Agentic AI systems and AI-driven software workflows are evolving quickly, with more people building on top of them. With that shift comes new questions around trust, control, provenance, and secure…
Read More
By Eddie Knight, Hannah Braswell, and Jenn PowerÂ
Software development has reached a point where traditional Governance, Risk, and Compliance (GRC) can no longer keep up. Compliance activities often exist only as a separate administrative layer, making it difficult for organizations to prove that security measures are in place long after the work is complete.
To tackle this problem head on, the industry has seen the rise of GRC Engineering and related topics such as policy-as-code or compliance-as-code. Yet, there have been massive alignment gaps pertaining to interoperability between tools, teams, and organizations. At the core, the industry suffers from split-brain attempts to cover related problems without standardizing on philosophies, language, or data schemas.
To enable a global standardization effort by beginning with philosophical alignment, we are excited to announce the publication of Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment.
What’s Inside?
This model provides a structure designed to categorize compliance activities and define their functional interactions. These are activities which are inherent to governance and have existed in practice, but lacked a unified engineering architecture with predictable points of exchange. By decomposing these activities into discrete layers, the model facilitates standardized documentation, shared language, and creates a basis for collaborative maintenance of common resources.
The model stems from the CNCF’s Automated Governance Maturity Model. It also incorporates lessons from prior art, such as NIST’s OSCAL, the FINOS Common Cloud Controls project, and the OpenSSF’s Open Source Project Security Baseline.
Just as the OSI Model gave us a common language for networking, Gemara provides a seven-layer architecture, detailing separation of concerns for the GRC stack:
- The Definition Layers (1-3): These layers define what “good security” actually looks like for an organization.
- The Pivot Point (4): This is where policy requirements meet real-world operational activities.
- The Measurement Layers (5-7): These cover the techniques used to evaluate, enforce, and audit how well you’re sticking to those security definitions.
This structure ensures every stakeholder (and tool) has a clear place in the system. For teams looking to treat GRC as an engineering discipline rather than a checklist, the Gemara model offers a practical way forward.
Join Us
The Gemara Project is an open source initiative stewarded by the OpenSSF with founding maintainers from Sonatype, Red Hat, and more.
- Learn about the model [Link]
- Explore the schemas and SDKs on available on GitHub [Link]Â
- Join the ORBIT Working Group [Link]
- Explore OpenSSF Membership [Link]
About the Authors
Jenn Power is a Principal Product Security Engineer at Red Hat where she leads upstream collaboration and cross-industry initiatives centered on automated governance and security data standardization. She serves as a Tech Lead for CNCF TAG Security and Compliance, a member of the ORBIT Working Group, and a maintainer of the OpenSSF Gemara project.
Hannah Braswell is an Associate Product Security Engineer at Red Hat, where she focuses on compliance automation and developing enablement tooling for compliance analysts. With a B.S. in Computer Engineering from NC State University, she brings a deep background in microarchitecture and embedded systems to her work in the open-source ecosystem. Hannah currently serves as the Community Manager for the OpenSSF Gemara project, driving collaboration and security enablement across the community.
Eddie Knight is a Software and Cloud Engineer with a background in banking technology. When he isn’t playing with his 3-year-old son, he combines his passion and job duties by working to improve the security of open source software. Eddie currently helps lead several security and compliance initiatives across the CNCF, OpenSSF, and FINOS.
Roman Zhukov is a cybersecurity expert, engineer, and leader with over 17 years of hands-on experience securing complex systems and software products at scale. At Red Hat, Roman leads open source security strategy, upstream collaboration, and cross-industry initiatives focused on building trusted ecosystems. He is an active contributor to open source security and co-chair of the OpenSSF Global Cyber Policy WG.
Emily Fox is a visionary security leader whose sustained contributions have profoundly shaped both internal company strategy and the broader open source industry. With over 15 years of experience, she has consistently operated at the intersection of deep technical expertise and strategic leadership, driving critical initiatives in cloud native security, software supply chain integrity, post-quantum cryptography, and zero trust architecture at top-tier organizations including Red Hat, Apple, and the National Security Agency. Her career is marked by a rare ability to not only architect complex, cutting-edge solutions but also to lead global communities, influence industry standards, and mentor the next generation of technologists.
Planning to attend KubeCon + Cloud Native Con Europe in March? Don’t miss OpenSSF’s co-located 1-day event! This gathering will bring together a diverse community, including software developers, security engineers, public sector experts, CISOs, CIOs, and tech pioneers, to explore challenges and opportunities in modern security. Collaborate with peers and discover the essential tools, knowledge, and strategies needed to ensure a safer, more secure future.
Join us for the first OpenSSF Tech Talk of the year, focusing on agentic artificial intelligence (AI) security.
OpenSSF has released a new Compiler Annotations Guide for C and C++ to help developers improve memory safety, diagnostics, and overall software security by using compiler-supported annotations. The guide explains how annotations in GCC and Clang/LLVM can make code intent explicit, strengthen static analysis, reduce false positives, and enable more effective compile-time and run-time protections. As memory-safety issues continue to drive a significant share of vulnerabilities in C and C++ systems, the guide offers practical, real-world guidance for applying low-friction hardening techniques that improve security without requiring large-scale rewrites of existing codebases. 
Security Slam 2026 is a 30-day security hygiene challenge running from February 20 to March 20, culminating in an awards ceremony at KubeCon + CloudNativeCon Europe. Hosted by OpenSSF in partnership with CNCF TAG Security & Compliance and Sonatype, the event encourages projects to use practical security tools, including OpenSSF resources, to strengthen their security posture based on their maturity level. Participants can earn recognition, badges, and plaques for completing milestones, reinforcing a community-driven effort to improve open source software security at scale. 
At FOSDEM 2026, the CRA in Practice DevRoom brought together open source and industry leaders to turn the EU Cyber Resilience Act from policy discussion into practical action. Through case studies and panels, speakers shared concrete approaches to vulnerability management, SBOMs, VEX, risk assessment, and the steward role. 
On February 2, OpenSSF convened the Package Manager Security Forum, bringing together maintainers and registry operators from major ecosystems to address shared challenges in package repository security. Discussions highlighted common concerns around identity and account security, governance and abuse handling, transparency, and long-term sustainability. The session reinforced that package ecosystem risks are interconnected and that improving security requires cross-ecosystem coordination, shared frameworks, and continued collaboration through OpenSSF’s neutral convening role.
Is your open source project meeting the “minimum definition” of security? The OpenSSF has officially integrated the 
