Agent skill

oscal-control-mapper

Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.


Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/devops/control-mapper

SKILL.md

OSCAL Control Mapper Skill

Create and analyze OSCAL 1.2.0 Control Mapping documents to establish formal, machine-readable relationships between security controls across different frameworks.

When to Use This Skill

Use this skill when you need to:

  • Map controls between different frameworks (NIST 800-53 ↔ ISO 27001)
  • Document control equivalencies and relationships
  • Identify gaps when transitioning between frameworks
  • Create harmonized control sets for multi-framework compliance
  • Generate mapping documentation for auditors
  • Analyze existing control mapping documents

⛔ Authoritative Data Requirement

Control mapping requires authoritative catalogs for both source and target frameworks.

What This Skill Does (Safe)

  • Creates OSCAL Control Mapping document structure
  • Defines relationship types (equal, subset, superset, intersects, not-equal)
  • Documents mapping rationale and notes
  • Validates mapping document structure

What Requires Authoritative Sources

| Element | Source Needed |
|---|---|
| Source control IDs | Source catalog (e.g., NIST 800-53) |
| Target control IDs | Target catalog (e.g., ISO 27001) |
| Control text/requirements | Both catalogs |

When Creating Mappings

To create a control mapping, I need:

  • Source framework catalog (e.g., NIST 800-53 Rev 5)
  • Target framework catalog (e.g., ISO 27001:2022)
  • Your mapping analysis or documented equivalencies

I will NOT generate mappings from training data — only from authoritative sources.

What is the Control Mapping Model?

New in OSCAL 1.2.0 (December 2025), the Control Mapping model provides a standardized way to express relationships between controls in different frameworks.

Key Concepts

| Concept | Description |
|---|---|
| Control Mapping | Document defining relationships between controls |
| Mapping Entry | Single relationship between source and target control(s) |
| Relationship Type | Nature of the mapping (equal, subset, superset, etc.) |
| Mapping Collection | Grouped set of related mappings |

Relationship Types

| Type | Description | Example |
|---|---|---|
| equal | Controls are functionally equivalent | NIST AC-2 = ISO 27001 A.9.2.1 |
| subset | Source is narrower than target | NIST AC-2(1) ⊂ ISO 27001 A.9.2.1 |
| superset | Source is broader than target | NIST AC-2 ⊃ ISO 27001 A.9.2.1 |
| intersects | Partial overlap between controls | NIST SC-7 ∩ ISO 27001 A.13.1.1 |
| not-equal | Controls address different requirements | NIST AC-1 ≠ ISO 27001 A.5.1.1 |

Control Mapping Structure

```yaml
control-mappings:
  uuid: [unique-id]
  metadata:
    title: "NIST 800-53 to ISO 27001 Mapping"
    version: "1.0"
    oscal-version: "1.2.0"
    last-modified: "2026-01-20T00:00:00Z"

  # Define the frameworks being mapped
  import-control-schemes:
    - href: "#nist-800-53-rev5"
      scheme: "nist-800-53-rev5"
    - href: "#iso-27001-2022"
      scheme: "iso-27001-2022"

  # Mapping entries
  control-mapping-set:
    - uuid: [set-uuid]
      title: "Access Control Mappings"
      description: "Mappings for access control requirements"

      control-mappings:
        - uuid: [mapping-uuid]
          source:
            control-id: "ac-2"
            scheme: "nist-800-53-rev5"

          target:
            - control-id: "a.9.2.1"
              scheme: "iso-27001-2022"

          relationship: "equal"

          remarks: |
            Both controls require account management procedures
            including creation, modification, and removal.
```

How to Create Control Mappings

Step 1: Obtain Required Catalogs

You need OSCAL catalogs for both frameworks:

  • Use the oscal-catalog-provider skill for NIST 800-53 and FedRAMP catalogs
  • Request ISO, CIS, or other framework catalogs from the user

Step 2: Define Mapping Document Metadata

```json
{
  "control-mappings": {
    "uuid": "[generate-uuid]",
    "metadata": {
      "title": "Framework A to Framework B Control Mapping",
      "version": "1.0",
      "oscal-version": "1.2.0",
      "last-modified": "[current-date]",
      "roles": [
        {
          "id": "mapper",
          "title": "Control Mapping Analyst"
        }
      ],
      "parties": [
        {
          "uuid": "[party-uuid]",
          "type": "organization",
          "name": "Your Organization"
        }
      ]
    }
  }
}
```

Step 3: Import Control Schemes

Define the frameworks being mapped:

```json
"import-control-schemes": [
  {
    "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
    "scheme": "nist-800-53-rev5"
  },
  {
    "href": "#iso-27001-catalog",
    "scheme": "iso-27001-2022"
  }
]
```

Step 4: Create Mapping Sets

Group related mappings logically:

```json
"control-mapping-set": [
  {
    "uuid": "[set-uuid]",
    "title": "Access Control Mappings",
    "description": "Mappings for access control domain",
    "control-mappings": [
      // Individual mappings here
    ]
  }
]
```

Step 5: Define Individual Mappings

For each control relationship:

```json
{
  "uuid": "[mapping-uuid]",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "equal",
  "remarks": "Both require account management lifecycle procedures"
}
```

Step 6: Handle Complex Mappings

One-to-Many Mapping

```json
{
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.2",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset"
}
```

Many-to-One Mapping

Each mapping entry has a single source, so create a separate mapping entry for each source control that points to the same target.

Partial Coverage

```json
{
  "source": {
    "control-id": "sc-7",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.13.1.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "intersects",
  "remarks": "NIST SC-7 covers boundary protection broadly; ISO A.13.1.1 focuses on network controls. Partial overlap."
}
```

Analyzing Existing Mappings

When analyzing a control mapping document:

Step 1: Parse the Document

Use the oscal-parser skill to read the mapping document.

Step 2: Validate Structure

  • Confirm all source and target control IDs exist in referenced catalogs
  • Check relationship types are valid
  • Verify UUIDs are unique

Step 3: Generate Analysis Report

```markdown
# Control Mapping Analysis

**Source:** NIST 800-53 Rev 5
**Target:** ISO 27001:2022
**Total Mappings:** 145

## Relationship Distribution

- Equal: 78 (53.8%)
- Subset: 23 (15.9%)
- Superset: 31 (21.4%)
- Intersects: 13 (9.0%)
- Not-equal: 0 (0%)

## Coverage Analysis

### NIST 800-53 Coverage
- Total controls: 323
- Mapped controls: 245 (75.9%)
- Unmapped controls: 78 (24.1%)

### ISO 27001 Coverage
- Total controls: 93
- Mapped controls: 89 (95.7%)
- Unmapped controls: 4 (4.3%)

## Gaps Identified

### Unmapped NIST Controls
- AC-25: Reference Monitor
- SC-47: Alternate Communications Paths
- [...]

### Unmapped ISO Controls
- A.6.1.1: Information Security Roles
- [...]
```

Step 4: Identify Mapping Quality Issues

| Issue | Description |
|---|---|
| Orphaned mappings | References to non-existent control IDs |
| Bidirectional conflicts | A→B (equal) but B→A (subset) |
| Coverage gaps | Large numbers of unmapped controls |
| Relationship mismatches | Questionable relationship types |
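The structure and quality checks from Steps 2 and 4 above, as an added example that is not part of this skill: it flags orphaned references, invalid relationship types, duplicate UUIDs and bidirectional conflicts (the reverse of `subset` must be `superset`, `equal` and `intersects` are their own inverses) and computes per-scheme coverage. The catalogs and mapping entries are constructed samples shaped like the JSON entries on this page.

```python
# Added example, not the skill's own code: structural checks over mapping entries shaped
# like this page's JSON (source/target/relationship/uuid). Catalogs and entries are constructed.
from collections import Counter
RELATIONSHIPS = {"equal", "subset", "superset", "intersects", "not-equal"}
INVERSE = {"equal": "equal", "subset": "superset", "superset": "subset",
           "intersects": "intersects", "not-equal": "not-equal"}
# Constructed catalogs: scheme -> control ids that actually exist in it.
CATALOGS = {"nist-800-53-rev5": {"ac-1", "ac-2", "ac-2.1", "sc-7"},
            "iso-27001-2022": {"a.5.1.1", "a.9.2.1", "a.9.2.2", "a.13.1.1"}}
# Constructed entries: m2 contradicts m1 in reverse; the second "m2" reuses a uuid,
# references a target missing from the catalog and uses an unknown relationship type.
ENTRIES = [
    {"uuid": "m1", "source": {"scheme": "nist-800-53-rev5", "control-id": "ac-2"},
     "target": [{"scheme": "iso-27001-2022", "control-id": "a.9.2.1"}],
     "relationship": "equal"},
    {"uuid": "m2", "source": {"scheme": "iso-27001-2022", "control-id": "a.9.2.1"},
     "target": [{"scheme": "nist-800-53-rev5", "control-id": "ac-2"}],
     "relationship": "subset"},
    {"uuid": "m2", "source": {"scheme": "nist-800-53-rev5", "control-id": "sc-7"},
     "target": [{"scheme": "iso-27001-2022", "control-id": "a.13.1.9"}],
     "relationship": "overlaps"},
]

def check_mappings(entries, catalogs):
    """Return orphans, bad relationship types, duplicate uuids, bidirectional
    conflicts, and (mapped, total) coverage per scheme."""
    f = {"orphans": [], "bad_relationship": [], "bidirectional_conflicts": []}
    f["duplicate_uuid"] = sorted(u for u, n in Counter(e["uuid"] for e in entries).items() if n > 1)
    mapped = {scheme: set() for scheme in catalogs}
    pairs = {}  # (source, target) -> relationship, for the reverse-direction check
    for e in entries:
        src = (e["source"]["scheme"], e["source"]["control-id"])
        refs = [src] + [(t["scheme"], t["control-id"]) for t in e["target"]]
        for scheme, cid in refs:
            if cid in catalogs.get(scheme, ()):
                mapped[scheme].add(cid)
            else:  # orphaned reference: id not in the authoritative catalog
                f["orphans"].append(f"{e['uuid']}: {scheme}/{cid}")
        rel = e["relationship"]
        if rel not in RELATIONSHIPS:
            f["bad_relationship"].append(f"{e['uuid']}: {rel}")
            continue
        for tgt in refs[1:]:
            # If B->A already exists, A->B must be its inverse (subset <-> superset).
            if (tgt, src) in pairs and pairs[(tgt, src)] != INVERSE[rel]:
                f["bidirectional_conflicts"].append(
                    f"{src[1]}->{tgt[1]} {rel} vs {tgt[1]}->{src[1]} {pairs[(tgt, src)]}")
            pairs[(src, tgt)] = rel
    f["coverage"] = {s: (len(mapped[s]), len(ids)) for s, ids in catalogs.items()}
    return f
```

Running `check_mappings(ENTRIES, CATALOGS)` reports the duplicate `m2`, the orphan `a.13.1.9`, the unknown type `overlaps`, one bidirectional conflict, and coverage of 2/4 (NIST) and 1/4 (ISO); the coverage figures feed the report in Step 3.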

Common Use Cases

1. Multi-Framework Compliance

Scenario: Organization must comply with both FedRAMP and ISO 27001.

Approach:

  1. Create mapping: FedRAMP Moderate → ISO 27001
  2. Identify overlapping controls (implement once)
  3. Identify ISO-only controls (additional requirements)
  4. Generate combined control set

2. Framework Migration

Scenario: Moving from NIST 800-53 Rev 4 → Rev 5.

Approach:

  1. Create mapping: Rev 4 → Rev 5
  2. Identify deprecated controls
  3. Identify new requirements
  4. Plan implementation updates

3. Vendor Control Correlation

Scenario: Map cloud provider controls to your baseline.

Approach:

  1. Import vendor component definition
  2. Create mapping: Vendor controls → NIST 800-53
  3. Identify responsibility model (inherited vs. hybrid vs. customer)
  4. Document coverage and gaps

4. Regulatory Harmonization

Scenario: Create unified control set for HIPAA, PCI-DSS, SOC 2.

Approach:

  1. Create mappings for each framework pair
  2. Identify common control core
  3. Document framework-specific additions
  4. Generate harmonized control catalog

Output Format

Mapping Summary Report

```text
CONTROL MAPPING SUMMARY
=======================
Document: nist-to-iso-mapping.json
Source: NIST 800-53 Rev 5 (323 controls)
Target: ISO 27001:2022 (93 controls)
Version: 1.0
Last Updated: 2026-01-20

MAPPING STATISTICS
------------------
Total Mappings: 145
• Equal: 78 (53.8%)
• Subset: 23 (15.9%)
• Superset: 31 (21.4%)
• Intersects: 13 (9.0%)

COVERAGE
--------
Source Coverage: 245/323 (75.9%)
Target Coverage: 89/93 (95.7%)

TOP GAPS
--------
Unmapped Source Controls: 78
• Access Control: 12
• System Communications: 15
• Supply Chain: 8
[...]

Unmapped Target Controls: 4
• A.6.1.1, A.7.1.1, A.8.2.1, A.15.1.1

QUALITY
-------
✓ No orphaned references
✓ All UUIDs unique
⚠ 3 potential bidirectional conflicts detected
```

Example Mapping Entry

```json
{
  "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.5",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset",
  "props": [
    {
      "name": "mapping-confidence",
      "value": "high"
    }
  ],
  "remarks": "NIST AC-2 comprehensively covers account management including provisioning (ISO A.9.2.1) and privileged access (ISO A.9.2.5). The NIST control is broader in scope."
}
```

Best Practices

  1. Document Rationale: Always include remarks explaining mapping decisions
  2. Use Authoritative Sources: Never map from memory or training data
  3. Validate Bidirectionally: Check mappings make sense from both perspectives
  4. Review Coverage: Identify and document gaps explicitly
  5. Version Control: Track mapping versions as frameworks evolve
  6. Expert Review: Have subject matter experts validate critical mappings
  7. Maintain Consistency: Use consistent relationship type definitions
  8. Update Regularly: Review when frameworks release new versions

Integration with Other Skills

| Skill | Use With Control Mapper |
|---|---|
| oscal-catalog-provider | Fetch source/target catalogs |
| oscal-parser | Read existing mapping documents |
| oscal-validator | Validate mapping document structure |
| control-implementation-generator | Generate unified implementation guidance |
| compliance-report-generator | Report on multi-framework compliance |
| gap-analyzer | Identify coverage gaps |

Limitations

  • Semantic Understanding: Mappings require human judgment; AI cannot definitively declare controls "equal"
  • Framework Updates: Mappings become stale when frameworks are revised
  • Context Dependency: Mapping appropriateness may vary by organizational context
  • Tool Support: OSCAL 1.2.0 Control Mapping model is new; tool support is emerging

Error Handling

| Error | Cause | Solution |
|---|---|---|
| Invalid control-id | Control doesn't exist in catalog | Verify against authoritative catalog |
| Unknown scheme | Framework not recognized | Use standard scheme identifiers |
| Relationship conflict | Bidirectional mappings inconsistent | Review and reconcile relationships |
| Missing catalog | import-control-schemes href broken | Provide valid catalog references |

Additional Resources


Version History

  • v1.0 (2026-01-20) - Initial skill for OSCAL 1.2.0 Control Mapping model
