compliance-report-generator
Generate compliance reports from OSCAL assessment results, SSPs, and POA&Ms in various formats. Use this skill to create audit-ready documentation, executive summaries, and detailed compliance status reports.
Install this agent skill to your Project
npx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/main/skills/compliance-report-generator
Compliance Report Generator Skill
Generate professional compliance reports from OSCAL documents for audits, management reviews, and continuous monitoring.
When to Use This Skill
Use this skill when you need to:
- Create audit-ready compliance documentation
- Generate executive summary reports
- Produce detailed control implementation reports
- Create POA&M status reports
- Build the data behind compliance dashboards
⛔ Authoritative Data Requirement
Compliance reports are generated only from user-provided documents.
What This Skill Does
- Formats data FROM documents you provide into professional reports
- Calculates metrics based on YOUR document content
- Structures output for auditors and leadership
What This Skill Does NOT Do
- Generate compliance status from training knowledge
- Make up control implementation data
- Assume compliance percentages without source documents
Required Inputs
| Report Type | Required Documents |
|---|---|
| Compliance Status | SSP |
| Gap Analysis | Baseline Profile + SSP |
| Assessment Report | SAR (Assessment Results) |
| POA&M Report | POA&M document |
All Data Comes From Your Documents
To generate a compliance report, I need:
• Your SSP, POA&M, or assessment results document
• [For gap analysis] Your baseline profile
All metrics and status information will come directly from these documents. I will not generate compliance data from assumptions.
Report Types
| Type | Audience | Content |
|---|---|---|
| Executive Summary | Leadership | High-level metrics, risks, status |
| Compliance Status | Auditors | Control-by-control status |
| Assessment Report | Security Team | Detailed findings |
| POA&M Report | Program Managers | Remediation tracking |
| Gap Analysis | Implementers | Missing controls, recommendations |
Report Formats
- Markdown - Portable, version-controllable
- HTML - Interactive, shareable
- JSON - Machine-readable, API-friendly
- Text - Simple, universal
Report Components
Executive Summary
- Overall compliance percentage
- Risk level summary
- Key findings (top 3-5)
- Trend comparison
- Next steps
Compliance Metrics (each percentage is that status's share of all controls, rounded; the weighted Compliance Score defined later in this document excludes Not Applicable controls and is reported separately)
Total Controls: 325
Implemented: 287 (88%)
Partially Implemented: 25 (8%)
Planned: 10 (3%)
Not Applicable: 3 (1%)
Control Status Table
| Control | Title | Status | Evidence | Notes |
|---|---|---|---|---|
| AC-1 | Policy | ✅ Implemented | DOC-001 | Complete |
| AC-2 | Account Mgmt | ⚠️ Partial | DOC-002 | MFA pending |
Findings Summary
| Severity | Count | Description |
|---|---|---|
| Critical | 2 | Immediate action required |
| High | 5 | 30-day remediation |
| Moderate | 12 | 60-day remediation |
| Low | 8 | Monitor and address |
How to Generate Reports
Step 1: Gather Data
From the OSCAL document, extract:
- Metadata (system name, date, version)
- Control implementations
- Assessment results (if available)
- POA&M items (if available)
Step 2: Calculate Metrics
Compute:
- Implementation percentages by status
- Controls by family
- Findings by severity
- Trend data (if historical data available)
Step 3: Structure Content
For Executive Summary:
- System identification
- Overall compliance score
- Risk level
- Top findings
- Recommendations
For Detailed Report:
- Introduction and scope
- Methodology
- Compliance by control family
- Detailed findings
- Evidence references
- Recommendations
- Appendices
Step 4: Format Output
Markdown Format:
# Compliance Assessment Report
## Executive Summary
**System:** Cloud Infrastructure
**Assessment Date:** 2024-01-15
**Overall Compliance:** 88%
**Risk Level:** Moderate
## Key Findings
1. **MFA Not Fully Deployed** (HIGH)
- Impact: Credential theft risk
- Recommendation: Deploy MFA to all users by Q1
2. **Log Retention Below Policy** (MODERATE)
- Impact: Forensic capability limited
- Recommendation: Extend retention to 90 days
Document-Specific Reports
From SSP
- System description
- Control implementation status
- Responsible parties
- Implementation narratives
From Assessment Results
- Assessment findings
- Risk determinations
- Evidence collected
- Assessor observations
From POA&M
- Open findings
- Remediation status
- Milestone tracking
- Resource allocation
Compliance Score Calculation
Compliance Score = (Implemented + (Partial × 0.5)) / (Total - Not_Applicable) × 100
Example:
- Implemented: 280
- Partial: 20
- Planned: 10
- N/A: 15
- Total: 325
Score = (280 + (20 × 0.5)) / (325 - 15) × 100 = 93.5%
Planned controls and controls whose status the document does not state contribute 0 to the numerator but stay in the denominator, so missing data lowers the score instead of inflating it. The score is undefined when every control is Not Applicable. OSCAL also allows an `alternative` status (a compensating implementation); state in the report whether it is counted as Implemented rather than folding it in silently.
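The following is an added example, not code from the compliance-report-generator skill or the OSCAL-GRC-SKILLS repository. It carries Steps 1, 2 and 4 above and the score formula through in one place: it reads implementation statuses out of an OSCAL SSP (from the `implementation-status` prop on each implemented-requirement, or from `implementation-status.state` on its by-components), counts them overall and by control family, computes the weighted score with the caveats just described, and renders the Compliance Metrics block. The SSP fragment, the `requirement_status`/`count_statuses`/`compliance_score`/`metrics_markdown` names, and the rule for combining by-component states are all assumptions made for this example.

```python
"""Added example (not part of the compliance-report-generator skill's own code):
derive the Compliance Metrics block and the weighted Compliance Score from an
OSCAL SSP. The SSP fragment below is constructed for illustration."""
import json
from collections import Counter, defaultdict

# Constructed OSCAL SSP fragment. A status may be recorded as an
# implementation-status prop on the implemented-requirement or as
# implementation-status.state on a by-component entry; ac-5 records neither.
SAMPLE_SSP = json.dumps({"system-security-plan": {
    "metadata": {"title": "Example System", "version": "1.0",
                 "last-modified": "2024-01-15T00:00:00Z"},
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-1", "props": [{"name": "implementation-status", "value": "implemented"}]},
        {"control-id": "ac-2", "props": [{"name": "implementation-status", "value": "partial"}]},
        {"control-id": "ac-3", "by-components": [
            {"component-uuid": "c1", "implementation-status": {"state": "implemented"}},
            {"component-uuid": "c2", "implementation-status": {"state": "implemented"}}]},
        {"control-id": "au-11", "props": [{"name": "implementation-status", "value": "planned"}]},
        {"control-id": "ac-5"},
        {"control-id": "pe-1", "props": [{"name": "implementation-status", "value": "not-applicable"}]},
    ]}}})


def requirement_status(req):
    """Status of one implemented-requirement; 'unknown' if the SSP states none.

    A requirement-level prop wins. Otherwise the by-component states are
    combined conservatively (assumed rule): all implemented -> implemented;
    any implemented or partial -> partial; else the first recorded state."""
    for prop in req.get("props", []):
        if prop.get("name") == "implementation-status":
            return prop["value"]
    states = [bc.get("implementation-status", {}).get("state")
              for bc in req.get("by-components", [])]
    states = [s for s in states if s]
    if not states:
        return "unknown"
    if all(s == "implemented" for s in states):
        return "implemented"
    if any(s in ("implemented", "partial") for s in states):
        return "partial"
    return states[0]


def count_statuses(ssp_json):
    """Counter of status -> number of controls, plus a per-family Counter."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp["control-implementation"]["implemented-requirements"]
    overall, by_family = Counter(), defaultdict(Counter)
    for req in reqs:
        status = requirement_status(req)
        overall[status] += 1
        by_family[req["control-id"].split("-")[0].upper()][status] += 1
    return overall, dict(by_family)


def compliance_score(counts):
    """(Implemented + 0.5*Partial) / (Total - Not_Applicable) * 100, or None
    when no control is applicable. Unknown and planned controls stay in the
    denominator, so missing data lowers the score instead of inflating it."""
    applicable = sum(counts.values()) - counts.get("not-applicable", 0)
    if applicable == 0:
        return None
    weighted = counts.get("implemented", 0) + 0.5 * counts.get("partial", 0)
    return round(100 * weighted / applicable, 1)


def metrics_markdown(ssp_json):
    """Render the Compliance Metrics block in the page's Markdown layout."""
    meta = json.loads(ssp_json)["system-security-plan"]["metadata"]
    counts, by_family = count_statuses(ssp_json)
    total = sum(counts.values())
    score = compliance_score(counts)
    lines = [f"**System:** {meta['title']} (v{meta['version']}, {meta['last-modified'][:10]})",
             f"**Overall Compliance:** {'n/a' if score is None else f'{score}%'}",
             f"Total Controls: {total}"]
    for status in ("implemented", "partial", "planned", "alternative", "not-applicable", "unknown"):
        n = counts.get(status, 0)
        if n:  # 'unknown' is listed, never silently counted as implemented
            lines.append(f"{status.replace('-', ' ').title()}: {n} ({round(100 * n / total)}%)")
    lines.append("By Family: " + ", ".join(
        f"{fam} {c.get('implemented', 0)}/{sum(c.values())} implemented"
        for fam, c in sorted(by_family.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    print(metrics_markdown(SAMPLE_SSP))
```

On the constructed fragment the score is 50.0% (two implemented plus half of one partial over five applicable controls), and the `Unknown: 1` line surfaces ac-5 as a gap in the source document rather than letting it pass as implemented.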
Report Templates
FedRAMP Status Report
AUTHORIZATION STATUS REPORT
===========================
System: [Name]
Authorization Date: [Date]
Sponsor: [Agency]
Current Status: [Authorized/In Progress]
Continuous Monitoring: [Active/Issues]
Control Summary:
- Baseline: [Moderate/High]
- Total Controls: [N]
- Implemented: [N] ([%])
POA&M Summary:
- Open Items: [N]
- Overdue: [N]
- Closed (30 days): [N]
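An added example, not the skill's own code, for filling the POA&M Summary lines of the status report above from an OSCAL POA&M. It assumes each entry in the document's `risks` list carries the OSCAL `status` token (`open`, `investigating`, `remediating`, `deviation-requested`, `deviation-approved`, `closed`) and an optional `deadline`, and that the closing date of a closed risk is the `start` of the risk-log entry whose `status-change` is `closed`. The POA&M fragment, the `poam_summary`/`summary_text` names and the choice to treat a deviation-approved risk as open but not overdue are assumptions made for this example.

```python
"""Added example (not the compliance-report-generator skill's code): compute the
Open / Overdue / Closed (30 days) counts of the FedRAMP status report from the
risks in an OSCAL POA&M. The POA&M fragment is constructed for illustration."""
import json
from datetime import datetime, timedelta

# Constructed OSCAL POA&M fragment: two open risks (one past its deadline),
# two closed ones (one within the last 30 days), one approved deviation.
SAMPLE_POAM = json.dumps({"plan-of-action-and-milestones": {"risks": [
    {"uuid": "r1", "title": "MFA not enforced for admins", "status": "remediating",
     "deadline": "2024-02-15T00:00:00Z"},
    {"uuid": "r2", "title": "Log retention below policy", "status": "open",
     "deadline": "2023-12-01T00:00:00Z"},
    {"uuid": "r3", "title": "Unpatched web server", "status": "closed",
     "risk-log": {"entries": [
         {"start": "2023-11-20T00:00:00Z", "status-change": "remediating"},
         {"start": "2024-01-05T00:00:00Z", "status-change": "closed"}]}},
    {"uuid": "r4", "title": "Weak TLS ciphers", "status": "closed",
     "risk-log": {"entries": [{"start": "2023-10-01T00:00:00Z", "status-change": "closed"}]}},
    {"uuid": "r5", "title": "Legacy protocol in scope", "status": "deviation-approved",
     "deadline": "2023-11-01T00:00:00Z"},
]}})


def parse_ts(value):
    """OSCAL date-time-with-timezone -> aware datetime ('Z' suffix accepted)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def closed_on(risk):
    """Closure timestamp from the risk log, or None if none was recorded."""
    entries = risk.get("risk-log", {}).get("entries", [])
    closes = [parse_ts(e["start"]) for e in entries if e.get("status-change") == "closed"]
    return max(closes) if closes else None


def poam_summary(poam_json, as_of):
    """Counts for the report as of the ISO timestamp `as_of`.

    Everything not 'closed' is an open item. A deviation-approved risk stays
    open (it is still tracked) but is not overdue, because its deadline has
    been formally waived (assumed rule). A closed risk without a logged
    closure date is never counted in the 30-day window."""
    now = parse_ts(as_of)
    window_start = now - timedelta(days=30)
    risks = json.loads(poam_json)["plan-of-action-and-milestones"].get("risks", [])
    summary = {"open": 0, "overdue": 0, "closed_30d": 0, "overdue_ids": []}
    for risk in risks:
        if risk.get("status") == "closed":
            done = closed_on(risk)
            if done is not None and window_start <= done <= now:
                summary["closed_30d"] += 1
            continue
        summary["open"] += 1
        deadline = risk.get("deadline")
        if deadline and risk["status"] != "deviation-approved" and parse_ts(deadline) < now:
            summary["overdue"] += 1
            summary["overdue_ids"].append(risk["uuid"])
    return summary


def summary_text(summary):
    """Render the POA&M Summary lines in the status report's plain-text layout."""
    return "\n".join(["POA&M Summary:",
                      f"- Open Items: {summary['open']}",
                      f"- Overdue: {summary['overdue']}",
                      f"- Closed (30 days): {summary['closed_30d']}"])


if __name__ == "__main__":
    print(summary_text(poam_summary(SAMPLE_POAM, "2024-01-15T00:00:00Z")))
```

Passing the report date explicitly keeps the output reproducible for an auditor re-running the report later; the `overdue_ids` list is what you would carry into the POA&M Report's remediation tracking table.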
ISO 27001 Compliance Report
ISO 27001 COMPLIANCE REPORT
===========================
Organization: [Name]
Scope: [Description]
Report Date: [Date]
Statement of Applicability:
- Applicable Controls: [N]
- Implemented: [N] ([%])
- Excluded: [N] (with justification)
By Domain:
- A.5 Information Security Policies: [%]
- A.6 Organization of Information Security: [%]
...
(Domain names above follow ISO/IEC 27001:2013 Annex A. The 2022 edition regroups controls into A.5 Organizational, A.6 People, A.7 Physical and A.8 Technological controls, so state which edition the Statement of Applicability is written against.)
Example Usage
When asked "Generate a compliance report for this SSP":
- Parse the SSP document
- Extract metadata and system info
- Count controls by implementation status
- Calculate compliance percentage
- Identify top risks and gaps
- Generate formatted report
- Include recommendations