Gemara: The GRC Architecture You Didn’t Know You Built - Hannah Braswell & Jennifer Power, Red Hat

OpenSSF
May 31, 2026

Why It Matters

By providing a shared architecture and machine-readable schemas, Gemara aims to reduce ambiguity and friction in compliance and risk workflows, enabling faster automated assessments, clearer accountability across teams, and easier integration of security controls into CI/CD. That can lower audit costs, speed remediation, and improve measurable security posture for organizations adopting the model.

Summary

Red Hat engineers Hannah Braswell and Jennifer Power outlined Gemara, an OpenSSF ORBIT-stewarded sandbox project for an OSI-inspired, seven-layer GRC engineering model that decouples compliance definitions from measurements to enable end-to-end automation. The model separates definition layers (guidance, technical controls, organizational policy), activity layers (development and operations), and measurement layers (evaluation, enforcement, audit), allowing teams to work on specialized layers while sharing a deterministic schema. Gemara implements machine-readable artifacts using the CUE (configure, unify, execute) validation language and integrates with standards and tools such as OSCAL, the OSPS Baseline, and Privateer to produce evaluable logs and enforceable actions. The project emphasizes common terminology, cross-functional interoperability, and practical tooling to move GRC from manual, fragmented processes toward automated, maintainable workflows.

Original Description

Gemara: The GRC Architecture You Didn’t Know You Built - Hannah Braswell & Jennifer Power, Red Hat
If you’ve ever set a branch protection rule or configured a security scan, you’ve already entered the world of GRC. You may not have realized it at the time, though, because GRC is often seen as a combination of spreadsheets and screenshots. Framing this through Gemara reveals a different reality: these security configurations don't exist in a vacuum; they work within a larger, interconnected architecture.
In this session, we’ll explore OpenSSF's Gemara Model to show you how your existing SDLC workflows can produce the compliance evidence you’ve been looking for. Join us to learn how to stop performing GRC as a chore, and start managing it as the engineering task it already is.
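To make the layering in the Summary and the branch-protection example above concrete, here is an added illustration (not Gemara's schema or code) in which a control definition names only a requirement id, pluggable measurements produce evaluable findings, and enforcement consumes those findings without knowing which tool produced them. All type names, requirement ids and the sample repository settings are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Hypothetical types: they illustrate the layered idea, not Gemara's actual schema.

@dataclass(frozen=True)
class Control:
    """Definition layer: what must be true, phrased without naming a tool."""
    control_id: str
    objective: str
    requirement_id: str  # assessment requirement a measurement must satisfy

@dataclass
class Finding:
    """Measurement layer: one evaluable log record tying evidence to a requirement."""
    requirement_id: str
    passed: bool
    evidence: dict

# Activity-layer evidence: constructed sample of a repository's branch settings.
SAMPLE_REPO = {
    "default_branch": "main",
    "branch_protection": {"main": {"required_reviews": 1, "required_status_checks": ["scan"]}},
}

Measurement = Callable[[dict], Finding]

def measure_reviews(repo: dict) -> Finding:
    rules = repo["branch_protection"].get(repo["default_branch"], {})
    count = rules.get("required_reviews", 0)
    return Finding("REQ-REVIEW-1", count >= 1, {"required_reviews": count})

def measure_scan(repo: dict) -> Finding:
    rules = repo["branch_protection"].get(repo["default_branch"], {})
    checks = rules.get("required_status_checks", [])
    return Finding("REQ-SCAN-1", "scan" in checks, {"status_checks": checks})

CONTROLS = [
    Control("CTL-01", "Changes to the default branch are peer reviewed", "REQ-REVIEW-1"),
    Control("CTL-02", "A security scan gates merges to the default branch", "REQ-SCAN-1"),
]

def evaluate(controls: list[Control], measurements: dict[str, Measurement], repo: dict) -> list[Finding]:
    """Evaluation layer: run whichever measurement is registered for each requirement."""
    return [measurements[c.requirement_id](repo) for c in controls]

def enforce(findings: list[Finding]) -> dict[str, str]:
    """Enforcement layer: map findings to actions; an audit layer reads the same findings."""
    return {f.requirement_id: ("allow" if f.passed else "block") for f in findings}
```

Swapping `measure_reviews` for a measurement backed by a real API call changes nothing in the control definitions or the enforcement logic, which is the decoupling the talk describes.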
