Claude Code Plugins

Community-maintained marketplace

Feedback

advanced-oscal-validator

@euCann/OSCAL-GRC-SKILLS
0
0

Perform comprehensive OSCAL validation using community-inspired patterns including JSON schema validation, business rule validation, cross-reference checking, and best practices from IBM Trestle, oscal-pydantic, and Lula. Use for thorough document quality assurance.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name advanced-oscal-validator
description Perform comprehensive OSCAL validation using community-inspired patterns including JSON schema validation, business rule validation, cross-reference checking, and best practices from IBM Trestle, oscal-pydantic, and Lula. Use for thorough document quality assurance.

Advanced OSCAL Validator Skill

Perform comprehensive OSCAL document validation using advanced patterns inspired by community tools including IBM Trestle, oscal-pydantic, and Defense Unicorns' Lula.

When to Use This Skill

Use this skill when you need to:

  • Perform thorough validation beyond basic structure
  • Validate against NIST OSCAL JSON schemas
  • Check business rules and best practices
  • Validate cross-references and links
  • Ensure FedRAMP-specific requirements are met

⛔ Authoritative Data Requirement

Validation checks user-provided documents against structural rules.

What This Skill Does (Safe)

  • Validates OSCAL structure and syntax
  • Checks UUID formats and references
  • Verifies required fields are present
  • Confirms cross-references resolve
  • Applies business rule logic to YOUR document

What Requires Authoritative Sources

Validation Type Requires
Baseline completeness The baseline profile being validated against
Control reference validation The catalog that controls reference
FedRAMP-specific rules FedRAMP baseline

For Baseline Validation

To validate SSP completeness against a baseline, I need both:
1. Your SSP document (provided)
2. The baseline profile it should meet (e.g., FedRAMP Moderate)

I cannot determine if controls are missing without the authoritative baseline.

Validation Levels

Level Description Checks
Schema JSON schema compliance Structure, types, required fields
Semantic Business logic UUIDs, references, dates
Quality Best practices Completeness, clarity
Framework FedRAMP/NIST specific Baseline compliance

Advanced Validation Categories

Schema Validation

Validate against official NIST OSCAL JSON schemas:

  • Catalog schema
  • Profile schema
  • SSP schema
  • Component definition schema
  • Assessment schemas

UUID Validation

  • Format: RFC 4122 compliant
  • Uniqueness: No duplicates within document
  • References: All UUID refs resolve

Cross-Reference Validation

  • Control references exist in imported catalogs
  • Party references resolve within document
  • Component references are valid
  • Resource links are accessible

Business Rule Validation

Rule Description
BIZ-001 SSP must import a profile
BIZ-002 All baseline controls must be addressed
BIZ-003 Implementation status required for each control
BIZ-004 Responsible parties must be defined
BIZ-005 System characteristics must be complete

FedRAMP-Specific Validation

  • All required control families present
  • POA&M references valid
  • Required attachments present
  • Naming conventions followed

Validation Report Structure

ADVANCED VALIDATION REPORT
==========================
Document: ssp.json
Type: System Security Plan
Schema Version: 1.1.2
Validation Date: 2024-01-15

SUMMARY
-------
Schema Valid: ✅ Yes
Semantically Valid: ⚠️ Warnings
Quality Score: 85/100

SCHEMA VALIDATION
-----------------
Status: PASS
- Structure: Valid
- Required Fields: All present
- Data Types: Correct

UUID VALIDATION
---------------
Total UUIDs: 245
Unique: 245 ✅
Invalid Format: 0 ✅
Orphaned References: 2 ⚠️
  - #uuid-abc123 not found
  - #uuid-def456 not found

CROSS-REFERENCE VALIDATION
--------------------------
Control References: 320/325 valid
  Missing: AC-1(1), CM-7(1), SI-4(2), ...
  
Party References: 12/12 valid ✅
Component References: 45/45 valid ✅

BUSINESS RULES
--------------
✅ BIZ-001: Profile imported
⚠️ BIZ-002: 5 controls not addressed
✅ BIZ-003: All have implementation status
✅ BIZ-004: Responsible parties defined
⚠️ BIZ-005: System boundary incomplete

QUALITY CHECKS
--------------
- Implementation narratives: 95% complete
- Evidence references: 80% complete
- Parameter values: 100% set
- Remarks clarity: Good

RECOMMENDATIONS
---------------
1. Add missing control implementations
2. Resolve orphaned UUID references
3. Complete system boundary description

How to Perform Advanced Validation

Step 1: Schema Validation

  1. Identify document type from root element
  2. Fetch appropriate NIST schema
  3. Validate document against schema
  4. Collect all schema violations

Step 2: UUID Analysis

  1. Extract all UUIDs from document
  2. Validate format (8-4-4-4-12 hex)
  3. Check for duplicates
  4. Build reference graph
  5. Find orphaned references

Step 3: Cross-Reference Check

  1. Extract all internal references (#uuid-...)
  2. Extract all control-id references
  3. Resolve each reference
  4. Report unresolved references

Step 4: Business Rule Evaluation

Apply business rules based on document type:

For SSP:

  • Verify profile import exists
  • Check all baseline controls addressed
  • Validate implementation statements present
  • Confirm responsible parties assigned

For Component Definition:

  • Verify component has title
  • Check control implementations reference valid controls
  • Validate capability descriptions

Step 5: Quality Assessment

Score based on:

  • Completeness of narratives
  • Presence of evidence references
  • Parameter value coverage
  • Clarity and specificity

Validation Patterns from Community

From IBM Trestle

  • Workspace-based validation
  • Model assembly validation
  • Profile resolution checking

From oscal-pydantic

  • Type-safe validation
  • Field-level constraints
  • Nested object validation

From Lula

  • Control validation automation
  • Policy-as-code patterns
  • Continuous validation

Common Validation Issues

Issue Severity Fix
Missing metadata.title ERROR Add title
Invalid UUID format ERROR Regenerate UUID
Orphaned reference WARNING Update or remove
Missing implementation WARNING Add narrative
Empty remarks INFO Add context

Example Usage

When asked "Thoroughly validate this SSP":

  1. Parse the SSP document
  2. Validate against OSCAL SSP schema
  3. Check all UUIDs for format and uniqueness
  4. Resolve all cross-references
  5. Apply SSP business rules
  6. Score quality metrics
  7. Generate comprehensive validation report
  8. Provide prioritized fix recommendations