Axis 4: Techniques
OSCAL — Open Security Controls Assessment Language
OSCAL transforms compliance documentation from Word/Excel into machine-readable JSON/YAML formats with four layers:
- Catalogs — Control definitions (NIST 800-53, ISO 27001, BSI IT-Grundschutz)
- Profiles — Organization-specific baselines
- Implementation Layer — System Security Plans, Component Definitions
- Assessment Layer — Assessment Results, POA&M
BSI officially documents: "OSCAL is connectable to international standards." GCBoK defines German compliance taxonomies (GoBD, BSI, GDPR) as OSCAL catalogs — this does not yet exist on the market.
OPA / Rego — Policy as Code
Open Policy Agent with Rego language. Compliance rules are implemented as code that is automatically validated against the Git state.
VPRM — Verifiable Process Reward Model
In the GCBoK context, OPA/Rego acts as VPRM: Guardrails for AI agents arise through deterministic rule sets, not through prompt engineering. This means AI agents are secured not by prompt constraints but by code validation.
GPG Signing
Every compliance-relevant Git commit is GPG-signed. The signature binds:
- Identity (GPG fingerprint = actor)
- Content (commit hash = data)
- Timestamp (commit timestamp = when)
From .v7g.md metadata onward, GPG fingerprints are bound to V7GUIDs — identities remain tamper-proof even if an AI agent manipulates the semantic structure.
uuidV7 — UUID Version 7
RFC 4122-compliant UUID Version 7: time-based, sortable, collision-resistant. The GitCover-specific extension with 14-bit class identifiers turns UUIDs into V7GUIDs (see Concepts).
Git as IdP — Identity Provider
Gitea-based Git repositories as Single Source of Truth (SSoT) for an integrated Identity and Access Management system (IAM). The BSFZ-recognized research project investigates whether Git organizations/teams can represent OAuth2 clients and permissions and manage >1,000 users performantly.
See also: The research project on GitCover.IdP is described in Research Projects.