ossf · eddie-knight · Jan 14, 2026
@@ -0,0 +1,9 @@
+---
+title: Assessment Log
+status: 
+tags: "grc"
+---
+
+
+The documented result of an assessment, containing details about when and how a specific set of steps was taken in accordance with an assessment requirement.  
+Layer 4
@@ -0,0 +1,9 @@
+---
+title: Assessment Plan
+status: 
+tags: "grc"
+---
+
+An outline of assessment details for a specific control, based on the assessment requirements that are applicable for the given scenario. This includes information such as the procedure for executing each assessment.
+
+Part of Gemara Layer 4.
@@ -0,0 +1,9 @@
+---
+title: Assessment Requirement
+status: 
+tags: "grc"
+---
+
+A specific, testable statement within a control that defines the exact conditions or evidence needed to verify its successful implementation. These requirements form the basis for evaluations, when deemed applicable according to the organization's policy.  
+
+Part of Gemara Layer 2.
@@ -0,0 +1,9 @@
+---
+title: Assessment
+status: 
+tags: "grc"
+---
+
+The manual or automated process of evaluating control compliance following a specific assessment requirement. Multiple assessments may be required by a single control.  
+
+Part of Gemara Layer 4.
@@ -0,0 +1,9 @@
+---
+title: Audit
+status: 
+tags: "grc"
+---
+
+A formal, systematic review of an organization's policies, procedures, and conformance to ensure GRC processes are effective.  
+
+Part of Gemara Layer 6.
@@ -0,0 +1,9 @@
+---
+title: Automated Governance
+status: 
+tags: "grc"
+---
+
+a. An automated process for tracking governance throughout the deployment pipeline.
+
+b. The philosophy of treating policy compliance as a required quality gate in the deployment to production
@@ -0,0 +1,9 @@
+---
+title: Baseline
+status: 
+tags: fundamental
+---
+
+A standardized level of minimum security configuration that is required for all systems of a certain type.
+
+Part of Gemara Layer 3.
@@ -2,9 +2,10 @@
 title: Capabilities
 status: Completed
 category: concept
-tags: ["fundamental", "", ""]
+tags: ["fundamental", "gemara", ""]
 ---
 
-Linux kernel uses capabilities to compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable.
+a. Highly specific descriptions of software behavior for elements such as command line interface, network accessibility, encryption by default, backups, recovery, and much more. Part of Gemara Layer 2.
 
-Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html
+b. In the Linux kernel, capabilities compartmentalize the UNIX root privilege into a set of non-overlapping sub privileges (called capabilities) that can be individually assigned where higher granularity than root/non-root is suitable. 
+__Reference for capabilities list: https://man7.org/linux/man-pages/man7/capabilities.7.html__
@@ -0,0 +1,8 @@
+---
+title: Compensating Control
+status: 
+tags: ["grc"]
+---
+
+An alternative measure that can be used to satisfy a security requirement when the primary control cannot be implemented. 
+It must demonstrate a similar or greater level of risk mitigation than the requirement it compensates for.
@@ -0,0 +1,7 @@
+---
+title: Compliance
+status: 
+tags: ["grc"]
+---
+
+The act of adhering to the stated requirements within specific policies. These policies may encompass laws, regulations, industry standards, and internal organizational decisions.
@@ -0,0 +1,9 @@
+---
+title: Continuous ATO
+status: 
+tags: ["grc"]
+---
+
+A modern approach to authorization where the Authority To Operate is maintained through continuous monitoring, automated assessments, and real-time risk data, rather than through static, point-in-time audits.
+
+Part of Gemara Layer 6.
@@ -0,0 +1,9 @@
+---
+title: Control Catalog
+status: 
+tags: ["grc"]
+---
+
+A version-controlled document containing controls tailored to a specific technology. The catalog may also contain threats for better understanding the rationale behind the controls, and capabilities to increase precision around when and how the controls should be enforced.  
+
+Part of Gemara Layer 2.
@@ -0,0 +1,9 @@
+---
+title: Control Family
+status: 
+tags: ["grc"]
+---
+
+A logical grouping of controls which share a common purpose or function. Useful for quickly navigating complex control catalogs, and for ensuring proper coverage within a topical domain.  
+
+Part of Gemara Layers 1 and 2.
@@ -0,0 +1,9 @@
+---
+title: Control
+status: 
+tags: fundamental
+---
+
+
+A specific, technology-focused, threat-informed safeguard or countermeasure containing a clear cybersecurity or compliance objective.
+Layer 2
@@ -0,0 +1,8 @@
+---
+title: Cybersecurity
+status: 
+tags: fundamental
+---
+
+
+The processes and procedures implemented to reduce risk to a software system.
@@ -0,0 +1,8 @@
+---
+title: Drift Detection
+status: 
+tags:
+---
+
+
+The process of evaluating resources after they have been deployed, with the aim of ensuring that there are no changes which might impact compliance or indicate a breach.
@@ -0,0 +1,9 @@
+---
+title: Enforcement Gate
+status: 
+tags:
+---
+
+
+A manual or automated process which will prevent the deployment of any resource that cannot demonstrate compliance to achieve a satisfactory degree.  
+Layer 5
@@ -0,0 +1,9 @@
+---
+title: Enforcement
+status: 
+tags: fundamental
+---
+
+
+The preventive or remedial actions taken based on evaluation findings, such as blocking a non-compliant deployment or automatically fixing a misconfiguration.  
+Layer 5
@@ -0,0 +1,8 @@
+---
+title: Engineering
+status: 
+tags: fundamental
+---
+
+
+The application of scientific principles to design, build, and maintain efficient, reliable, and scalable systems, structures, and processes.
@@ -0,0 +1,10 @@
+---
+title: Evaluation Log
+status: 
+tags:
+---
+
+
+A group of assessment logs corresponding to an evaluation plan. 
+Provides the details necessary for enforcement actions.  
+Layer 4
@@ -0,0 +1,9 @@
+---
+title: Evaluation Plan
+status: 
+tags:
+---
+
+
+A set of assessment plans that can be executed together to evaluate a specific scenario, such as for a particular technology, deployment region, and purpose.  
+Layer 4
@@ -0,0 +1,9 @@
+---
+title: Evaluation
+status: 
+tags: fundamental
+---
+
+
+The inspection and assessment of code, configurations, and deployments to verify compliance with established policies.  
+Layer 4
@@ -0,0 +1,9 @@
+---
+title: FINOS CCC
+status: 
+tags: acronym
+---
+
+
+A FINOS project that creates a unified set of cybersecurity controls for the financial services industry by harmonizing global regulations and standards to simplify cloud adoption and compliance.  
+Adheres to Gemara Layer 2
@@ -0,0 +1,10 @@
+---
+title: Gemara
+status: 
+tags:
+---
+
+
+Open source logical model to describe the categories of compliance activities, how they interact, and the associated schemas to enable automated interoperability between them. 
+Governed by the Open Source Security Foundation under an Apache 2 license.  
+Layers 1-6
@@ -0,0 +1,9 @@
+---
+title: GRC Engineering
+status: Completed
+tags: 
+---
+
+
+An approach that strategically applies engineering principles to GRC processes to make them more efficient and integrated. 
+Also known as automated governance.
@@ -0,0 +1,8 @@
+---
+title: GRC
+status: 
+tags: acronym
+---
+
+
+An integrated strategy for managing an organization's Governance, Risk, and Compliance to reliably achieve objectives, address uncertainty, and ensure integrity.
@@ -0,0 +1,10 @@
+---
+title: Guidance
+status: 
+tags: fundamental
+---
+
+
+High-level, abstract rules and frameworks pertaining to cybersecurity, typically developed by industry groups or government bodies. 
+Because these are not tied to specific technologies, they are not likely to need frequent updates and may remain useful for years after creation.
+Layer 1
@@ -0,0 +1,8 @@
+---
+title: Governance
+status: 
+tags: fundamental
+---
+
+
+The set of rules, policies, processes, and structures through which an organization is directed and controlled to achieve its objectives.
@@ -0,0 +1,8 @@
+---
+title: Inherent Risk
+status: 
+tags:
+---
+
+
+Inherent Risk is the level of risk before any controls or mitigation efforts are applied.
@@ -0,0 +1,9 @@
+---
+title: ISO 27001
+status: 
+tags:
+---
+
+
+An international standard specifying the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System.
+Uses approaches from Gemara Layer 1
@@ -0,0 +1,9 @@
+---
+title: Mapping
+status: 
+tags: fundamental
+---
+
+
+The process and subsequent result of identifying correlated entries across different documents, or internal to a document — such as mapping controls to threats or threats to capabilities in a control catalog. 
+One entry may map to multiple others with varying strength levels, indicating how effective the source will satisfy the requirements of the target.
@@ -0,0 +1,9 @@
+---
+title: NIST 800-53
+status: 
+tags:
+---
+
+
+A publication by the National Institute of Standards and Technology that provides a comprehensive catalog of security and privacy controls for U.S. federal information systems.  
+Uses approaches from Gemara Layer 1
@@ -0,0 +1,9 @@
+---
+title: NIST CSF
+status: 
+tags: acronym
+---
+
+
+The National Institute of Standards and Technology Cybersecurity Framework is a set of voluntary guidelines and best practices to help organizations manage cybersecurity risk.
+Uses approaches from Gemara Layer 1
@@ -0,0 +1,9 @@
+---
+title: OSCAL
+status: 
+tags: acronym
+---
+
+
+The Open Security Controls Assessment Language. 
+A set of standardized, machine-readable formats (XML, JSON, YAML) for expressing and exchanging security control and assessment information, developed and governed by the United States' National Institute of Standards and Technology (NIST).
@@ -0,0 +1,10 @@
+---
+title: OSPS Baseline
+status: 
+tags:
+---
+
+
+A set of minimum security requirements for open-source projects, established by the OpenSSF (Open Source Security Foundation). 
+It provides a clear baseline of practices to improve the security posture of open-source software.  
+Adheres to Gemara Layer 2
@@ -0,0 +1,9 @@
+---
+title: Policy as Code (PaC)
+status: 
+tags: acronym
+---
+
+
+The practice of managing security and compliance policies using a high-level, declarative programming language. 
+This allows policies to be version-controlled, tested, and automatically enforced as part of the development lifecycle.