# Advanced OSCAL Validator Skill (`advanced-oscal-validator`)

Perform comprehensive OSCAL validation using community-inspired patterns including JSON schema validation, business rule validation, cross-reference checking, and best practices from IBM Trestle, oscal-pydantic, and Lula. Use for thorough document quality assurance.

Install this agent skill into your project:

```sh
npx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/main/skills/advanced-oscal-validator
```

The skill's `SKILL.md` follows.

Perform comprehensive OSCAL document validation using advanced patterns inspired by community tools including IBM Trestle, oscal-pydantic, and Defense Unicorns' Lula.
## When to Use This Skill

Use this skill when you need to:
- Perform thorough validation beyond basic structure
- Validate against NIST OSCAL JSON schemas
- Check business rules and best practices
- Validate cross-references and links
- Ensure FedRAMP-specific requirements are met
## ⛔ Authoritative Data Requirement

Validation checks user-provided documents against structural rules.

### What This Skill Does (Safe)

- Validates OSCAL structure and syntax
- Checks UUID formats and references
- Verifies required fields are present
- Confirms cross-references resolve
- Applies business rule logic to YOUR document
### What Requires Authoritative Sources

| Validation Type | Requires |
|---|---|
| Baseline completeness | The baseline profile being validated against |
| Control reference validation | The catalog that controls reference |
| FedRAMP-specific rules | FedRAMP baseline |

### For Baseline Validation

To validate SSP completeness against a baseline, I need both:

1. Your SSP document (provided)
2. The baseline profile it should meet (e.g., FedRAMP Moderate)

I cannot determine if controls are missing without the authoritative baseline.
## Validation Levels

| Level | Description | Checks |
|---|---|---|
| Schema | JSON schema compliance | Structure, types, required fields |
| Semantic | Business logic | UUIDs, references, dates |
| Quality | Best practices | Completeness, clarity |
| Framework | FedRAMP/NIST specific | Baseline compliance |

## Advanced Validation Categories

### Schema Validation

Validate against official NIST OSCAL JSON schemas:
- Catalog schema
- Profile schema
- SSP schema
- Component definition schema
- Assessment schemas

### UUID Validation

- Format: RFC 4122 compliant
- Uniqueness: No duplicates within document
- References: All UUID refs resolve

### Cross-Reference Validation

- Control references exist in imported catalogs
- Party references resolve within document
- Component references are valid
- Resource links are accessible

### Business Rule Validation

| Rule | Description |
|---|---|
| BIZ-001 | SSP must import a profile |
| BIZ-002 | All baseline controls must be addressed |
| BIZ-003 | Implementation status required for each control |
| BIZ-004 | Responsible parties must be defined |
| BIZ-005 | System characteristics must be complete |

### FedRAMP-Specific Validation

- All required control families present
- POA&M references valid
- Required attachments present
- Naming conventions followed

## Validation Report Structure

```text
ADVANCED VALIDATION REPORT
==========================
Document: ssp.json
Type: System Security Plan
Schema Version: 1.2.0
Validation Date: 2024-01-15

SUMMARY
-------
Schema Valid: ✅ Yes
Semantically Valid: ⚠️ Warnings
Quality Score: 85/100

SCHEMA VALIDATION
-----------------
Status: PASS
- Structure: Valid
- Required Fields: All present
- Data Types: Correct

UUID VALIDATION
---------------
Total UUIDs: 245
Unique: 245 ✅
Invalid Format: 0 ✅
Orphaned References: 2 ⚠️
- #uuid-abc123 not found
- #uuid-def456 not found

CROSS-REFERENCE VALIDATION
--------------------------
Control References: 320/325 valid
Missing: AC-1(1), CM-7(1), SI-4(2), ...
Party References: 12/12 valid ✅
Component References: 45/45 valid ✅

BUSINESS RULES
--------------
✅ BIZ-001: Profile imported
⚠️ BIZ-002: 5 controls not addressed
✅ BIZ-003: All have implementation status
✅ BIZ-004: Responsible parties defined
⚠️ BIZ-005: System boundary incomplete

QUALITY CHECKS
--------------
- Implementation narratives: 95% complete
- Evidence references: 80% complete
- Parameter values: 100% set
- Remarks clarity: Good

RECOMMENDATIONS
---------------
1. Add missing control implementations
2. Resolve orphaned UUID references
3. Complete system boundary description
```

## How to Perform Advanced Validation

### Step 1: Schema Validation

- Identify document type from root element
- Fetch appropriate NIST schema
- Validate document against schema
- Collect all schema violations

### Step 2: UUID Analysis

- Extract all UUIDs from document
- Validate format (8-4-4-4-12 hex)
- Check for duplicates
- Build reference graph
- Find orphaned references

### Step 3: Cross-Reference Check

- Extract all internal references (#uuid-...)
- Extract all control-id references
- Resolve each reference
- Report unresolved references

### Step 4: Business Rule Evaluation

Apply business rules based on document type:

**For SSP:**
- Verify profile import exists
- Check all baseline controls addressed
- Validate implementation statements present
- Confirm responsible parties assigned

**For Component Definition:**
- Verify component has title
- Check control implementations reference valid controls
- Validate capability descriptions

### Step 5: Quality Assessment

Score based on:
- Completeness of narratives
- Presence of evidence references
- Parameter value coverage
- Clarity and specificity

## Validation Patterns from Community

### From IBM Trestle

- Workspace-based validation
- Model assembly validation
- Profile resolution checking

### From oscal-pydantic

- Type-safe validation
- Field-level constraints
- Nested object validation

### From Lula

- Control validation automation
- Policy-as-code patterns
- Continuous validation

## Common Validation Issues

| Issue | Severity | Fix |
|---|---|---|
| Missing metadata.title | ERROR | Add title |
| Invalid UUID format | ERROR | Regenerate UUID |
| Orphaned reference | WARNING | Update or remove |
| Missing implementation | WARNING | Add narrative |
| Empty remarks | INFO | Add context |

## Example Usage

When asked "Thoroughly validate this SSP":

- Parse the SSP document
- Validate against OSCAL SSP schema
- Check all UUIDs for format and uniqueness
- Resolve all cross-references
- Apply SSP business rules
- Score quality metrics
- Generate comprehensive validation report
- Provide prioritized fix recommendations
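
Steps 2 to 4 of the procedure above, and the same UUID, cross-reference and business-rule passes in the usage list, as an added Python example that is not part of this skill's own code: it walks a constructed minimal SSP, checks every `uuid` for RFC 4122 format and duplicates, resolves `*-uuid(s)` keys and `#<uuid>` hrefs to find orphaned references, and evaluates BIZ-001 and BIZ-004 (BIZ-002 is left out because it needs the authoritative baseline profile). The sample document, the key-naming rules used to tell definitions from references, and the profile URL are assumptions.

```python
import re

# Constructed minimal OSCAL SSP for this demo (not a real document): one party, two
# components (one with a malformed UUID), a profile import, and a dangling ISSO reference.
SAMPLE_SSP = {"system-security-plan": {
    "uuid": "b3b4c2e6-1f3a-4d3e-9c1e-0a1b2c3d4e5f",
    "metadata": {"title": "Demo SSP",
        "parties": [{"uuid": "0f8fad5b-d9cb-469f-a165-70867728950e", "type": "organization"}],
        "responsible-parties": [
            {"role-id": "system-owner", "party-uuids": ["0f8fad5b-d9cb-469f-a165-70867728950e"]},
            {"role-id": "isso", "party-uuids": ["7c9e6679-7425-40de-944b-e07fc1f90ae7"]}]},
    "import-profile": {"href": "https://example.invalid/fedramp-moderate-profile.json"},
    "system-implementation": {"components": [
        {"uuid": "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d", "type": "software", "title": "Web app"},
        {"uuid": "not-a-uuid", "type": "service", "title": "Broken component"}]}}}

# RFC 4122 layout (8-4-4-4-12 hex) with a version nibble 1-5 and a variant nibble 8-b.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)

def walk(node, path=""):
    """Yield (json-path, key, value) for every string scalar in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, path.rsplit("/", 1)[-1].split("[")[0], node

def analyze_uuids(doc):
    """Steps 2-3: 'uuid' keys define; '*-uuid(s)' keys and '#<uuid>' hrefs reference."""
    defined, refs, bad_format = {}, [], []
    for path, key, val in walk(doc):
        if key == "uuid":
            if not UUID_RE.match(val): bad_format.append((path, val))
            defined.setdefault(val.lower(), []).append(path)
        elif key.endswith(("-uuid", "-uuids")):
            refs.append((path, val.lower()))
        elif key == "href" and val.startswith("#") and UUID_RE.match(val[1:]):
            refs.append((path, val[1:].lower()))
    return {"total": sum(len(p) for p in defined.values()), "bad_format": bad_format,
            "duplicates": {u: p for u, p in defined.items() if len(p) > 1},
            "orphaned": [(p, u) for p, u in refs if u not in defined]}

def ssp_business_rules(doc):
    """Step 4 for an SSP: BIZ-001 and BIZ-004; BIZ-002 needs the authoritative baseline."""
    ssp = doc.get("system-security-plan", {})
    responsible = ssp.get("metadata", {}).get("responsible-parties", [])
    return {"BIZ-001": bool(ssp.get("import-profile", {}).get("href")),
            "BIZ-004": any(r.get("party-uuids") for r in responsible)}
```

On the sample, `analyze_uuids` reports four UUIDs, one malformed (`components[1]`) and one orphaned ISSO party reference, which is what the report's UUID section would list.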