CRML is an open, declarative, engine-agnostic and Control/Attack framework-agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements without forcing you into a specific quantification method, simulation engine, or security-control/threat catalog.
Key features include control effectiveness modeling to quantify how controls reduce risk (including defense-in-depth), median-based parameterization so that lognormal distributions can be specified directly by their median, multi-currency support with automatic conversion, auto-calibration of distributions from loss data, and strict JSON Schema validation that catches errors before simulation. The design is implementation-agnostic, so a model works with any compliant simulation engine, and the human-readable YAML format is easy to read, review, and audit.
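As an added illustration that is not CRML's own code or schema, the following Python works through two of the modeling features named above, median-based lognormal parameterization and defense-in-depth control effectiveness, in a small Monte Carlo. The scenario dictionary, its keys and all numbers are constructed for this example and do not reflect CRML's YAML format.

```python
import math
import random

def lognormal_params_from_median(median, p90):
    """Median-based parameterization: a lognormal's median is exp(mu), so
    mu = ln(median); sigma then follows from the 90th percentile (z = 1.2816)."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / 1.2815515655446004
    return mu, sigma

def combined_effectiveness(layers):
    """Defense-in-depth: independent layers each stop a fraction of events,
    so what survives is the product of each layer's leakage."""
    leakage = 1.0
    for e in layers:
        if not 0.0 <= e <= 1.0:
            raise ValueError("effectiveness must be in [0, 1]")
        leakage *= 1.0 - e
    return 1.0 - leakage

def poisson_sample(rng, lam):
    """Number of loss events in one year (Knuth's multiplication method)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def run_scenario(scenario, trials=10_000, seed=7):
    """Monte Carlo of annual loss: Poisson event count at the residual
    (post-control) frequency, each event drawing a lognormal loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params_from_median(scenario["loss_median"], scenario["loss_p90"])
    residual = scenario["annual_event_frequency"] * (
        1.0 - combined_effectiveness(scenario["control_effectiveness"]))
    annual = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson_sample(rng, residual)))
        for _ in range(trials))
    return {"residual_frequency": residual,
            "mean": sum(annual) / trials,
            "median": annual[trials // 2],
            "p95": annual[int(0.95 * trials)]}

# Constructed scenario for illustration only; these keys are NOT CRML's schema.
SCENARIO = {"annual_event_frequency": 2.0,       # attempts per year before controls
            "loss_median": 100_000.0,            # median single-event loss
            "loss_p90": 500_000.0,               # 90th-percentile single-event loss
            "control_effectiveness": [0.6, 0.5]}  # two independent control layers
```

Calling `run_scenario(SCENARIO)` gives the residual event frequency (0.4 per year here) alongside the mean, median and 95th percentile of simulated annual loss.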
The language enables RaC (Risk as Code) where risk and compliance assumptions become versioned, reviewable artifacts that can be validated and executed consistently across teams and tools. CRML addresses problems where risk models are locked in spreadsheets or proprietary tools, control effectiveness assumptions are documented inconsistently, threat and control frameworks change over time without consistent machine-readable formats, and quantification engines differ causing costly rewrites.
CRML supports building Bayesian risk models like QBER, FAIR Monte Carlo engines, and enterprise risk quantification platforms. It makes models portable, assumptions explicit, and results reproducible across different quantification engines including vendor platforms, internal FAIR Monte Carlo, Bayesian QBER, and insurance actuarial models.
The target users include cyber security, compliance, and risk management professionals who need standardized, reproducible risk modeling. The repository ships with two Python packages (crml-lang for language/spec models and crml-engine for reference runtime) and a web UI called CRML Studio built with Next.js.
CRML is designed for cyber security, compliance, and risk management professionals who face challenges with locked-in risk models, inconsistent control effectiveness documentation, and brittle threat framework mappings. It serves organizations needing to justify security spend, compare risk across business units, show measured risk reduction from controls, and connect cyber risk to enterprise risk and financial planning. The language supports security architects, GRC teams, audit professionals, and risk quantification specialists working with FAIR Monte Carlo, Bayesian QBER, or actuarial models.