| name | control-implementation-generator |
| description | Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans. |
# Control Implementation Generator Skill

Generate comprehensive implementation guidance, technical procedures, and deployment plans for security controls based on system context.

## When to Use This Skill

Use this skill when you need to:
- Create control implementation narratives for SSPs
- Generate technical implementation steps
- Build implementation timelines
- Identify tools and resources needed
- Create system-specific guidance
## ⛔ Authoritative Data Requirement

### What Requires Authoritative Sources
| Requirement | Source Needed |
|---|---|
| Control text/definition | OSCAL catalog document |
| Control parameters | Profile with parameter settings |
| Baseline requirements | FedRAMP/NIST baseline profile |
| Vendor-specific implementation | Vendor documentation |
### What You CAN Generate (Templates & Methodology)
- Narrative structure and format
- Implementation approach patterns (based on user's stated technology)
- Timeline templates
- Effort estimation frameworks
- General best practices for stated platforms
### What You CANNOT Generate
- Specific control requirement text (must cite from catalog)
- Parameter values (must come from profile or organization)
- Vendor configuration details without documentation
- Compliance claims without evidence
### Safe vs Unsafe Examples

✅ Safe: "For AC-2 in your AWS environment, the typical approach involves AWS IAM for identity management combined with..."

⛔ Unsafe: "AC-2 requires organizations to define and document account types within 30 days..." (← This specific requirement must come from the catalog)

### If Control Definition Needed

```text
To generate accurate implementation guidance for [control], I need:
• The control definition from your OSCAL catalog
• Your baseline profile (for parameter values)
• Your technology stack (you've stated: [tech])

I can provide implementation templates and patterns, but the specific
control requirements must come from your authoritative catalog.
```
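The rule above (control text and parameter values come only from the catalog and profile) can be enforced mechanically before any narrative is drafted. The following is an added example, not part of the skill or of any OSCAL tooling: it walks a catalog laid out like OSCAL JSON (`catalog.groups[].controls[]` with `params` and `parts`), substitutes the OSCAL `{{ insert: param, <id> }}` placeholders from the profile's `modify.set-parameters`, and reports every parameter it could not resolve instead of guessing a value. The catalog and profile contents below are constructed samples for illustration, not real NIST control text.

```python
"""Resolve a control's authoritative statement from an OSCAL-shaped catalog and profile.

Added example; not part of the skill. Catalog/profile layout mirrors the OSCAL
JSON models, but the control prose and parameter values are constructed samples.
"""
import re

# Constructed sample catalog fragment (shape follows OSCAL; prose is made up).
SAMPLE_CATALOG = {
    "catalog": {
        "groups": [{
            "id": "ac",
            "controls": [{
                "id": "ac-2",
                "title": "Account Management",
                "params": [
                    {"id": "ac-2_prm_1", "label": "account types"},
                    {"id": "ac-2_prm_2", "label": "review frequency"},
                ],
                "parts": [{
                    "name": "statement",
                    "prose": "Define {{ insert: param, ac-2_prm_1 }} and "
                             "review accounts {{ insert: param, ac-2_prm_2 }}.",
                }],
            }],
        }],
    }
}

# Constructed sample profile that sets only ONE of the two parameters.
SAMPLE_PROFILE = {
    "profile": {
        "modify": {
            "set-parameters": [
                {"param-id": "ac-2_prm_1", "values": ["individual, shared, service"]},
            ]
        }
    }
}

# OSCAL parameter insertion marker: {{ insert: param, <param-id> }}
PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")


def iter_controls(catalog):
    """Yield every control, including nested enhancements, from groups and top level."""
    def walk(controls):
        for c in controls:
            yield c
            yield from walk(c.get("controls", []))
    root = catalog["catalog"]
    for group in root.get("groups", []):
        yield from walk(group.get("controls", []))
    yield from walk(root.get("controls", []))


def find_control(catalog, control_id):
    wanted = control_id.lower()          # OSCAL ids are lowercase ("ac-2")
    return next((c for c in iter_controls(catalog) if c["id"] == wanted), None)


def profile_params(profile):
    """Map param-id -> list of values set by the profile."""
    mods = profile["profile"].get("modify", {}).get("set-parameters", [])
    return {p["param-id"]: p.get("values", []) for p in mods}


def statement_prose(control):
    """Concatenate the prose of the 'statement' part and all of its sub-parts."""
    def walk(part):
        out = [part["prose"]] if part.get("prose") else []
        for sub in part.get("parts", []):
            out.extend(walk(sub))
        return out
    texts = []
    for part in control.get("parts", []):
        if part.get("name") == "statement":
            texts.extend(walk(part))
    return " ".join(texts)


def resolve_control(catalog, profile, control_id):
    """Return {'ok', 'statement', 'missing'}; unresolved items are listed, never invented."""
    control = find_control(catalog, control_id)
    if control is None:
        return {"ok": False, "statement": None,
                "missing": [f"control {control_id} not in catalog"]}
    values = profile_params(profile)
    labels = {p["id"]: p.get("label", p["id"]) for p in control.get("params", [])}
    missing = []

    def substitute(match):
        pid = match.group(1)
        if values.get(pid):
            return ", ".join(values[pid])
        label = labels.get(pid, pid)
        missing.append(f"parameter {pid} ({label}) not set in profile")
        return f"[{label}: value required from profile]"   # visible gap, not a guess

    statement = PARAM_RE.sub(substitute, statement_prose(control))
    return {"ok": not missing, "statement": statement, "missing": missing}
```

When `ok` is false, the `missing` list is exactly what the "If Control Definition Needed" response should ask the user for; the bracketed gap left in `statement` makes an unresolved parameter obvious in any draft narrative.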
## Implementation Status Options
| Status | Description | SSP Usage |
|---|---|---|
| Implemented | Fully in place | Describe how |
| Partially Implemented | Some aspects complete | Describe what's done, what's remaining |
| Planned | Scheduled for implementation | Describe timeline |
| Alternative | Different approach meeting intent | Describe alternative |
| Not Applicable | Control doesn't apply | Provide justification |
## Implementation Methods
| Method | Description | When to Use |
|---|---|---|
| Automated | Technology-enforced | Technical controls |
| Manual | Human-performed | Procedural controls |
| Hybrid | Combination | Complex controls |
| Inherited | Provided by another system | Shared services |
## System Types
| Type | Characteristics | Implementation Focus |
|---|---|---|
| Cloud Service | AWS, Azure, GCP | API, IAM, native tools |
| On-Premises | Traditional datacenter | Network, physical |
| Hybrid | Mixed environment | Integration, consistency |
| SaaS | Software service | Configuration, access |
## How to Generate Implementation Guidance

### Step 1: Understand the Control

Parse the control requirement:
- Read the control statement
- Identify key requirements
- Note any parameters
- Review guidance section
### Step 2: Assess System Context

Consider:
- System type (cloud, on-prem, hybrid)
- Technology stack
- Existing capabilities
- Organizational constraints
### Step 3: Determine Implementation Method

Based on control type and system:
- Technical controls → Automated
- Policy controls → Manual/Hybrid
- Shared services → Inherited
### Step 4: Generate Implementation Steps

For each control, provide:

```yaml
implementation:
  control_id: AC-2
  status: implemented
  method: hybrid
  description: |
    Account management is implemented through Azure Active Directory
    for identity management, combined with automated provisioning
    workflows and quarterly access reviews.
  technical_steps:
    - Configure Azure AD as identity provider
    - Implement automated user provisioning via SCIM
    - Configure access review campaigns (quarterly)
    - Enable Privileged Identity Management (PIM)
    - Set up termination automation via HR integration
  tools_required:
    - Azure Active Directory Premium P2
    - Azure AD Connect
    - ServiceNow (or HR system)
  responsible_roles:
    - IAM Administrator
    - HR Business Partner
    - Application Owners
  evidence:
    - Azure AD configuration export
    - Access review completion reports
    - Provisioning workflow documentation
```
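A record in this shape should be checked before it is written into an SSP: the status and method must be values from the tables above, each status carries its own SSP-usage obligation (evidence, timeline, justification), and no `[placeholder]` text from the narrative templates may survive into a final description. The following validator is an added example, not part of the skill or of any OSCAL library. It uses the AC-2 record above as its sample input; the `timeline` and `justification` keys, and the mapping of the status names to OSCAL `implementation-status` state strings, are assumptions of this example.

```python
"""Validate a control implementation record before it is written into an SSP.

Added example; not part of the skill. The OSCAL state names in STATUS_TO_OSCAL
and the 'timeline' / 'justification' record keys are assumptions of this example.
"""
import re

# Status values from the "Implementation Status Options" table, mapped to
# OSCAL-style implementation-status/state names (assumed mapping).
STATUS_TO_OSCAL = {
    "implemented": "implemented",
    "partially implemented": "partial",
    "planned": "planned",
    "alternative": "alternative",
    "not applicable": "not-applicable",
}
# Values from the "Implementation Methods" table.
METHODS = {"automated", "manual", "hybrid", "inherited"}

PLACEHOLDER_RE = re.compile(r"\[[^\[\]]+\]")                # e.g. "[Identity system]"
CONTROL_ID_RE = re.compile(r"^[A-Za-z]{2}-\d+(\(\d+\))?$")  # AC-2, AC-2(1)

# The AC-2 record from the YAML above, as a Python dict (constructed sample).
SAMPLE_RECORD = {
    "control_id": "AC-2",
    "status": "implemented",
    "method": "hybrid",
    "description": (
        "Account management is implemented through Azure Active Directory "
        "for identity management, combined with automated provisioning "
        "workflows and quarterly access reviews."
    ),
    "technical_steps": [
        "Configure Azure AD as identity provider",
        "Implement automated user provisioning via SCIM",
        "Configure access review campaigns (quarterly)",
        "Enable Privileged Identity Management (PIM)",
        "Set up termination automation via HR integration",
    ],
    "tools_required": ["Azure Active Directory Premium P2", "Azure AD Connect",
                       "ServiceNow (or HR system)"],
    "responsible_roles": ["IAM Administrator", "HR Business Partner", "Application Owners"],
    "evidence": ["Azure AD configuration export", "Access review completion reports",
                 "Provisioning workflow documentation"],
}


def validate_implementation(rec):
    """Return a list of problems; an empty list means the record is SSP-ready."""
    errors = []
    cid = str(rec.get("control_id", ""))
    if not CONTROL_ID_RE.match(cid):
        errors.append(f"control_id {cid!r} is not a control identifier")

    status = str(rec.get("status", "")).strip().lower()
    if status not in STATUS_TO_OSCAL:
        errors.append(f"status {status!r} not in {sorted(STATUS_TO_OSCAL)}")

    method = str(rec.get("method", "")).strip().lower()
    if method not in METHODS:
        errors.append(f"method {method!r} not in {sorted(METHODS)}")

    desc = str(rec.get("description", ""))
    if not desc.strip():
        errors.append("description is empty")
    for placeholder in PLACEHOLDER_RE.findall(desc):   # template text never ships
        errors.append(f"unfilled template placeholder {placeholder} in description")

    # Per-status obligations from the "SSP Usage" column of the status table.
    if status in ("implemented", "partially implemented") and not rec.get("evidence"):
        errors.append(f"status {status!r} requires evidence")
    if status == "planned" and not rec.get("timeline"):          # assumed key
        errors.append("status 'planned' requires a timeline")
    if status == "not applicable" and not rec.get("justification"):  # assumed key
        errors.append("status 'not applicable' requires a justification")
    if not rec.get("responsible_roles"):
        errors.append("responsible_roles is empty")
    return errors


def oscal_status(rec):
    """OSCAL-style implementation-status object for a record that passed validation."""
    return {"state": STATUS_TO_OSCAL[str(rec["status"]).strip().lower()]}
```

Run `validate_implementation` on every record before rendering narratives; a non-empty result is the list of questions to put back to the user rather than gaps to fill by guessing.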
## Implementation Narrative Templates

### For Policy Controls (e.g., AC-1)

```text
[Organization] has developed, documented, and disseminated an
access control policy that:
a. Addresses purpose, scope, roles, responsibilities, and compliance
b. Is consistent with applicable laws and regulations
c. Is reviewed and updated [frequency]

The policy is maintained in [location] and communicated to all
personnel via [method]. The [role] is responsible for policy
maintenance and updates.
```

### For Technical Controls (e.g., IA-2)

```text
The system implements multi-factor authentication through
[solution] for all user access. Authentication factors include:
- Something you know: Password meeting complexity requirements
- Something you have: [Authenticator app / Hardware token / SMS]

Configuration: [Specific settings]
Enforcement: [How it's enforced]
Exceptions: [Any approved exceptions]
```

### For Hybrid Controls (e.g., AC-2)

```text
Account management is implemented through a combination of:

Technical Controls:
- [Identity system] manages user accounts
- Automated provisioning via [method]
- [Tool] enforces access policies

Procedural Controls:
- Access requests submitted via [process]
- Manager approval required for all access
- Quarterly access reviews conducted by [role]
```
## Implementation Effort Estimation
| Complexity | Hours | Description |
|---|---|---|
| Low | 1-8 | Configuration change |
| Medium | 8-40 | New tool/process |
| High | 40-160 | Major implementation |
| Very High | 160+ | Program-level effort |
## Implementation Plan Structure

```text
CONTROL IMPLEMENTATION PLAN
===========================
Control: CM-6 (Configuration Settings)
System: Production Web Environment
Timeline: Q2 2024

Phase 1: Planning (Week 1-2)
- Define baseline configurations
- Identify configuration management tools
- Create change management process

Phase 2: Implementation (Week 3-6)
- Deploy configuration management tool
- Apply baseline configurations
- Test and validate settings

Phase 3: Monitoring (Week 7-8)
- Configure drift detection
- Set up alerting
- Document procedures

Resources Required:
- Security Engineer: 40 hours
- Systems Administrator: 60 hours
- Tool licensing: [Cost]

Dependencies:
- CM-2 (Baseline Configuration) must be complete
- Change management process approved
```
## Common Implementation Patterns

### Cloud (AWS Example)
| Control | AWS Implementation |
|---|---|
| AC-2 | IAM + AWS SSO + Organizations |
| AU-2 | CloudTrail + CloudWatch Logs |
| CM-2 | Config Rules + Systems Manager |
| SC-7 | VPC + Security Groups + WAF |
### Azure Example
| Control | Azure Implementation |
|---|---|
| AC-2 | Azure AD + PIM |
| AU-2 | Azure Monitor + Log Analytics |
| CM-2 | Azure Policy + Automation |
| SC-7 | NSG + Azure Firewall + Front Door |
## Example Usage

When asked "How should I implement IA-2 for a cloud system?":

- Parse IA-2 requirements (identification and authentication)
- Assess system type (cloud)
- Identify cloud-native options:
  - AWS: Cognito, IAM Identity Center
  - Azure: Azure AD, Conditional Access
  - GCP: Cloud Identity, IAP
- Generate implementation steps
- Specify MFA requirements
- Create implementation narrative
- Estimate effort and timeline