ReddRadar
Agent skill
oscal-validator
Validate OSCAL documents for structural integrity, schema compliance, and OSCAL-specific requirements. Use this skill to check if OSCAL documents are properly formatted and meet NIST OSCAL specifications before processing.
Install this agent skill to your Project
npx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/main/skills/oscal-validator
SKILL.md
OSCAL Validator Skill
Validate OSCAL documents against NIST schemas and perform structural integrity checks to ensure compliance data quality.
When to Use This Skill
Use this skill when you need to:
- Verify an OSCAL document is properly formatted
- Check for missing required fields
- Validate UUIDs and cross-references
- Ensure metadata completeness
- Identify structural issues before further processing
✅ Data Source Principle
This skill validates documents you provide against structural rules and OSCAL schema requirements. Validation logic is safe — it checks format and syntax, not compliance content.
Note: For baseline completeness validation (e.g., "does this SSP cover all FedRAMP Moderate controls?"), you must also provide the baseline profile/catalog.
Validation Severity Levels
| Level | Meaning | Action Required |
|---|---|---|
| ERROR | Document is invalid | Must fix before use |
| WARNING | Potential issues | Should review |
| INFO | Suggestions | Optional improvements |
Validation Rules
Structure Validation (STRUCT)
| Rule | Description |
|---|---|
| STRUCT-001 | Document must not be empty or null |
| STRUCT-002 | Document must have a root element |
| STRUCT-003 | Root element must be a valid OSCAL model type |
Metadata Validation (META)
| Rule | Description |
|---|---|
| META-001 | Metadata section is required |
| META-002 | Title is required |
| META-003 | Last-modified timestamp is required |
| META-004 | Version is required |
| META-005 | OSCAL version should match current spec |
UUID Validation (UUID)
| Rule | Description |
|---|---|
| UUID-001 | Document UUID must be present |
| UUID-002 | UUIDs must be valid RFC 4122 format |
| UUID-003 | UUIDs must be unique within document |
Reference Validation (REF)
| Rule | Description |
|---|---|
| REF-001 | Internal references must resolve |
| REF-002 | Control references must exist |
| REF-003 | Party references must resolve |
How to Validate an OSCAL Document
Step 1: Check Basic Structure
- Verify document is not empty
- Confirm root element exists
- Validate root element is a valid OSCAL type
Step 2: Validate Metadata
- Check for required
metadatasection - Verify
titleis present and non-empty - Confirm
last-modifiedis valid ISO timestamp - Check
versionis present - Validate
oscal-versionmatches expected format
Step 3: Validate UUIDs
- Check document-level UUID exists
- Validate UUID format (8-4-4-4-12 hexadecimal)
- Build list of all UUIDs
- Check for duplicates
Step 4: Validate References
- Find all internal references (e.g.,
#uuid-value) - Verify each reference resolves to existing element
- Check control-id references against imported catalogs
- Validate party-uuid references
Step 5: Model-Specific Validation
For Catalogs:
- Groups should have controls
- Controls should have statements
- Parameters should have values or selections
For SSPs:
- Import-profile must reference valid profile
- System-characteristics must include system-ids
- Control-implementation must address all imported controls
For Component Definitions:
- Components must have titles
- Control implementations must reference valid controls
Validation Report Format
Provide validation results as:
VALIDATION REPORT
=================
Document: [filename]
Model Type: [type]
Valid: [YES/NO]
Issues Found:
- [SEVERITY] [RULE-ID]: [Message] at [location]
Summary:
- Errors: X
- Warnings: Y
- Info: Z
Common Issues and Fixes
| Issue | Cause | Fix |
|---|---|---|
| Missing metadata | Incomplete document | Add required metadata section |
| Invalid UUID | Malformed identifier | Generate new RFC 4122 UUID |
| Unresolved reference | Broken link | Update reference or add target |
| Missing timestamp | Incomplete metadata | Add ISO 8601 timestamp |
Example Usage
When asked "Validate this SSP for compliance":
- Parse the document
- Run all validation checks
- Collect issues by severity
- Report findings with specific locations
- Provide actionable fix recommendations
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
euCann/OSCAL-GRC-SKILLS
oscal-control-mapper
Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.
euCann/OSCAL-GRC-SKILLS
control-implementation-generator
Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.
euCann/OSCAL-GRC-SKILLS
oscal-visualizer
Create visual diagrams and representations of OSCAL documents including control hierarchies, component relationships, implementation flows, and SSP overviews. Inspired by oscal-diagrams and community visualization tools.
euCann/OSCAL-GRC-SKILLS
oscal-text-converter
Convert OSCAL documents between formats (JSON, YAML, XML) and to human-readable formats like Markdown or plain text. Use for document transformation, reporting, and making OSCAL data accessible to non-technical stakeholders.
euCann/OSCAL-GRC-SKILLS
controls-extractor
Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.
euCann/OSCAL-GRC-SKILLS
workflow-orchestrator
Orchestrate complex multi-step OSCAL compliance workflows by combining multiple skills. Use this skill for end-to-end compliance automation like FedRAMP package reviews, continuous monitoring, and gap assessments.
Didn't find tool you were looking for?