Agent skill

controls-extractor

Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.


Install this agent skill to your Project

npx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/main/skills/controls-extractor

SKILL.md

Controls Extractor Skill

Extract, analyze, and report on security controls from OSCAL documents including catalogs, profiles, and system security plans.

When to Use This Skill

Use this skill when you need to:

  • List all controls in a catalog or profile
  • Extract control statements and guidance
  • Analyze control families and hierarchies
  • Find controls by ID, family, or keyword
  • Get control statistics and coverage metrics
  • Identify control enhancements

⛔ Authoritative Data Requirement

Control extraction works only on user-provided OSCAL documents.

What This Skill Does

  • Parses and extracts data from OSCAL documents you provide
  • Analyzes structure and relationships within your documents
  • Summarizes and reports on what's IN your documents

What This Skill Does NOT Do

  • Generate control lists from training knowledge
  • Provide control definitions without a catalog document
  • Assume what controls exist in a baseline you haven't provided

Required Input

Task                   Required document
List controls          Catalog or profile (JSON, YAML or XML)
Get control text       Catalog containing the control definitions (a profile alone only selects controls; it carries no statement text)
Analyze SSP controls   SSP document
Compare to baseline    Both the baseline profile AND the SSP (plus the catalog, if titles or text are to be reported)

If User Asks Without Providing Document

I need the OSCAL document to extract controls from.

For NIST 800-53 controls, you can:
1. Upload the catalog file, or
2. I can fetch from: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

I cannot list controls from memory — compliance requires authoritative sources.

Control Structure

OSCAL security controls have this hierarchy:

Control Family (Group)
└── Control (e.g., AC-1)
    ├── Statement (requirement text)
    ├── Guidance (implementation guidance)
    ├── Parameters (configurable values)
    ├── Parts (additional sections)
    └── Enhancements (sub-controls like AC-1(1))

Control Families (NIST SP 800-53 Rev 5)

Family  Name                                       Description
AC      Access Control                             User access management
AT      Awareness and Training                     Security training
AU      Audit and Accountability                   Logging and monitoring
CA      Assessment, Authorization, and Monitoring  Security assessments
CM      Configuration Management                   System configurations
CP      Contingency Planning                       Disaster recovery
IA      Identification and Authentication          User identity
IR      Incident Response                          Security incidents
MA      Maintenance                                System maintenance
MP      Media Protection                           Media handling
PE      Physical and Environmental Protection      Physical security
PL      Planning                                   Security planning
PM      Program Management                         Security program
PS      Personnel Security                         Personnel controls
PT      PII Processing and Transparency            Privacy handling of PII
RA      Risk Assessment                            Risk management
SA      System and Services Acquisition            Development and acquisition security
SC      System and Communications Protection       Network security
SI      System and Information Integrity           Data integrity
SR      Supply Chain Risk Management               Supply chain security

Treat this table as orientation only. The authoritative family list is the set of groups (group id and title) in the catalog you were given; reading families from the document is also what makes the same extraction work for catalogs of other frameworks.

How to Extract Controls

Step 1: Identify Document Type

  • Catalog: Contains control definitions
  • Profile: Contains control selections/customizations
  • SSP: Contains control implementations

Step 2: Navigate to Controls

From Catalog:

catalog → groups → controls (→ controls for enhancements)

Controls may also sit directly under catalog without a group. Enhancements are nested in the parent control's own controls array. In the NIST content, ids are lowercase ("ac-1", enhancement "ac-2.1") and the human-readable form ("AC-1", "AC-2(1)") is held in the control's label prop.

From Profile:

profile → imports → include-controls → with-ids (or include-all, or matching patterns), minus exclude-controls

A profile only selects and tailors controls; it carries no control text. To list or describe the selected controls, resolve the selection against the catalog named by each import's href, which the user must also provide.

From SSP:

system-security-plan → control-implementation → implemented-requirements → control-id

The SSP's import-profile → href names the baseline it claims to satisfy; the baseline document itself must be provided separately.

Step 3: Extract Control Details

For each control, extract:

  • id: Control identifier as stored (e.g., "ac-1"); report the label prop ("AC-1") alongside it
  • title: Human-readable name
  • class: Control classification (in the NIST content, "SP800-53" or "SP800-53-enhancement")
  • parts: Statement, guidance, etc.
  • params: Configurable values (id, label, and optional select choices or assigned values)
  • props (properties): label, sort-id, status, etc. A control with status = "withdrawn" must be reported as withdrawn, not counted as a live requirement. Baseline membership is normally not a property of the control: in the NIST content it is expressed by the separate LOW/MODERATE/HIGH baseline profiles.
  • controls: Enhancements (nested)

Step 4: Extract Parts

Control parts are identified by their name field. In the NIST SP 800-53 content the names are:

  • statement: The actual requirement; a multi-item statement holds sub-parts named item, each with a label prop ("a.", "1.") and its own prose
  • guidance: Implementation guidance
  • assessment-objective: Assessment objectives
  • assessment-method: Assessment methods (with their assessment-objects)

To extract statement text:

  1. Find the part with name="statement"
  2. Get the prose field for text
  3. If the part has sub-parts, extract each in order, keeping its label
  4. Resolve parameter markers of the form {{ insert: param, <param-id> }} against the control's params (the assigned value if the document sets one, otherwise the parameter label) instead of reporting the raw marker

Control Statistics

When analyzing controls, calculate:

  • Total control count (exclude withdrawn controls and count them separately)
  • Controls by family (use the group each control sits in)
  • Enhancement count (nested controls), reported separately from base controls
  • Baseline distribution (LOW/MOD/HIGH), only when the corresponding baseline profiles have been provided
  • Parameter count
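The four extraction steps above, the statistics, and the family filter described further down, as one added Python example. This is not code from the controls-extractor skill or the OSCAL-GRC-SKILLS repository; it reads the OSCAL JSON model field names (groups, controls, parts, params, props, prose) as the NIST Rev 5 content uses them, identifies the document type by its single top-level key ("catalog", "profile" or "system-security-plan"), and runs against SAMPLE_CATALOG, a constructed fragment whose ids, titles and prose are placeholders rather than NIST text.

```python
"""Walk an OSCAL catalog (JSON model) and pull out control details.

Added example, not code from the controls-extractor skill. Field names follow
the OSCAL JSON model (groups, controls, parts, params, props, prose) and the
NIST Rev 5 conventions (lowercase ids like "ac-2.1", a "label" prop like
"AC-2(1)", "{{ insert: param, <id> }}" markers). SAMPLE_CATALOG is constructed.
"""
import re
from collections import Counter

SAMPLE_CATALOG = {"catalog": {"groups": [
    {"id": "ac", "class": "family", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Policy and Procedures", "class": "SP800-53",
         "props": [{"name": "label", "value": "AC-1"}],
         "params": [{"id": "ac-01_odp.01", "label": "personnel or roles"}],
         "parts": [
             {"id": "ac-1_smt", "name": "statement", "parts": [
                 {"id": "ac-1_smt.a", "name": "item", "props": [{"name": "label", "value": "a."}],
                  "prose": "Disseminate the policy to {{ insert: param, ac-01_odp.01 }}."}]},
             {"id": "ac-1_gdn", "name": "guidance", "prose": "Policy addresses purpose and scope."}]},
        {"id": "ac-2", "title": "Account Management", "class": "SP800-53",
         "props": [{"name": "label", "value": "AC-2"}],
         "parts": [{"id": "ac-2_smt", "name": "statement", "prose": "Manage system accounts."}],
         "controls": [{"id": "ac-2.1", "title": "Automated System Account Management",
                       "class": "SP800-53-enhancement", "props": [{"name": "label", "value": "AC-2(1)"}],
                       "parts": [{"id": "ac-2.1_smt", "name": "statement", "prose": "Automate it."}]}]},
        {"id": "ac-3", "title": "Withdrawn Example", "props": [{"name": "status", "value": "withdrawn"}]}]},
    {"id": "au", "class": "family", "title": "Audit and Accountability", "controls": [
        {"id": "au-1", "title": "Policy and Procedures", "props": [{"name": "label", "value": "AU-1"}],
         "parts": [{"id": "au-1_smt", "name": "statement", "prose": "Develop an audit policy."}]}]}]}}

PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")

def prop(obj, name, default=None):
    """Value of the first prop with this name (label, sort-id, status, ...)."""
    return next((p.get("value") for p in obj.get("props", []) if p.get("name") == name), default)

def iter_controls(controls, family=None):
    """Step 2: depth-first over controls and their nested enhancements."""
    for ctl in controls or []:
        yield ctl, family
        yield from iter_controls(ctl.get("controls"), family)

def catalog_controls(doc):
    """All (control, family id) pairs; controls may sit in groups or at the top level."""
    cat = doc["catalog"]
    for group in cat.get("groups", []):
        yield from iter_controls(group.get("controls"), group.get("id"))
    yield from iter_controls(cat.get("controls"))

def part_text(part, params):
    """Step 4: flatten a part and its sub-parts (statement items carry a label prop),
    replacing each parameter insert marker with the parameter label in brackets."""
    lines = []
    if part.get("prose"):
        text = PARAM_RE.sub(lambda m: "[" + params.get(m.group(1), m.group(1)) + "]", part["prose"])
        label = prop(part, "label")
        lines.append(f"{label} {text}" if label else text)
    lines.extend(part_text(sub, params) for sub in part.get("parts", []))
    return "\n".join(line for line in lines if line)

def is_enhancement(ctl):
    """NIST ids use a dot for enhancements: "ac-2.1" is AC-2(1)."""
    return "." in ctl["id"]

def extract_control(ctl):
    """Step 3: the fields the skill reports for one control."""
    params = {p["id"]: p.get("label", p["id"]) for p in ctl.get("params", [])}
    parts = {p["name"]: part_text(p, params) for p in ctl.get("parts", [])}
    return {"id": ctl["id"], "label": prop(ctl, "label", ctl["id"].upper()),
            "title": ctl.get("title"), "class": ctl.get("class"),
            "statement": parts.get("statement", ""), "guidance": parts.get("guidance", ""),
            "params": sorted(params), "enhancements": [e["id"] for e in ctl.get("controls", [])],
            "withdrawn": prop(ctl, "status") == "withdrawn"}

def find_by_family(doc, family_id):
    """Filter by family using the group id, not a string prefix on the control id."""
    return [extract_control(c) for c, fam in catalog_controls(doc) if fam == family_id.lower()]

def catalog_stats(doc):
    """Counts the skill reports; withdrawn controls are tallied but not counted as live."""
    stats = {"controls": 0, "enhancements": 0, "withdrawn": 0, "params": 0, "by_family": Counter()}
    for ctl, fam in catalog_controls(doc):
        if prop(ctl, "status") == "withdrawn":
            stats["withdrawn"] += 1
            continue
        stats["params"] += len(ctl.get("params", []))
        if is_enhancement(ctl):
            stats["enhancements"] += 1
        else:
            stats["controls"] += 1
            stats["by_family"][fam] += 1
    return stats

if __name__ == "__main__":
    print(catalog_stats(SAMPLE_CATALOG))
    for ctl in find_by_family(SAMPLE_CATALOG, "ac"):
        print(ctl["label"], ctl["title"], "->", ctl["statement"].replace("\n", " | "))
```

Two design points worth noting. Family membership comes from the group the control sits in rather than from a prefix match on the id, so the same code works for catalogs whose ids do not follow the NIST "xx-n" pattern. The withdrawn control is still returned by find_by_family (flagged withdrawn) so it can be listed, but catalog_stats leaves it out of the live totals, which is the behaviour a gap report needs.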

Filtering Controls

By Family

Use the group the control belongs to, or the id prefix including the hyphen (e.g., "ac-"). Ids in the NIST content are lowercase, so compare case-insensitively. Include nested enhancements, since they belong to the same family.

By Baseline

If a control carries a baseline-impact property, filter on its values:

  • LOW
  • MODERATE
  • HIGH

The NIST Rev 5 content does not tag controls this way; baseline membership is expressed by the separate LOW, MODERATE and HIGH baseline profiles. Ask for the relevant profile and resolve its selection against the catalog.

By Status (in SSP)

Check the implementation-status prop on each implemented-requirement, and on its by-components, which may each carry their own. The OSCAL values are:

  • implemented
  • partial
  • planned
  • alternative
  • not-applicable

Older or vendor-specific documents may use variants such as "partially-implemented"; report the value as written rather than normalizing it silently.

Output Format

When extracting controls, provide:

CONTROLS SUMMARY
================
Total Controls: X
Enhancements: Y

By Family:
- AC (Access Control): N controls
- AU (Audit): N controls
...

Control Details:
- AC-1: Access Control Policy and Procedures
  Statement: [requirement text]
  Guidance: [implementation guidance]
  Enhancements: AC-1(1), AC-1(2)

Example Usage

When asked "What access control requirements are in this catalog?":

  1. Parse the catalog
  2. Filter controls in the AC group (ids starting with "ac-"), including nested enhancements
  3. For each control:
    • Extract ID, label and title
    • Get statement text with parameters resolved
    • Note any enhancements and whether the control is withdrawn
  4. Report total count (base controls and enhancements separately)
  5. List each control with key details

When asked "What controls are missing in this SSP?":

  1. Parse the SSP
  2. Identify the imported profile/baseline from import-profile → href, and ask for it if it was not provided
  3. Get required controls from the baseline (include-controls minus exclude-controls; include-all and matching selections need the catalog as well)
  4. Extract implemented controls from the SSP (control-id of each implemented-requirement, with its implementation-status)
  5. Compare the lists by control-id, case-insensitively
  6. Report gaps with control IDs and titles (titles come from the catalog): controls with no implemented-requirement at all, and separately controls that are present but partial or planned
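The second scenario, as an added Python example that is not code from the controls-extractor skill or its repository. It resolves a profile's explicit with-ids selection (refusing include-all and pattern selections, which cannot be resolved without the catalog), reads the implementation-status prop from each implemented-requirement and its by-components, and reports missing, incomplete and extra controls. SAMPLE_PROFILE and SAMPLE_SSP are constructed fragments; their hrefs and component UUIDs are placeholders, and the rule that the least complete status wins when one requirement carries several is this example's own choice.

```python
"""Baseline profile versus SSP gap report.

Added example, not code from the controls-extractor skill. It reads the OSCAL JSON
fields profile.imports[].include-controls[].with-ids and exclude-controls, and
system-security-plan.control-implementation.implemented-requirements[].control-id
with the implementation-status prop (implemented, partial, planned, alternative,
not-applicable). SAMPLE_PROFILE and SAMPLE_SSP are constructed fragments; the
hrefs and component UUIDs in them are placeholders.
"""
from collections import Counter

SAMPLE_PROFILE = {"profile": {"imports": [{
    "href": "NIST_SP-800-53_rev5_catalog.json",
    "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "au-1", "au-2"]}],
    "exclude-controls": [{"with-ids": ["au-2"]}]}]}}

SAMPLE_SSP = {"system-security-plan": {
    "import-profile": {"href": "baseline-profile.json"},
    "control-implementation": {"implemented-requirements": [
        {"control-id": "ac-1", "props": [{"name": "implementation-status", "value": "implemented"}]},
        {"control-id": "ac-2", "props": [{"name": "implementation-status", "value": "partial"}]},
        {"control-id": "au-1", "by-components": [
            {"component-uuid": "11111111-1111-4111-8111-111111111111",
             "props": [{"name": "implementation-status", "value": "implemented"}]},
            {"component-uuid": "22222222-2222-4222-8222-222222222222",
             "props": [{"name": "implementation-status", "value": "planned"}]}]},
        {"control-id": "sc-7", "props": [{"name": "implementation-status", "value": "implemented"}]}]}}}

# Statuses that satisfy a baseline requirement.
SATISFIED = {"implemented", "not-applicable"}
# When one requirement carries several statuses (e.g. one per component), the least
# complete one wins and unknown values rank last. This ordering is the example's own rule.
RANK = {"not-applicable": 0, "implemented": 0, "alternative": 1, "partial": 2, "planned": 3}

def prop(obj, name):
    """Value of the first prop with this name, or None."""
    return next((p.get("value") for p in obj.get("props", []) if p.get("name") == name), None)

def baseline_control_ids(profile):
    """Resolve the profile's explicit selections to a set of lowercase control ids.
    include-all and "matching" selections need the imported catalog, so they are
    refused rather than guessed, in line with the skill's authoritative-data rule."""
    selected = set()
    for imp in profile["profile"].get("imports", []):
        if "include-all" in imp:
            raise ValueError(f"{imp.get('href')}: include-all requires resolving the catalog")
        for sel in imp.get("include-controls", []):
            if "matching" in sel:
                raise ValueError(f"{imp.get('href')}: pattern selection requires resolving the catalog")
            selected.update(i.lower() for i in sel.get("with-ids", []))
        for sel in imp.get("exclude-controls", []):
            selected.difference_update(i.lower() for i in sel.get("with-ids", []))
    return selected

def ssp_statuses(ssp):
    """control-id -> one status, taken from the requirement and each of its by-components."""
    reqs = ssp["system-security-plan"]["control-implementation"].get("implemented-requirements", [])
    statuses = {}
    for req in reqs:
        found = [prop(req, "implementation-status")]
        found += [prop(bc, "implementation-status") for bc in req.get("by-components", [])]
        found = [s for s in found if s]
        statuses[req["control-id"].lower()] = max(found, key=lambda s: RANK.get(s, 99)) if found else "unknown"
    return statuses

def gap_report(profile, ssp):
    """Compare required (baseline) against implemented (SSP) control ids."""
    required = baseline_control_ids(profile)
    status = ssp_statuses(ssp)
    present = set(status)
    return {
        "missing": sorted(required - present),                 # no implemented-requirement at all
        "incomplete": sorted(c for c in required & present if status[c] not in SATISFIED),
        "extra": sorted(present - required),                   # implemented but not in the baseline
        "status_counts": Counter(status[c] for c in required & present),
    }

if __name__ == "__main__":
    for key, value in gap_report(SAMPLE_PROFILE, SAMPLE_SSP).items():
        print(f"{key}: {value}")
```

In the sample, au-1 is implemented by one component and planned by another, so the report lists it as incomplete rather than satisfied; ac-2.1 is required by the baseline but has no implemented-requirement, which is the "missing" case the skill's output should surface first.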

Related skills in euCann/OSCAL-GRC-SKILLS

  • oscal-control-mapper: Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.
  • oscal-validator: Validate OSCAL documents for structural integrity, schema compliance, and OSCAL-specific requirements. Use this skill to check if OSCAL documents are properly formatted and meet NIST OSCAL specifications before processing.
  • control-implementation-generator: Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.
  • oscal-visualizer: Create visual diagrams and representations of OSCAL documents including control hierarchies, component relationships, implementation flows, and SSP overviews. Inspired by oscal-diagrams and community visualization tools.
  • oscal-text-converter: Convert OSCAL documents between formats (JSON, YAML, XML) and to human-readable formats like Markdown or plain text. Use for document transformation, reporting, and making OSCAL data accessible to non-technical stakeholders.
  • workflow-orchestrator: Orchestrate complex multi-step OSCAL compliance workflows by combining multiple skills. Use this skill for end-to-end compliance automation like FedRAMP package reviews, continuous monitoring, and gap assessments.
