---
layout: page
title: Tutorials
---

## Start here

**Gemara Layers — Knowledge, Inputs & Outputs** — Start here if you're new to the model.

---

## Find Your Tutorial

Pick your goal — each path leads to the right guide.

### Performing a threat assessment

For a system or component → [Threat Assessment Guide](controls/threat-assessment-guide) — identify capabilities and threats, map them to attack surfaces (Layer 2).

### Defining security controls

That mitigate those threats → [Control Catalog Guide](controls/control-catalog-guide) — create a control catalog with assessment requirements and threat-mappings (Layer 2).

### Understanding what threats and controls exist

Before writing policy → [Threat Assessment Guide](controls/threat-assessment-guide)

→ **COMING SOON:** Review or author threat-informed controls that your policy will reference (Layer 2).

### Reviewing the controls to reference in a policy

→ **COMING SOON:** Understand the control catalog structure and assessment requirements (Layer 2).

### Understanding the security posture of consumed software

→ [Threat Assessment Guide](controls/threat-assessment-guide) — review threat catalogs for your dependencies (Layer 2).

→ **COMING SOON:** Use control catalogs (e.g. OSPS, CCC) as hardening guides (Layer 2).

### Creating a guidance catalog from best practices

From a spreadsheet or checklist — create a guidance catalog (guidelines, groups, mapping-references) that threat-informed controls can reference; express relationships to other frameworks in a [Mapping Document](https://gemara.openssf.org/schema/mapping.html). → [Guidance Catalog Guide](guidance/guidance-guide).

### Creating organizational policy

Create a policy document that translates risk appetite into mandatory rules — [Policy Guide](policy/policy-guide) — scope, imports, adherence, and risks (Layer 3).

---

## What You'll Build

| Layer | Artifact | Guide |
|-------|----------|-------|
| **Layer 1** — Guidance | Guidance Catalog (guidelines, groups, mapping-references) | [Guidance Catalog Guide](guidance/guidance-guide) |
| **Layer 2** — Controls | Threat Catalog + Control Catalog (assessment requirements, threats) | [Threat Assessment](controls/threat-assessment-guide), [Control Catalog](controls/control-catalog-guide) |
| **Layer 3** — Policy   | Policy Document (scope, imports, adherence, risks)                  | [Policy Guide](policy/policy-guide) |

## What You'll Need

- `go` installed
- `cue` installed for validation

## Have Ideas?

- Reach out via Slack in `#gemara`
- Discuss in one of our bi-weekly meetings on the [OpenSSF calendar](https://calendar.google.com/calendar/u/0?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
- Open a [GitHub Issue](https://github.com/gemaraproj/gemara/issues)