding MappingReference id from metadata
vector-mappings documents the relationship between this guideline and one or more vectors
ReferenceId should reference the corresponding MappingReference id from metadata
see-also lists related guideline IDs within the same GuidanceCatalog
replaced-by references the guideline that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
exemptions provides information about situations where this guidance is not applicable
description identifies who or what is exempt from the full guidance
redirect points to alternative guidelines or controls that should be followed instead
ReferenceId should reference the corresponding MappingReference id from metadata
GuidanceType restricts the possible types that a catalog may be listed as
Exemption describes a single scenario where the catalog is not applicable
description identifies who or what is exempt from the full guidance
redirect points to alternative guidelines or controls that should be followed instead
ReferenceId should reference the corresponding MappingReference id from metadata
Guideline provides explanatory context and recommendations for designing optimal outcomes
extends is an id for a guideline which this guideline adds to, in this document or elsewhere
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
applicability specifies the contexts in which this guideline applies
rationale provides the context for this guideline
importance is an explanation of why this guideline matters
statements is a list of structural sub-requirements within a guideline
recommendations is a list of non-binding suggestions to aid in evaluation or enforcement of the statement
principles documents the relationship between this guideline and one or more principles
ReferenceId should reference the corresponding MappingReference id from metadata
vector-mappings documents the relationship between this guideline and one or more vectors
ReferenceId should reference the corresponding MappingReference id from metadata
see-also lists related guideline IDs within the same GuidanceCatalog
replaced-by references the guideline that supersedes this one when deprecated or retired
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Justification provides the assessment data and exception references that justify an enforcement action.
assessments links the action to one or more Assessment Findings
requirement maps to the Layer 2 assessment requirement that was evaluated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
plan maps to the Policy assessment plan that was executed
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
log maps to the EvaluationLog entry containing the finding
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
exceptions references approved Policy exceptions that authorize the action
ReferenceId should reference the corresponding MappingReference id from metadata
AssessmentFinding maps an enforcement action to its originating assessment data across Layer 2, Layer 3, and Layer 5.
requirement maps to the Layer 2 assessment requirement that was evaluated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
plan maps to the Policy assessment plan that was executed
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
log maps to the EvaluationLog entry containing the finding
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Disposition enumerates the possible enforcement outcomes.
Lifecycle represents the lifecycle state of a guideline, control, or assessment requirement
Log describes a set of recorded entries from a measurement activity
metadata provides detailed data about this log
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
target identifies the resource being evaluated
environment describes where the resource exists (e.g., production, staging, development, specific region)
owner is the contact information for the person or group responsible for managing or owning this resource
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
MappingDocument captures the user's intent for how entries in a source artifact relate to entries in a target artifact
metadata provides detailed data about this document
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
applicability-groups is a list of groups used to classify within this artifact to specify scope
source-reference identifies the artifact being mapped from; must match a mapping-reference id
ReferenceId should reference the corresponding MappingReference id from metadata
target-reference identifies the artifact being mapped to; must match a mapping-reference id
ReferenceId should reference the corresponding MappingReference id from metadata
mappings is one or more atomic relationships between entries in the referenced artifacts
source identifies the entry being mapped from
entry-id identifies the specific entry in the referenced artifact
entry-type identifies what kind of atomic unit this entry is
target identifies the entry being mapped to; absent when relationship is no-match
relationship describes the nature or purpose of the mapping
applicability constrains the contexts in which this mapping holds
rationale explains why this relationship exists
MappingReference represents a reference to an external document with full metadata.
description is prose regarding the artifact's purpose or content
ReferenceId should reference the corresponding MappingReference id from metadata
Metadata represents common metadata fields shared across all layers
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
ArtifactType identifies the kind of Gemara artifact for unambiguous parsing

    "CapabilityCatalog" | "ControlCatalog" | "GuidanceCatalog" | "ThreatCatalog" | "RiskCatalog" | "Policy" | "MappingDocument" | "EvaluationLog" | "EnforcementLog" | "VectorCatalog"
MultiEntryMapping represents a mapping to an external reference with one or more entries.
ReferenceId should reference the corresponding MappingReference id from metadata
EntryMapping represents how a specific entry (control/requirement/procedure) maps to a MappingReference.
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Policy represents a policy document with metadata, contacts, scope, imports, implementation plan, risks, and adherence requirements.
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
responsible identifies the entities responsible for executing work to manage or mitigate the artifact
accountable identifies the entity ultimately accountable for the outcome
consulted identifies entities whose input is required when assessing or responding to the artifact
informed identifies entities that should be notified about changes to the artifact status
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
The updated applicability of the assessment requirement
The updated recommendation for the assessment requirement
Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").
Mitigated risks only need reference-id and risk-id (no justification required)
risk references the risk being mitigated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Accepted risks require rationale (justification) and may include scope. Controls addressing these risks are implicitly identified through threat mappings.
target-id optionally links this acceptance to a mitigated risk entry
risk references the risk being accepted
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
scope defines where the risk acceptance applies
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
justification explains why the risk is accepted
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
Resource represents an entity that exists in the system and can be evaluated
environment describes where the resource exists (e.g., production, staging, development, specific region)
owner is the contact information for the person or group responsible for managing or owning this resource
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
EntityType specifies what entity is interacting in the workflow
Contact is the contact information for a person or group
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
RACI defines the roles responsible for managing an artifact
responsible identifies the entities responsible for executing work to manage or mitigate the artifact
accountable identifies the entity ultimately accountable for the outcome
consulted identifies entities whose input is required when assessing or responding to the artifact
informed identifies entities that should be notified about changes to the artifact status
A RiskCatalog is a structured collection of documented risks that may affect an organization, system, or service. It provides a centralized reference for risks that can be mapped to threats and referenced by policies when documenting how those risks are mitigated or accepted.
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
groups narrows the base groups to risk categories with appetite and severity boundaries
groups contains a list of groups that can be referenced by entries in this catalog
description explains the significance and traits of entries to this group
max-severity defines the risk tolerance boundary: the highest severity the organization will accept within this category
ReferenceId should reference the corresponding MappingReference id from metadata
risks is a list of risks defined by this catalog
description explains the risk scenario
owner defines the RACI roles responsible for managing this risk
responsible identifies the entities responsible for executing work to manage or mitigate the artifact
accountable identifies the entity ultimately accountable for the outcome
consulted identifies entities whose input is required when assessing or responding to the artifact
informed identifies entities that should be notified about changes to the artifact status
threats link this risk to Layer 2 threats
ReferenceId should reference the corresponding MappingReference id from metadata
RiskCategory describes a grouping of risks and defines appetite boundaries
max-severity defines the risk tolerance boundary: the highest severity the organization will accept within this category
description explains the significance and traits of entries to this group
Scope defines what is included and excluded from policy applicability.
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
Dimensions specify the applicability criteria for a policy
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
Imports defines external policies, controls, and guidelines required by this policy.
The updated applicability of the assessment requirement
The updated recommendation for the assessment requirement
Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").
Risks defines mitigated and accepted risks addressed by this policy.
Mitigated risks only need reference-id and risk-id (no justification required)
risk references the risk being mitigated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
Accepted risks require rationale (justification) and may include scope. Controls addressing these risks are implicitly identified through threat mappings.
target-id optionally links this acceptance to a mitigated risk entry
risk references the risk being accepted
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
scope defines where the risk acceptance applies
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
justification explains why the risk is accepted
MitigatedRisk represents a risk addressed by the policy
risk references the risk being mitigated
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
AcceptedRisk documents a risk the organization has chosen to accept, optionally linking it to a mitigated risk when the acceptance covers residual risk after partial mitigation.
target-id optionally links this acceptance to a mitigated risk entry
risk references the risk being accepted
reference-id is the id for a MappingReference entry in the artifact's metadata
entry-id is the identifier being mapped to in the referenced artifact
scope defines where the risk acceptance applies
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
technologies is an optional list of technology categories or services
geopolitical is an optional list of geopolitical regions
sensitivity is an optional list of data classification levels
justification explains why the risk is accepted
Adherence defines evaluation methods, assessment plans, enforcement methods, and non-compliance notifications.
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
AssessmentPlan defines how a specific assessment requirement is evaluated.
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
AcceptedMethod defines a method for evaluation or enforcement.
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
Parameter defines a configurable parameter for assessment or enforcement activities.
GuidanceImport defines how to import guidance documents with optional exclusions and constraints.
Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").
CatalogImport defines how to import control catalogs with optional exclusions, constraints, and assessment requirement modifications.
The updated applicability of the assessment requirement
The updated recommendation for the assessment requirement
Constraint defines a prescriptive requirement that applies to a specific guidance or control.
Links to the specific Guidance or Control being constrained
AssessmentRequirementModifier allows organizations to customize assessment requirements based on how an organization wants to gather evidence for the objective.
The updated applicability of the assessment requirement
The updated recommendation for the assessment requirement
RiskAppetite defines the acceptable level of exposure for a risk category
A Risk represents the potential for negative impact resulting from one or more threats.
description explains the risk scenario
owner defines the RACI roles responsible for managing this risk
responsible identifies the entities responsible for executing work to manage or mitigate the artifact
accountable identifies the entity ultimately accountable for the outcome
consulted identifies entities whose input is required when assessing or responding to the artifact
informed identifies entities that should be notified about changes to the artifact status
threats link this risk to Layer 2 threats
ReferenceId should reference the corresponding MappingReference id from metadata
Statement represents a structural sub-requirement within a guideline; statements do not increase strictness, and all statements within a guideline apply together
recommendations is a list of non-binding suggestions to aid in evaluation or enforcement of the statement
Rationale provides a structured way to communicate a guideline author's intent
importance is an explanation of why this guideline matters
ThreatCatalog describes a set of topically-associated threats
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
threats is a list of threats defined by this catalog
description provides a detailed explanation of an opportunity for negative impact
capabilities documents the relationship between this threat and a system capability
ReferenceId should reference the corresponding MappingReference id from metadata
vectors documents the relationship between this threat and one or more vectors
ReferenceId should reference the corresponding MappingReference id from metadata
actors describes the relevant internal or external threat actors
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
Threat describes a specifically-scoped opportunity for a negative impact to the organization
description provides a detailed explanation of an opportunity for negative impact
capabilities documents the relationship between this threat and a system capability
ReferenceId should reference the corresponding MappingReference id from metadata
vectors documents the relationship between this threat and one or more vectors
ReferenceId should reference the corresponding MappingReference id from metadata
actors describes the relevant internal or external threat actors
contact is contact information for the actor
affiliation is the organization with which the contact entity is associated, such as a team, school, or employer
description provides additional context about the entity
metadata provides detailed data about this catalog
gemara-version declares which version of the Gemara specification this artifact conforms to
description provides a high-level summary of the artifact's purpose and scope
mapping-references is a list of external documents referenced within this artifact
description is prose regarding the artifact's purpose or content
applicability-groups is a list of groups used to classify within this artifact to specify scope
groups contains a list of groups that can be referenced by entries in this catalog
ReferenceId should reference the corresponding MappingReference id from metadata
vectors is a list of attack vectors documented in this catalog
description explains how the attack vector works
applicability specifies the contexts in which this vector can manifest
A Vector represents a method, pathway, or technique through which a threat may be realized or an attack may be carried out.
description explains how the attack vector works
applicability specifies the contexts in which this vector can manifest
_MappingStrict layers the "target required when not no-match" rule on top of #Mapping
    #Mapping & {
        @go(-)
        {
            relationship: #RelationshipType
            if relationship != "no-match" {
                target: #TypedEntry
            }
        }
    }
source identifies the entry being mapped from
entry-id identifies the specific entry in the referenced artifact
entry-type identifies what kind of atomic unit this entry is
target identifies the entry being mapped to; absent when relationship is no-match
relationship describes the nature or purpose of the mapping
applicability constrains the contexts in which this mapping holds
rationale explains why this relationship exists
Mapping represents an atomic relationship between a source entry and an optional target entry
source identifies the entry being mapped from
entry-id identifies the specific entry in the referenced artifact
entry-type identifies what kind of atomic unit this entry is
target identifies the entry being mapped to; absent when relationship is no-match
entry-id identifies the specific entry in the referenced artifact
entry-type identifies what kind of atomic unit this entry is
relationship describes the nature or purpose of the mapping
applicability constrains the contexts in which this mapping holds
rationale explains why this relationship exists
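The "target required when not no-match" rule above is the kind of invariant a consumer has to check when it decodes mappings outside of CUE. The following Go program is an added example, not Gemara's own code: it mirrors the Mapping fields described here (source, target, relationship, entry-id, entry-type) and applies that rule to a decoded JSON document; the entry-type and relationship values in the sample are constructed placeholders, not the specification's enumerations.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// EntryReference carries the entry-id and entry-type fields described on the page.
type EntryReference struct {
	EntryID   string `json:"entry-id"`
	EntryType string `json:"entry-type"`
}

// Mapping mirrors the page's Mapping fields; Target is a pointer so "absent" is representable.
type Mapping struct {
	Source       EntryReference  `json:"source"`
	Target       *EntryReference `json:"target,omitempty"`
	Relationship string          `json:"relationship"`
}

// ValidateStrict applies the _MappingStrict rule: every relationship except "no-match"
// requires a target, and a no-match mapping must not carry one.
func ValidateStrict(m Mapping) error {
	switch {
	case m.Relationship == "":
		return errors.New("relationship is required")
	case m.Relationship == "no-match" && m.Target != nil:
		return errors.New("target must be absent when relationship is no-match")
	case m.Relationship != "no-match" && m.Target == nil:
		return fmt.Errorf("target is required when relationship is %q", m.Relationship)
	case m.Target != nil && (m.Target.EntryID == "" || m.Target.EntryType == ""):
		return errors.New("target needs both entry-id and entry-type")
	}
	return nil
}

// ValidateJSON decodes one mapping document and checks it with ValidateStrict.
func ValidateJSON(doc string) error {
	var m Mapping
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return err
	}
	return ValidateStrict(m)
}

func main() {
	// Constructed sample; "control" and "mitigates" are placeholders, not the spec's enum values.
	fmt.Println(ValidateJSON(`{"source":{"entry-id":"CTRL-1","entry-type":"control"},"relationship":"mitigates"}`))
}
```

Running it reports the missing target; a no-match mapping with no target passes, and a no-match mapping that does carry a target is rejected.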
RelationshipType enumerates the nature of the mapping between entries.
EntryReference identifies a specific entry within a referenced artifact
entry-id identifies the specific entry in the referenced artifact
entry-type identifies what kind of atomic unit this entry is
EntryType enumerates the atomic units within Gemara artifacts that can participate in mappings
ConfidenceLevel indicates the evaluator's confidence level in an assessment result.
CapabilityCatalog describes a collection of system capabilities