How we work

This document provides an overview of GRCschema’s process for developing and changing GRC schemas.

Schema states

Every object in the schema is in one of four states, each corresponding to the directory in which the object's definition is found.

  • Proposed - a proposed change for any object is in the works. During this phase, the discussion about the object is in play. Discussions for each object can be found in the Community Forum maintained by the UCF team (for now).
  • Voting - the proposed object is now up for a vote. Each object up for a vote is documented in GRCschema.org's proposed properties section, with links for casting a vote and for checking the status of the vote, as found within the Message Board.
  • Accepted - the proposed object is now accepted as part of a release version.
  • Withdrawn - withdrawn objects will be removed, but the documentation surrounding them will be maintained in the docs site.
  • NIST SP 800-70,
  • NIST’s Informative Reference Catalog,
  • NIST’s Open Security Controls Assessment Language (OSCAL),
  • TagVault.org’s Software Identification Tags (SWID Tags),
  • the Unified Compliance Framework, and
  • SIGLEX, a Special Interest Group on the Lexicon of the Association for Computational Linguistics?

GRCschema.org is a way of converging these into a workable Common Data Format, backed by an API that supports adding content to, and extracting content from, a central repository, regardless of where the content came from. As schema objects are approved, they are translated into API calls hosted on various API marketplaces. Anyone with a valid API key can access the existing content.

What skills do we need to participate?

English - it's in English, and no, it won't be translated any time soon. If the explanation of an object isn't clear, you can post a comment in the community; the same goes for an unclear grouping. If you want to suggest changes to a proposed object, you can do so through our voting process. The JSON-LD is there for you to copy, and a visualization is there for you to explore as you see fit.

What license do we need to apply this?

Admittedly, the Unified Compliance team, among others, hold several patents that read on this (see their patent page here). They have graciously made their patents available for use by subscribers to GRCschema.org. Please reference their statement below:

Please be advised that some of these data structures are likely covered by one or more of the patents, as indicated on the website. You may use these data structures as long as they conform to those set forth and defined by elements designated as "Things" within either schema.org or GRCschema.org. If you have questions, please contact Dorian Cougias, the CEO and founder of Unified Compliance, at dcougias@unifiedcompliance.com.