Agent skill

oscal-control-mapper

Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.

View SKILL.md on GitHub Repository
Stars 6
Forks 1

Install this agent skill to your Project

npx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/main/skills/oscal-control-mapper

SKILL.md

OSCAL Control Mapper Skill

Create and analyze OSCAL 1.2.0 Control Mapping documents to establish formal, machine-readable relationships between security controls across different frameworks.

When to Use This Skill

Use this skill when you need to:

  • Map controls between different frameworks (NIST 800-53 ↔ ISO 27001)
  • Document control equivalencies and relationships
  • Identify gaps when transitioning between frameworks
  • Create harmonized control sets for multi-framework compliance
  • Generate mapping documentation for auditors
  • Analyze existing control mapping documents

⛔ Authoritative Data Requirement

Control mapping requires authoritative catalogs for both source and target frameworks.

What This Skill Does (Safe)

  • Creates OSCAL Control Mapping document structure
  • Defines relationship types (equal, subset, superset, intersects, not-equal)
  • Documents mapping rationale and notes
  • Validates mapping document structure

What Requires Authoritative Sources

Element Source Needed
Source control IDs Source catalog (e.g., NIST 800-53)
Target control IDs Target catalog (e.g., ISO 27001)
Control text/requirements Both catalogs

When Creating Mappings

To create a control mapping, I need:
• Source framework catalog (e.g., NIST 800-53 Rev 5)
• Target framework catalog (e.g., ISO 27001:2022)
• Your mapping analysis or documented equivalencies

I will NOT generate mappings from training data — only from authoritative sources.

What is the Control Mapping Model?

New in OSCAL 1.2.0 (December 2025), the Control Mapping model provides a standardized way to express relationships between controls in different frameworks.

Key Concepts

Concept Description
Control Mapping Document defining relationships between controls
Mapping Entry Single relationship between source and target control(s)
Relationship Type Nature of the mapping (equal, subset, superset, etc.)
Mapping Collection Grouped set of related mappings

Relationship Types

Type Description Example
equal Controls are functionally equivalent NIST AC-2 = ISO 27001 A.9.2.1
subset Source is narrower than target NIST AC-2(1) ⊂ ISO 27001 A.9.2.1
superset Source is broader than target NIST AC-2 ⊃ ISO 27001 A.9.2.1
intersects Partial overlap between controls NIST SC-7 ∩ ISO 27001 A.13.1.1
not-equal Controls address different requirements NIST AC-1 ≠ ISO 27001 A.5.1.1

Control Mapping Structure

yaml
control-mappings:
  uuid: [unique-id]
  metadata:
    title: "NIST 800-53 to ISO 27001 Mapping"
    version: "1.0"
    oscal-version: "1.2.0"
    last-modified: "2026-01-20T00:00:00Z"
  
  # Define the frameworks being mapped
  import-control-schemes:
    - href: "#nist-800-53-rev5"
      scheme: "nist-800-53-rev5"
    - href: "#iso-27001-2022"
      scheme: "iso-27001-2022"
  
  # Mapping entries
  control-mapping-set:
    - uuid: [set-uuid]
      title: "Access Control Mappings"
      description: "Mappings for access control requirements"
      
      control-mappings:
        - uuid: [mapping-uuid]
          source:
            control-id: "ac-2"
            scheme: "nist-800-53-rev5"
          
          target:
            - control-id: "a.9.2.1"
              scheme: "iso-27001-2022"
          
          relationship: "equal"
          
          remarks: |
            Both controls require account management procedures
            including creation, modification, and removal.

How to Create Control Mappings

Step 1: Obtain Required Catalogs

You need OSCAL catalogs for both frameworks:

  • Use the oscal-catalog-provider skill for NIST 800-53, FedRAMP
  • Request ISO, CIS, or other framework catalogs from the user

Step 2: Define Mapping Document Metadata

json
{
  "control-mappings": {
    "uuid": "[generate-uuid]",
    "metadata": {
      "title": "Framework A to Framework B Control Mapping",
      "version": "1.0",
      "oscal-version": "1.2.0",
      "last-modified": "[current-date]",
      "roles": [
        {
          "id": "mapper",
          "title": "Control Mapping Analyst"
        }
      ],
      "parties": [
        {
          "uuid": "[party-uuid]",
          "type": "organization",
          "name": "Your Organization"
        }
      ]
    }
  }
}

Step 3: Import Control Schemes

Define the frameworks being mapped:

json
"import-control-schemes": [
  {
    "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
    "scheme": "nist-800-53-rev5"
  },
  {
    "href": "#iso-27001-catalog",
    "scheme": "iso-27001-2022"
  }
]

Step 4: Create Mapping Sets

Group related mappings logically:

json
"control-mapping-set": [
  {
    "uuid": "[set-uuid]",
    "title": "Access Control Mappings",
    "description": "Mappings for access control domain",
    "control-mappings": [
      // Individual mappings here
    ]
  }
]

Step 5: Define Individual Mappings

For each control relationship:

json
{
  "uuid": "[mapping-uuid]",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "equal",
  "remarks": "Both require account management lifecycle procedures"
}

Step 6: Handle Complex Mappings

One-to-Many Mapping

json
{
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.2",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset"
}

Many-to-One Mapping

Create separate mapping entries for each source control pointing to the same target.

Partial Coverage

json
{
  "source": {
    "control-id": "sc-7",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.13.1.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "intersects",
  "remarks": "NIST SC-7 covers boundary protection broadly; ISO A.13.1.1 focuses on network controls. Partial overlap."
}

Analyzing Existing Mappings

When analyzing a control mapping document:

Step 1: Parse the Document

Use the oscal-parser skill to read the mapping document.

Step 2: Validate Structure

CRITICAL: When generating control mappings, always validate:

  1. UUID Validation

    • All UUIDs are RFC 4122 compliant (format: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d)
    • No duplicate UUIDs within document
    • Never leave UUID placeholders like [generate-uuid] in output

  2. Control Reference Validation

    • All source control-id values exist in source catalog
    • All target control-id values exist in target catalog
    • No orphaned or invalid control references

  3. Relationship Type Validation

    • Only use valid relationship types: equal, subset, superset, intersects, not-equal
    • Relationship type matches actual control comparison

  4. Metadata Completeness

    • Required fields present: title, version, oscal-version, last-modified
    • OSCAL version is 1.2.0 (Control Mapping model introduced in 1.2.0)

  5. Schema Validation

    • Run oscal-validator skill on generated mapping document
    • Validate against OSCAL Control Mapping JSON schema: https://raw.githubusercontent.com/usnistgov/OSCAL/v1.2.0/json/schema/oscal_control-mappings_schema.json

  6. Structural Requirements

    • import-control-schemes includes both source and target
    • Each mapping entry has valid source and at least one target
    • Control mapping sets properly organized

Step 3: Generate Analysis Report

markdown
# Control Mapping Analysis

**Source:** NIST 800-53 Rev 5
**Target:** ISO 27001:2022
**Total Mappings:** 145

## Relationship Distribution

- Equal: 78 (53.8%)
- Subset: 23 (15.9%)
- Superset: 31 (21.4%)
- Intersects: 13 (9.0%)
- Not-equal: 0 (0%)

## Coverage Analysis

### NIST 800-53 Coverage
- Total controls: 323
- Mapped controls: 245 (75.9%)
- Unmapped controls: 78 (24.1%)

### ISO 27001 Coverage
- Total controls: 93
- Mapped controls: 89 (95.7%)
- Unmapped controls: 4 (4.3%)

## Gaps Identified

### Unmapped NIST Controls
- AC-25: Reference Monitor
- SC-47: Alternate Communications Paths
- [...]

### Unmapped ISO Controls
- A.6.1.1: Information Security Roles
- [...]

Step 4: Identify Mapping Quality Issues

Issue Description
Orphaned mappings References to non-existent control IDs
Bidirectional conflicts A→B (equal) but B→A (subset)
Coverage gaps Large numbers of unmapped controls
Relationship mismatches Questionable relationship types

Common Use Cases

1. Multi-Framework Compliance

Scenario: Organization must comply with both FedRAMP and ISO 27001.

Approach:

  1. Create mapping: FedRAMP Moderate → ISO 27001
  2. Identify overlapping controls (implement once)
  3. Identify ISO-only controls (additional requirements)
  4. Generate combined control set

2. Framework Migration

Scenario: Moving from NIST 800-53 Rev 4 → Rev 5.

Approach:

  1. Create mapping: Rev 4 → Rev 5
  2. Identify deprecated controls
  3. Identify new requirements
  4. Plan implementation updates

3. Vendor Control Correlation

Scenario: Map cloud provider controls to your baseline.

Approach:

  1. Import vendor component definition
  2. Create mapping: Vendor controls → NIST 800-53
  3. Identify responsibility model (inherited vs. hybrid vs. customer)
  4. Document coverage and gaps

4. Regulatory Harmonization

Scenario: Create unified control set for HIPAA, PCI-DSS, SOC 2.

Approach:

  1. Create mappings for each framework pair
  2. Identify common control core
  3. Document framework-specific additions
  4. Generate harmonized control catalog

Output Format

Mapping Summary Report

CONTROL MAPPING SUMMARY
=======================
Document: nist-to-iso-mapping.json
Source: NIST 800-53 Rev 5 (323 controls)
Target: ISO 27001:2022 (93 controls)
Version: 1.0
Last Updated: 2026-01-20

MAPPING STATISTICS
------------------
Total Mappings: 145
• Equal: 78 (53.8%)
• Subset: 23 (15.9%)
• Superset: 31 (21.4%)
• Intersects: 13 (9.0%)

COVERAGE
--------
Source Coverage: 245/323 (75.9%)
Target Coverage: 89/93 (95.7%)

TOP GAPS
--------
Unmapped Source Controls: 78
• Access Control: 12
• System Communications: 15
• Supply Chain: 8
[...]

Unmapped Target Controls: 4
• A.6.1.1, A.7.1.1, A.8.2.1, A.15.1.1

QUALITY
-------
✓ No orphaned references
✓ All UUIDs unique
⚠ 3 potential bidirectional conflicts detected

Example Mapping Entry

json
{
  "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.5",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset",
  "props": [
    {
      "name": "mapping-confidence",
      "value": "high"
    }
  ],
  "remarks": "NIST AC-2 comprehensively covers account management including provisioning (ISO A.9.2.1) and privileged access (ISO A.9.2.5). The NIST control is broader in scope."
}

Best Practices

  1. Document Rationale: Always include remarks explaining mapping decisions
  2. Use Authoritative Sources: Never map from memory or training data
  3. Validate Bidirectionally: Check mappings make sense from both perspectives
  4. Review Coverage: Identify and document gaps explicitly
  5. Version Control: Track mapping versions as frameworks evolve
  6. Expert Review: Have subject matter experts validate critical mappings
  7. Maintain Consistency: Use consistent relationship type definitions
  8. Update Regularly: Review when frameworks release new versions
  9. Always Validate Output: Run validation checks before delivering mapping documents
  10. Use Valid UUIDs: Generate proper RFC 4122 UUIDs, never use placeholders

Integration with Other Skills

Skill Use With Control Mapper
oscal-catalog-provider Fetch source/target catalogs
oscal-parser Read existing mapping documents
oscal-validator Validate mapping document structure
control-implementation-generator Generate unified implementation guidance
compliance-report-generator Report on multi-framework compliance
gap-analyzer Identify coverage gaps

Limitations

  • Semantic Understanding: Mappings require human judgment; AI cannot definitively declare controls "equal"
  • Framework Updates: Mappings become stale when frameworks are revised
  • Context Dependency: Mapping appropriateness may vary by organizational context
  • Tool Support: OSCAL 1.2.0 Control Mapping model is new; tool support is emerging

Error Handling

Error Cause Solution
Invalid control-id Control doesn't exist in catalog Verify against authoritative catalog
Unknown scheme Framework not recognized Use standard scheme identifiers
Relationship conflict Bidirectional mappings inconsistent Review and reconcile relationships
Missing catalog import-control-schemes href broken Provide valid catalog references

Additional Resources

Version History

  • v1.0 (2026-01-20) - Initial skill for OSCAL 1.2.0 Control Mapping model

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

euCann/OSCAL-GRC-SKILLS

oscal-validator

Validate OSCAL documents for structural integrity, schema compliance, and OSCAL-specific requirements. Use this skill to check if OSCAL documents are properly formatted and meet NIST OSCAL specifications before processing.

6 1
Explore
euCann/OSCAL-GRC-SKILLS

control-implementation-generator

Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.

6 1
Explore
euCann/OSCAL-GRC-SKILLS

oscal-visualizer

Create visual diagrams and representations of OSCAL documents including control hierarchies, component relationships, implementation flows, and SSP overviews. Inspired by oscal-diagrams and community visualization tools.

6 1
Explore
euCann/OSCAL-GRC-SKILLS

oscal-text-converter

Convert OSCAL documents between formats (JSON, YAML, XML) and to human-readable formats like Markdown or plain text. Use for document transformation, reporting, and making OSCAL data accessible to non-technical stakeholders.

6 1
Explore
euCann/OSCAL-GRC-SKILLS

controls-extractor

Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

6 1
Explore
euCann/OSCAL-GRC-SKILLS

workflow-orchestrator

Orchestrate complex multi-step OSCAL compliance workflows by combining multiple skills. Use this skill for end-to-end compliance automation like FedRAMP package reviews, continuous monitoring, and gap assessments.

6 1
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results