github.com/gemaraproj/gemara@v1.3.0

policy.cue raw

  1// SPDX-License-Identifier: Apache-2.0
  2
  3// Schema lifecycle: experimental | stable | deprecated
  4@status("experimental")
  5package gemara
  6
  7@go(gemara)
  8
  9// Policy represents a policy document with metadata, contacts, scope, imports, implementation plan, risks, and adherence requirements.
 10#Policy: {
 11	title:    string
 12	metadata: #Metadata
 13	metadata: type: "Policy"
 14	contacts:               #RACI
 15	scope:                  #Scope
 16	imports:                #Imports
 17	"implementation-plan"?: #ImplementationPlan @go(ImplementationPlan)
 18	risks?:                 #Risks
 19	adherence:              #Adherence
 20}
 21
 22// Scope defines what is included and excluded from policy applicability.
 23#Scope: {
 24	in:   #Dimensions
 25	out?: #Dimensions
 26}
 27
 28// Dimensions specify the applicability criteria for a policy
 29#Dimensions: {
 30	// technologies is an optional list of technology categories or services
 31	technologies?: [string, ...string]
 32	// geopolitical is an optional list of geopolitical regions
 33	geopolitical?: [string, ...string]
 34	// sensitivity is an optional list of data classification levels
 35	sensitivity?: [string, ...string]
 36	// users is an optional list of user roles
 37	users?: [string, ...string]
 38	groups?: [string, ...string]
 39}
 40
 41// Imports defines external policies, controls, and guidelines required by this policy.
 42#Imports: {
 43	policies?: [#ArtifactMapping, ...#ArtifactMapping]
 44	catalogs?: [#CatalogImport, ...#CatalogImport]
 45	guidance?: [#GuidanceImport, ...#GuidanceImport]
 46}
 47
 48// ImplementationPlan defines when and how the policy becomes active.
 49#ImplementationPlan: {
 50	"notification-process"?: string                 @go(NotificationProcess)
 51	"evaluation-timeline":   #ImplementationDetails @go(EvaluationTimeline)
 52	"enforcement-timeline":  #ImplementationDetails @go(EnforcementTimeline)
 53}
 54
 55// ImplementationDetails specifies the timeline for policy implementation.
 56#ImplementationDetails: {
 57	start: #Datetime
 58	end?:  #Datetime
 59	notes: string
 60}
 61
 62// Risks defines mitigated and accepted risks addressed by this policy.
 63#Risks: {
 64	// Mitigated risks only need reference-id and risk-id (no justification required)
 65	mitigated?: [#MitigatedRisk, ...#MitigatedRisk]
 66	// Accepted risks require rationale (justification) and may include scope. Controls addressing these risks are implicitly identified through threat mappings.
 67	accepted?: [#AcceptedRisk, ...#AcceptedRisk]
 68}
 69
 70// MitigatedRisk represents a risk addressed by the policy
 71#MitigatedRisk: {
 72	// id allows this mitigated risk entry to be referenced by accepted risks
 73	id: string
 74
 75	// risk references the risk being mitigated
 76	risk: #EntryMapping
 77}
 78
 79// AcceptedRisk documents a risk the organization has chosen to accept,
 80// optionally linking it to a mitigated risk when the acceptance covers
 81// residual risk after partial mitigation.
 82#AcceptedRisk: {
 83	// id allows this accepted risk entry to be referenced
 84	id: string
 85
 86	// target-id optionally links this acceptance to a mitigated risk entry
 87	"target-id"?: string
 88
 89	// risk references the risk being accepted
 90	risk: #EntryMapping
 91
 92	// scope defines where the risk acceptance applies
 93	scope?: #Scope
 94
 95	// justification explains why the risk is accepted
 96	justification?: string
 97}
 98
 99// Adherence defines evaluation methods, assessment plans, enforcement methods, and non-compliance notifications.
100#Adherence: {
101	"evaluation-methods"?: [#AcceptedMethod & {type: #EvaluationMethodType}, ...#AcceptedMethod & {type: #EvaluationMethodType}] @go(EvaluationMethods)
102	"assessment-plans"?: [#AssessmentPlan, ...#AssessmentPlan] @go(AssessmentPlans)
103	"enforcement-methods"?: [#AcceptedMethod & {type: #EnforcementMethodType}, ...#AcceptedMethod & {type: #EnforcementMethodType}] @go(EnforcementMethods)
104	"non-compliance"?: string @go(NonCompliance)
105}
106
107// AssessmentPlan defines how a specific assessment requirement is evaluated.
108#AssessmentPlan: {
109	id:               string
110	"requirement-id": string @go(RequirementId)
111	frequency:        string
112	"evaluation-methods": [#AcceptedMethod & {type: #EvaluationMethodType}, ...#AcceptedMethod & {type: #EvaluationMethodType}] @go(EvaluationMethods)
113	"evidence-requirements"?: string @go(EvidenceRequirements)
114	parameters?: [#Parameter, ...#Parameter]
115}
116
117// AcceptedMethod defines a method for evaluation or enforcement.
118#AcceptedMethod: {
119	id:           string
120	type:         #MethodType
121	mode:         #ModeType
122	required:     *false | bool
123	description?: string
124	executor?:    #Actor
125}
126
127#ModeType:              "Manual" | "Automated"                           @go(-)
128#MethodType:            "Behavioral" | "Intent" | "Remediation" | "Gate" @go(-)
129#EvaluationMethodType:  "Intent" | "Behavioral"                          @go(-)
130#EnforcementMethodType: "Gate" | "Remediation"                           @go(-)
131
132// Parameter defines a configurable parameter for assessment or enforcement activities.
133#Parameter: {
134	id:          string
135	label:       string
136	description: string
137	"accepted-values"?: [string, ...string] @go(AcceptedValues)
138}
139
140// GuidanceImport defines how to import guidance documents with optional exclusions and constraints.
141#GuidanceImport: {
142	"reference-id": string @go(ReferenceId)
143	exclusions?: [string, ...string]
144	// Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").
145	constraints?: [#Constraint, ...#Constraint]
146}
147
148// CatalogImport defines how to import control catalogs with optional exclusions, constraints, and assessment requirement modifications.
149#CatalogImport: {
150	"reference-id": string @go(ReferenceId)
151	exclusions?: [string, ...string]
152	constraints?: [#Constraint, ...#Constraint]
153	"assessment-requirement-modifications"?: [#AssessmentRequirementModifier, ...#AssessmentRequirementModifier] @go(AssessmentRequirementModifications)
154}
155
156// Constraint defines a prescriptive requirement that applies to a specific guidance or control.
157#Constraint: {
158	// Unique ID for this constraint to enable Layer 5/6 tracking
159	id: string
160	// Links to the specific Guidance or Control being constrained
161	"target-id": string @go(TargetId)
162	// The prescriptive requirement/constraint text
163	text: string
164}
165
166// AssessmentRequirementModifier allows organizations to customize assessment requirements based on how an organization wants to gather evidence for the objective.
167#AssessmentRequirementModifier: {
168	id:                       string
169	"target-id":              string   @go(TargetId)
170	"modification-type":      #ModType @go(ModificationType)
171	"modification-rationale": string   @go(ModificationRationale)
172	// The updated text of the assessment requirement
173	text?: string
174	// The updated applicability of the assessment requirement
175	applicability?: [string, ...string]
176	// The updated recommendation for the assessment requirement
177	recommendation?: string
178}
179
180// ModType defines the type of modification to the assessment requirement.
181#ModType: "Add" | "Modify" | "Remove" | "Replace" | "Override" @go(-)