How we work
Two doors in. Which one you use depends on whose vocabulary you're bringing.
Door one: publish your vocabulary
If you're a vocabulary provider (a standards body, a content publisher, a certification body, anyone who maintains a vocabulary the GRC and SecOps world uses), you can join and publish your vocabulary. No questions asked.
That's not a loose onboarding policy. It's the design principle. Your vocabulary is your community's way of caring about things, and nobody here gets a vote on it. You publish your structures under your name, your release versions ride every record, and when you ship a new release, the registry reflects it. Reach out through the contact page and we'll get you set up as a provider.
Door two: propose a change to the Shared vocabulary
The Shared vocabulary is different: it's the small set of common types and properties every other vocabulary can reference (coreMetaData, authoritySource, country, language, and friends). Because everyone builds on it, no one owns it alone.
So shared proposals get voted on. The process:
- Propose. Submit the structure you want added or changed. Proposals are documented in Proposed Properties while they're in the argument stage.
- Vote. The proposal is routed to all vocabulary providers. Each provider gets a vote.
- Accepted or withdrawn. Accepted structures move to Accepted Properties and into the registry as part of a release. Withdrawn proposals keep their documentation, so the reasoning isn't lost.
If you're not already a vocabulary provider and you want to propose a shared structure, request adjunct membership through the contact page. Adjunct members can propose and participate in the discussion. The vote belongs to the providers.
How is this related to OSCAL, SWID, the Informative Reference Catalog, and the rest?
They're the witnesses, and we don't compete with any of them. GRCSchema.org converges what travels between systems into a common data format with citable addresses, regardless of where the content came from. The full survey of formats, organized by the question each one answers, lives at Why a Common Data Format.
One boundary worth naming: GRCSchema.org doesn't define user-account or provisioning schemas. Cross-system identity exchange already has an authoritative standard, SCIM (RFC 7643 and RFC 7644). Use it.
What skills do we need to participate?
English, and the willingness to read a schema. If an object's explanation isn't clear, say so through the contact page. The JSON-LD is there to copy. The visualizations are there to explore.
What about licensing?
Your vocabulary stays yours, under your license, always. Publishing through GRCSchema.org never transfers ownership of your structures or your content. For licensing questions about the Shared vocabulary or anything else on the site, ask us directly.