Discover modules > github.com/gemaraproj/gemara
v1.3.0
#AuditLog: ¶

AuditLog records results from an audit performed against a target resource

metadata: ¶
type: "AuditLog" ¶
owner?: #RACI ¶

owner defines the RACI roles responsible for managing the audit

summary: string ¶

summary provides the high-level conclusion

criteria: [#ArtifactMapping, ...#ArtifactMapping] ¶

criteria defines the acceptable state for the audited resource

results: [#AuditResult, ...#AuditResult] ¶

results records audit results against the criteria

#ResultType: "Gap" | "Finding" | "Observation" | "Strength" ¶

ResultType classifies the nature of an audit result

#AuditResult: ¶

AuditResult records a single result with supporting evidence and recommendations.

id: string ¶

id uniquely identifies this result

title: string ¶

title describes this result at a glance

type: #ResultType ¶

type classifies the nature of this result

description: string ¶

description explains the result in detail

"criteria-reference": #MultiEntryMapping ¶

criteria-reference maps this result to specific criteria entries

evidence?: [#Evidence, ...#Evidence] ¶

evidence records the data sources that support this result

recommendations?: [#Recommendation, ...#Recommendation] ¶

recommendations records corrective actions for this result

#Recommendation: ¶

Recommendation provides a corrective action for an audit result

id?: string ¶

id uniquely identifies this recommendation

text: string ¶

text describes the recommended corrective action

required: *false | bool ¶

required indicates whether this recommendation is a mandatory corrective action

#Evidence: ¶

Evidence records what was cited to support an opinion for a specific activity: raw data for the evaluation layer, evaluation and enforcement artifacts for the audit layer.

id: string ¶

id uniquely identifies this evidence

type: #EvidenceType ¶

type categorizes the kind of evidence

"collected-at": #Datetime ¶

collected-at is the timestamp when the evidence was gathered

payload?: _ ¶

payload is the raw evidence data collected

description?: string ¶

description explains what this evidence represents

#EvidenceType: #ArtifactType | string ¶

EvidenceType categorizes the kind of evidence. It remains an open enum: recommended values include artifact types already known to Gemara (e.g. EvaluationLog, EnforcementLog) plus categories for common evidence forms.

#CapabilityCatalog: ¶

CapabilityCatalog describes a collection of system capabilities

metadata: ¶
type: "CapabilityCatalog" ¶
capabilities?: [#Capability, ...#Capability] ¶

capabilities is a list of capabilities defined by this catalog

#Capability: ¶

Capability describes a system capability such as a feature, component or object.

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes this capability at a glance

description: string ¶

description provides a detailed overview of this capability

group: string ¶

group references by id a catalog group that this capability belongs to

#Catalog: ¶

Catalog describes a set of topically-associated entries

title: string ¶

title describes the purpose of this catalog at a glance

metadata: #Metadata ¶

metadata provides detailed data about this catalog

groups?: [#Group, ...#Group] ¶

groups contains a list of groups that can be referenced by entries in this catalog

extends?: [...#ArtifactMapping] ¶

extends references catalogs that this catalog builds upon

imports?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶
#Log: ¶

Log describes a set of recorded entries from a measurement activity

metadata: #Metadata ¶

metadata provides detailed data about this log

target: #Resource ¶

target identifies the resource being evaluated

#Lifecycle: *"Active" | "Draft" | "Deprecated" | "Retired" ¶

Lifecycle represents the lifecycle state of a guideline, control, or assessment requirement

#ConfidenceLevel: "Undetermined" | "Low" | "Medium" | "High" ¶

ConfidenceLevel indicates the evaluator's confidence level in an assessment result.

#ControlCatalog: ¶

ControlCatalog describes a set of related controls and relevant metadata

metadata: ¶
type: "ControlCatalog" ¶
controls?: [#Control, ...#Control] ¶

controls is a list of unique controls defined by this catalog

#Control: ¶

Control describes a safeguard or countermeasure with a clear objective and assessment requirements

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes the purpose of this control at a glance

objective: string ¶

objective is a unified statement of intent, which may encompass multiple situationally applicable requirements

group: string ¶

group references by id a catalog group that this control belongs to

"assessment-requirements": [#AssessmentRequirement, ...#AssessmentRequirement] ¶

assessment-requirements is a list of requirements that must be verified to confirm the control objective has been met

guidelines?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

guidelines documents relationships between this control and Layer 1 guideline artifacts

threats?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

threats documents relationships between this control and Layer 2 threat artifacts

state: #Lifecycle ¶

state is the lifecycle state of this control

"replaced-by"?: #EntryMapping ¶

replaced-by references the control that supersedes this one when deprecated or retired

#AssessmentRequirement: ¶

AssessmentRequirement describes a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator

id: string ¶

id allows this entry to be referenced by other elements

text: string ¶

text is the body of the requirement, typically written as a MUST condition

applicability: [string, ...string] ¶

applicability is a list of strings describing the situations where this text functions as a requirement for its parent control

recommendation?: string ¶

recommendation provides readers with non-binding suggestions to aid in evaluation or enforcement of the requirement

state: #Lifecycle ¶

state is the lifecycle state of this assessment requirement

"replaced-by"?: #EntryMapping ¶

replaced-by references the assessment requirement that supersedes this one when deprecated or retired

#EnforcementLog: ¶

EnforcementLog records actions taken in response to noncompliance findings from Layer 5 evaluations.

metadata: ¶
type: "EnforcementLog" ¶
disposition: #Disposition ¶

disposition is the aggregate enforcement disposition across all actions in this log

actions: [#ActionResult, ...#ActionResult] ¶

actions is the list of enforcement actions performed

actions:
click to see definition
[...{
	if disposition == "Clear" {
		justification: assessments: [...{result: "Passed"}]
	}
}]
¶

Enforce that Clear dispositions only contain Passed assessment results

#ActionResult: ¶

ActionResult captures a performed enforcement action.

disposition: #Disposition ¶

disposition is the enforcement action taken

method: #EntryMapping ¶

method references the specific AcceptedMethod entry within the Policy being enforced

message?: string ¶

message provides additional context about the action

start: #Datetime ¶

start is the timestamp when the enforcement action began

end?: #Datetime ¶

end is the timestamp when the enforcement action concluded

steps: [#EnforcementStep, ...#EnforcementStep] ¶

steps references the code paths or addresses that carried out this enforcement action

justification: #Justification ¶

justification links the action to its assessment findings and any applicable exceptions

#EnforcementStep: string ¶

EnforcementStep is a reference to the code that performed an enforcement action

#Justification: ¶

Justification provides the assessment data and exception references that justify an enforcement action.

assessments: [#AssessmentFinding, ...#AssessmentFinding] ¶

assessments links the action to one or more Assessment Findings

exceptions?: [#ArtifactMapping, ...#ArtifactMapping] ¶

exceptions references approved Policy exceptions that authorize the action

#AssessmentFinding: ¶

AssessmentFinding maps an enforcement action to its originating assessment data across Layer 2, Layer 3, and Layer 5.

result: #Result ¶

result is the assessment outcome that triggered the enforcement action

requirement?: #EntryMapping ¶

requirement maps to the Layer 2 assessment requirement that was evaluated

plan?: #EntryMapping ¶

plan maps to the Policy assessment plan that was executed

log: #EntryMapping ¶

log maps to the EvaluationLog entry containing the finding

#Disposition:
click to see definition
// Enforcement outcome could not be determined.
"Undetermined" |
// Findings existed and actions were taken.
"Enforced" |
// Findings existed but were accepted without action.
"Tolerated" |
// No findings, nothing to act on.
"Clear"
¶

Disposition enumerates the possible enforcement outcomes.

#Entity: ¶

Entity represents a human or tool

id: string ¶

id uniquely identifies the entity and allows this entry to be referenced by other elements

name: string ¶

name is the name of the entity

type: #EntityType ¶

type specifies the type of entity interacting in the workflow

version?: string ¶

version is the version of the entity (for tools; if applicable)

description?: string ¶

description provides additional context about the entity

uri?: =~"^https?://[^\\s]+$" ¶

uri is a general URI for the entity information

#Actor: ¶

Actor represents an entity (human or tool) that performs actions in evaluations

contact?: #Contact ¶

contact is contact information for the actor

#Resource: ¶

Resource represents an entity that exists in the system and can be evaluated

environment?: string ¶

environment describes where the resource exists (e.g., production, staging, development, specific region)

owner?: #Contact ¶

owner is the contact information for the person or group responsible for managing or owning this resource

#EntityType: "Human" | "Software" | "Software Assisted" ¶

EntityType specifies what entity is interacting in the workflow

#Contact: ¶

Contact is the contact information for a person or group

name: string ¶

name is the preferred descriptor for the contact entity

affiliation?: string ¶

affiliation is the organization with which the contact entity is associated, such as a team, school, or employer

email?: #Email ¶

email is the preferred email address to reach the contact

social?: string ¶

social is a social media handle or other profile for the contact, such as GitHub

#Email: =~"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$" ¶

Email represents a validated email address pattern

#RACI: ¶

RACI defines the roles responsible for managing an artifact

responsible: [#Contact, ...#Contact] ¶

responsible identifies the entities responsible for executing work to manage or mitigate the artifact

accountable: [#Contact, ...#Contact] ¶

accountable identifies the entity ultimately accountable for the outcome

consulted?: [#Contact, ...#Contact] ¶

consulted identifies entities whose input is required when assessing or responding to the artifact

informed?: [#Contact, ...#Contact] ¶

informed identifies entities that should be notified about changes to the artifact status

#EvaluationLog: ¶

EvaluationLog contains the results of evaluating a set of Layer 2 controls.

metadata: ¶
type: "EvaluationLog" ¶
result: #Result ¶

result is the aggregate outcome across all evaluations in this log

evaluations: [#ControlEvaluation, ...#ControlEvaluation] ¶
#ControlEvaluation: ¶

ControlEvaluation contains the results of evaluating a single Layer 5 control.

name: string ¶
result: #Result ¶
message: string ¶
control: #EntryMapping ¶
"assessment-logs": [#AssessmentLog, ...#AssessmentLog] ¶
"assessment-logs": [...{ requirement: "reference-id": (control."reference-id") }] ¶

Enforce that control reference and the assessments' references match This formulation uses the control's reference if the assessment doesn't include a reference

#AssessmentLog: ¶

AssessmentLog contains the results of executing a single assessment procedure for a control requirement.

requirement: #EntryMapping ¶

Requirement should map to the assessment requirement for this assessment.

plan?: #EntryMapping ¶

Plan maps to the policy assessment plan being executed.

description: string ¶

Description provides a summary of the assessment procedure.

result: #Result ¶

Result is the overall outcome of the assessment procedure, matching the result of the last step that was run.

message: string ¶

Message provides additional context about the assessment result.

applicability: [string, ...string] ¶

Applicability is elevated from the Layer 2 Assessment Requirement to aid in execution and reporting.

steps: [#AssessmentStep, ...#AssessmentStep] ¶

Steps are sequential actions taken as part of the assessment, which may halt the assessment if a failure occurs.

"steps-executed"?: int ¶

Steps-executed is the number of steps that were executed as part of the assessment.

start: #Datetime ¶

Start is the timestamp when the assessment began.

end?: #Datetime ¶

End is the timestamp when the assessment concluded.

recommendation?: string ¶

Recommendation provides guidance on how to address a failed assessment.

"confidence-level"?: #ConfidenceLevel ¶

ConfidenceLevel indicates the evaluator's confidence level in this specific assessment result.

evidence?: [#Evidence, ...#Evidence] ¶

Evidence records the raw data cited to support this assessment's opinion.

#AssessmentStep: string ¶
#Result: "Not Run" | "Passed" | "Failed" | "Needs Review" | "Not Applicable" | "Unknown" ¶
#GuidanceCatalog: ¶

GuidanceCatalog represents a concerted documentation effort to help bring about an optimal future without foreknowledge of the implementation details

metadata: ¶
type: "GuidanceCatalog" ¶
type: #GuidanceType ¶

type categorizes this document based on the intent of its contents

"front-matter"?: string ¶

front-matter provides introductory text for the document to be used during rendering

guidelines?: [#Guideline, ...#Guideline] ¶

guidelines is a list of unique guidelines defined by this catalog

exemptions?: [#Exemption, ...#Exemption] ¶

exemptions provides information about situations where this guidance is not applicable

#GuidanceType: "Standard" | "Regulation" | "Best Practice" | "Framework" ¶

GuidanceType restricts the possible types that a catalog may be listed as

#Exemption: ¶

Exemption describes a single scenario where the catalog is not applicable

description: string ¶

description identifies who or what is exempt from the full guidance

reason: string ¶

reason explains why the exemption is granted

redirect?: #MultiEntryMapping ¶

redirect points to alternative guidelines or controls that should be followed instead

#Guideline: ¶

Guideline provides explanatory context and recommendations for designing optimal outcomes

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes the contents of this guideline

objective: string ¶

objective is a unified statement of intent, which may encompass multiple situationally applicable statements

group: string ¶

group provides an id to the group that this guideline belongs to

recommendations?: [string, ...string] ¶

recommendations is a list of non-binding suggestions to aid in evaluation or enforcement of the guideline

extends?: #EntryMapping ¶

extends is an id for a guideline which this guideline adds to, in this document or elsewhere

applicability?: [string, ...string] ¶

applicability specifies the contexts in which this guideline applies

rationale?: #Rationale ¶

rationale provides the context for this guideline

statements?: [#Statement, ...#Statement] ¶

statements is a list of structural sub-requirements within a guideline

"principles"?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

principles documents the relationship between this guideline and one or more principles

"vectors"?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

vector-mappings documents the relationship between this guideline and one or more vectors

"see-also"?: [string, ...string] ¶

see-also lists related guideline IDs within the same GuidanceCatalog

state: #Lifecycle ¶

state is the lifecycle state of this guideline

"replaced-by"?: #EntryMapping ¶

replaced-by references the guideline that supersedes this one when deprecated or retired

#Statement: ¶

Statement represents a structural sub-requirement within a guideline; They do not increase strictness and all statements within a guideline apply together

id: string ¶

id allows this entry to be referenced by other elements

title?: string ¶

title describes the contents of this statement

text: string ¶

text is the body of this statement

recommendations?: [string, ...string] ¶

recommendations is a list of non-binding suggestions to aid in evaluation or enforcement of the statement

#Rationale: ¶

Rationale provides a structured way to communicate a guideline author's intent

importance: string ¶

importance is an explanation of why this guideline matters

goals: [string, ...string] ¶

goals is a list of outcomes this guideline seeks to achieve

#Lexicon: ¶

Lexicon is a controlled vocabulary or glossary artifact referenced by Metadata.lexicon

title: string ¶

title describes the purpose of this lexicon at a glance

metadata: #Metadata ¶

metadata provides detailed data about this document

metadata: ¶
type: "Lexicon" ¶
terms: [#LexiconTerm, ...#LexiconTerm] ¶

terms is one or more defined entries for linking and rendering

#LexiconTerm: ¶

LexiconTerm is a single definition within a lexicon

id: string ¶

id allows this entry to be referenced for anchors and tooling

title: string ¶

title is the canonical name of the defined concept

definition: string ¶

definition explains the meaning of the term

synonyms?: [string, ...string] ¶

synonyms lists alternative labels that should resolve to this term for linking

references?: [#LexiconReference, ...#LexiconReference] ¶

references cites external authorities supporting the definition

#LexiconReference: ¶

LexiconReference cites a source supporting a lexicon definition

citation: string ¶

citation identifies the source material in prose

url?: =~"^(https?|file)://[^\\s]+$" ¶

url points to supporting material when available

#MappingReference: ¶

MappingReference represents a reference to an external document with full metadata.

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes the purpose of this mapping reference at a glance

version: string ¶

version is the version identifier of the artifact being mapped to

description?: string ¶

description is prose regarding the artifact's purpose or content

url?: =~"^(https?|file)://[^\\s]+$" ¶

url is the path where the artifact may be retrieved; preferrably responds with Gemara-compatible YAML/JSON

#ArtifactMapping: ¶

ArtifactMapping represents a mapping to an external artifact or artifact entry

"reference-id": string ¶

reference-id identifies an element from a MappingReference in the artifact's metadata

remarks?: string ¶

remarks is prose regarding the mapped artifact or the mapping relationship

#MultiEntryMapping: ¶

MultiEntryMapping represents a mapping to an external reference with one or more entries.

entries: [#ArtifactMapping, ...#ArtifactMapping] ¶

entries is a list of mapping entries

#EntryMapping: ¶

EntryMapping represents how a specific entry maps to a MappingReference.

"reference-id": string ¶

reference-id is the id for a MappingReference entry in the artifact's metadata

"entry-id": string ¶

entry-id is the identifier being mapped to in the referenced artifact

remarks?: string ¶

remarks is prose describing the mapping relationship

#MappingDocument: ¶

MappingDocument captures the user's intent for how entries in a source artifact relate to entries in a target artifact

title: string ¶

title describes the purpose of this mapping document at a glance

metadata: #Metadata ¶

metadata provides detailed data about this document

metadata: ¶
type: "MappingDocument" ¶
metadata: ¶
"mapping-references": [#MappingReference, ...#MappingReference] ¶
"source-reference": #TypedMapping ¶

source-reference identifies the artifact being mapped from; must match a mapping-reference id

"target-reference": #TypedMapping ¶

target-reference identifies the artifact being mapped to; must match a mapping-reference id

mappings: [#_MappingStrict, ...#_MappingStrict] ¶

mappings is one or more atomic relationships between entries in the referenced artifacts

remarks?: string ¶

remarks is prose regarding this mapping document

#TypedMapping: ¶

TypedMapping extends ArtifactMapping with a required entry-type for all entries in this direction

"entry-type": #EntryType ¶

entry-type identifies the type of atomic unit entries in this direction

#_MappingStrict:
click to see definition
{
	@go(-)
} & #Mapping & {
	relationship: #RelationshipType
	if relationship != "no-match" {
		targets: [#MappingTarget, ...#MappingTarget]
	}
}
¶

_MappingStrict layers the "targets required when not no-match" rule on top of #Mapping

relationship: #RelationshipType ¶
#MappingTarget: ¶

MappingTarget identifies a target entry with optional per-target metadata

"entry-id": string ¶

entry-id identifies the specific entry in the target artifact

strength?: int & >=1 & <=10 ¶

strength is the author's estimate of how completely the source satisfies this target; range 1-10

"confidence-level"?: #ConfidenceLevel ¶
applicability?: [string, ...string] ¶

applicability constrains the contexts in which this target mapping holds

rationale?: string ¶

rationale explains why this relationship exists for this target

remarks?: string ¶

remarks is general prose regarding this target mapping

#Mapping: ¶

Mapping represents a relationship between a source entry and one or more target entries

id: string ¶

id allows this mapping to be referenced by other elements

source: string ¶

source identifies the entry being mapped from by its entry-id

targets?: [#MappingTarget, ...#MappingTarget] ¶

targets identifies the entries being mapped to; absent when relationship is no-match

relationship: #RelationshipType ¶

relationship describes the nature of the mapping between source and all targets

remarks?: string ¶

remarks is general prose regarding this mapping

#RelationshipType:
click to see definition
// source fulfills the target's objective
"implements" |
// target fulfills the source's objective (requirements-to-implementation direction)
"implemented-by" |
// source contributes to, but does not fully satisfy, the target
"supports" |
// target contributes to, but does not fully satisfy, the source
"supported-by" |
// source and target express the same intent
"equivalent" |
// source fully contains the target's scope and more
"subsumes" |
// source has no counterpart in the target artifact
"no-match" |
// source and target are related but the nature is unspecified
"relates-to"
¶

RelationshipType enumerates the nature of the mapping between entries.

#EntryType:
click to see definition
"Guideline" | "Statement" | "Control" | "AssessmentRequirement" | "Capability" | "Threat" | "Risk" | "Vector" | "Principle"
¶

EntryType enumerates the atomic units within Gemara artifacts that can participate in mappings

#Datetime: time.Format("2006-01-02T15:04:05Z07:00") ¶

Datetime represents an ISO 8601 formatted datetime string

#Group: ¶

Group represents a classification or grouping that can be used in different contexts with semantic meaning derived from its usage

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes the purpose of this group at a glance

description: string ¶

description explains the significance and traits of entries to this group

#Metadata: ¶

Metadata represents common metadata fields shared across all layers

id: string ¶

id allows this entry to be referenced by other elements

type: #ArtifactType ¶

type identifies the kind of Gemara artifact for unambiguous parsing

"gemara-version": string ¶

gemara-version declares which version of the Gemara specification this artifact conforms to

version?: string ¶

version is the version identifier of this artifact

date?: #Datetime ¶

date is the publication or effective date of this artifact

description: string ¶

description provides a high-level summary of the artifact's purpose and scope

author: #Actor ¶

author is the person or group primarily responsible for this artifact

MR="mapping-references"?: [#MappingReference, ...#MappingReference] ¶

mapping-references is a list of external documents referenced within this artifact

AG="applicability-groups"?: [#Group, ...#Group] ¶

applicability-groups is a list of groups used to classify within this artifact to specify scope

draft?: bool ¶

draft indicates whether this artifact is a pre-release version; open to modification

lexicon?: #ArtifactMapping ¶

lexicon is a URI pointing to a controlled vocabulary or glossary relevant to this artifact

#ArtifactType:
click to see definition
"CapabilityCatalog" | "ControlCatalog" | "GuidanceCatalog" | "ThreatCatalog" | "RiskCatalog" | "Policy" | "MappingDocument" | "Lexicon" | "EvaluationLog" | "EnforcementLog" | "VectorCatalog" | "PrincipleCatalog" | "AuditLog"
¶

ArtifactType identifies the kind of Gemara artifact for unambiguous parsing

#Policy: ¶

Policy represents a policy document with metadata, contacts, scope, imports, implementation plan, risks, and adherence requirements.

title: string ¶
metadata: #Metadata ¶
metadata: ¶
type: "Policy" ¶
contacts: #RACI ¶
scope: #Scope ¶
imports: #Imports ¶
"implementation-plan"?: #ImplementationPlan ¶
risks?: #Risks ¶
adherence: #Adherence ¶
#Scope: ¶

Scope defines what is included and excluded from policy applicability.

in: #Dimensions ¶
out?: #Dimensions ¶
#Dimensions: ¶

Dimensions specify the applicability criteria for a policy

technologies?: [string, ...string] ¶

technologies is an optional list of technology categories or services

geopolitical?: [string, ...string] ¶

geopolitical is an optional list of geopolitical regions

sensitivity?: [string, ...string] ¶

sensitivity is an optional list of data classification levels

users?: [string, ...string] ¶

users is an optional list of user roles

groups?: [string, ...string] ¶
#Imports: ¶

Imports defines external policies, controls, and guidelines required by this policy.

policies?: [#ArtifactMapping, ...#ArtifactMapping] ¶
catalogs?: [#CatalogImport, ...#CatalogImport] ¶
guidance?: [#GuidanceImport, ...#GuidanceImport] ¶
#ImplementationPlan: ¶

ImplementationPlan defines when and how the policy becomes active.

"notification-process"?: string ¶
"evaluation-timeline": #ImplementationDetails ¶
"enforcement-timeline": #ImplementationDetails ¶
#ImplementationDetails: ¶

ImplementationDetails specifies the timeline for policy implementation.

start: #Datetime ¶
end?: #Datetime ¶
notes: string ¶
#Risks: ¶

Risks defines mitigated and accepted risks addressed by this policy.

mitigated?: [#MitigatedRisk, ...#MitigatedRisk] ¶

Mitigated risks only need reference-id and risk-id (no justification required)

accepted?: [#AcceptedRisk, ...#AcceptedRisk] ¶

Accepted risks require rationale (justification) and may include scope. Controls addressing these risks are implicitly identified through threat mappings.

#MitigatedRisk: ¶

MitigatedRisk represents a risk addressed by the policy

id: string ¶

id allows this mitigated risk entry to be referenced by accepted risks

risk: #EntryMapping ¶

risk references the risk being mitigated

#AcceptedRisk: ¶

AcceptedRisk documents a risk the organization has chosen to accept, optionally linking it to a mitigated risk when the acceptance covers residual risk after partial mitigation.

id: string ¶

id allows this accepted risk entry to be referenced

"target-id"?: string ¶

target-id optionally links this acceptance to a mitigated risk entry

risk: #EntryMapping ¶

risk references the risk being accepted

scope?: #Scope ¶

scope defines where the risk acceptance applies

justification?: string ¶

justification explains why the risk is accepted

#Adherence: ¶

Adherence defines evaluation methods, assessment plans, enforcement methods, and non-compliance notifications.

"evaluation-methods"?: [#AcceptedMethod & {type: #EvaluationMethodType}, ...#AcceptedMethod & {type: #EvaluationMethodType}] ¶
"assessment-plans"?: [#AssessmentPlan, ...#AssessmentPlan] ¶
"enforcement-methods"?: [#AcceptedMethod & {type: #EnforcementMethodType}, ...#AcceptedMethod & {type: #EnforcementMethodType}] ¶
"non-compliance"?: string ¶
#AssessmentPlan: ¶

AssessmentPlan defines how a specific assessment requirement is evaluated.

id: string ¶
"requirement-id": string ¶
frequency: string ¶
"evaluation-methods": [#AcceptedMethod & {type: #EvaluationMethodType}, ...#AcceptedMethod & {type: #EvaluationMethodType}] ¶
"evidence-requirements"?: string ¶
parameters?: [#Parameter, ...#Parameter] ¶
#AcceptedMethod: ¶

AcceptedMethod defines a method for evaluation or enforcement.

id: string ¶
type: #MethodType ¶
mode: #ModeType ¶
required: *false | bool ¶
description?: string ¶
executor?: #Actor ¶
#ModeType: "Manual" | "Automated" ¶
#MethodType: "Behavioral" | "Intent" | "Remediation" | "Gate" ¶
#EvaluationMethodType: "Intent" | "Behavioral" ¶
#EnforcementMethodType: "Gate" | "Remediation" ¶
#Parameter: ¶

Parameter defines a configurable parameter for assessment or enforcement activities.

id: string ¶
label: string ¶
description: string ¶
"accepted-values"?: [string, ...string] ¶
#GuidanceImport: ¶

GuidanceImport defines how to import guidance documents with optional exclusions and constraints.

"reference-id": string ¶
exclusions?: [string, ...string] ¶
constraints?: [#Constraint, ...#Constraint] ¶

Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").

#CatalogImport: ¶

CatalogImport defines how to import control catalogs with optional exclusions, constraints, and assessment requirement modifications.

"reference-id": string ¶
exclusions?: [string, ...string] ¶
constraints?: [#Constraint, ...#Constraint] ¶
"assessment-requirement-modifications"?: [#AssessmentRequirementModifier, ...#AssessmentRequirementModifier] ¶
#Constraint: ¶

Constraint defines a prescriptive requirement that applies to a specific guidance or control.

id: string ¶

Unique ID for this constraint to enable Layer 5/6 tracking

"target-id": string ¶

Links to the specific Guidance or Control being constrained

text: string ¶

The prescriptive requirement/constraint text

#AssessmentRequirementModifier: ¶

AssessmentRequirementModifier allows organizations to customize assessment requirements based on how an organization wants to gather evidence for the objective.

id: string ¶
"target-id": string ¶
"modification-type": #ModType ¶
"modification-rationale": string ¶
text?: string ¶

The updated text of the assessment requirement

applicability?: [string, ...string] ¶

The updated applicability of the assessment requirement

recommendation?: string ¶

The updated recommendation for the assessment requirement

#ModType: "Add" | "Modify" | "Remove" | "Replace" | "Override" ¶

ModType defines the type of modification to the assessment requirement.

#PrincipleCatalog: ¶

PrincipleCatalog describes a set of related principles and relevant metadata

metadata: ¶
type: "PrincipleCatalog" ¶
principles?: [#Principle, ...#Principle] ¶

principles is a list of unique principles defined by this catalog

#Principle: ¶

Principle represents a foundational value or tenet that guides governance, design, and operational decisions

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes the principle at a glance

description: string ¶

description explains the principle and its expected outcomes

group: string ¶

group references by id a catalog group that this principle belongs to

rationale?: string ¶

rationale provides the context for this principle

#RiskCatalog: ¶

A RiskCatalog is a structured collection of documented risks that may affect an organization, system, or service. It provides a centralized reference for risks that can be mapped to threats and referenced by policies when documenting how those risks are mitigated or accepted.

metadata: ¶
type: "RiskCatalog" ¶
groups?: [#RiskCategory, ...#RiskCategory] ¶

groups narrows the base groups to risk categories with appetite and severity boundaries

risks?: [#Risk, ...#Risk] ¶

risks is a list of risks defined by this catalog

#RiskCategory: ¶

RiskCategory describes a grouping of risks and defines appetite boundaries

appetite: #RiskAppetite ¶

appetite defines the acceptable level of risk for this category

"max-severity"?: #Severity ¶

max-severity defines the risk tolerance boundary: the highest severity the organization will accept within this category

#Severity:
click to see definition
// minor consequence if realized; manageable within normal operations
"Low" |
// moderate consequence if realized; may impair specific functions or objectives
"Medium" |
// severe consequence if realized; likely to disrupt core operations or objectives
"High" |
// extreme consequence if realized; threatens organizational viability or mission
"Critical"
¶

Severity defines the assessed level of a risk based on its potential impact and likelihood

#RiskAppetite:
click to see definition
// organization is willing to accept higher cost to minimize risk
"Minimal" |
// organization favors caution but permits limited risk
"Low" |
// organization tolerates residual risk when justified by value
"Moderate" |
// organization is willing to operate with less restrictive controls
"High"
¶

RiskAppetite defines the acceptable level of exposure for a risk category

#Risk: ¶

A Risk represents the potential for negative impact resulting from one or more threats.

id: string ¶

id allows this risk to be referenced by other elements

title: string ¶

title describes the risk

description: string ¶

description explains the risk scenario

group: string ¶

group references by id a catalog group that this risk belongs to

severity: #Severity ¶

severity describes the assessed level of this risk

rank?: int ¶

rank optionally orders risks for the same catalog (e.g. when several share the same severity). Lower values mean higher relative importance. Omitted when the four severity levels are enough. When set, each value must be unique among all risks in the catalog that specify rank.

owner?: #RACI ¶

owner defines the RACI roles responsible for managing this risk

impact?: string ¶

impact describes the business or operational impact

"threats"?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

threats link this risk to Layer 2 threats

#ThreatCatalog: ¶

ThreatCatalog describes a set of topically-associated threats

metadata: ¶
type: "ThreatCatalog" ¶
threats?: [#Threat, ...#Threat] ¶

threats is a list of threats defined by this catalog

#Threat: ¶

Threat describes a specifically-scoped opportunity for a negative impact to the organization

id: string ¶

id allows this entry to be referenced by other elements

title: string ¶

title describes this threat at a glance

description: string ¶

description provides a detailed explanation of an opportunity for negative impact

group: string ¶

group references by id a catalog group that this threat belongs to

capabilities: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

capabilities documents the relationship between this threat and a system capability

vectors?: [#MultiEntryMapping, ...#MultiEntryMapping] ¶

vectors documents the relationship between this threat and one or more vectors

actors?: [#Actor, ...#Actor] ¶

actors describes the relevant internal or external threat actors

#VectorCatalog: ¶
metadata: ¶
type: "VectorCatalog" ¶
vectors?: [#Vector, ...#Vector] ¶

vectors is a list of attack vectors documented in this catalog

#Vector: ¶

A Vector represents a method, pathway, or technique through which a threat may be realized or an attack may be carried out.

id: string ¶

id allows this vector to be referenced by other elements

title: string ¶

title describes the vector

description: string ¶

description explains how the attack vector works

group: string ¶

group references by id a catalog group that this vector belongs to

applicability?: [string, ...string] ¶

applicability specifies the contexts in which this vector can manifest

Source files

  • auditlog.cue
  • capabilitycatalog.cue
  • collections.cue
  • controlcatalog.cue
  • enforcementlog.cue
  • entities.cue
  • evaluationlog.cue
  • guidancecatalog.cue
  • lexicon.cue
  • mapping_inline.cue
  • mappingdocument.cue
  • metadata.cue
  • policy.cue
  • principlecatalog.cue
  • riskcatalog.cue
  • threatcatalog.cue
  • vectorcatalog.cue