Claude Code Plugins

Community-maintained marketplace

Feedback

controls-extractor

@euCann/OSCAL-GRC-SKILLS
0
0

Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name controls-extractor
description Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

Controls Extractor Skill

Extract, analyze, and report on security controls from OSCAL documents including catalogs, profiles, and system security plans.

When to Use This Skill

Use this skill when you need to:

  • List all controls in a catalog or profile
  • Extract control statements and guidance
  • Analyze control families and hierarchies
  • Find controls by ID, family, or keyword
  • Get control statistics and coverage metrics
  • Identify control enhancements

⛔ Authoritative Data Requirement

Control extraction works only on user-provided OSCAL documents.

What This Skill Does

  • Parses and extracts data from OSCAL documents you provide
  • Analyzes structure and relationships within your documents
  • Summarizes and reports on what's IN your documents

What This Skill Does NOT Do

  • Generate control lists from training knowledge
  • Provide control definitions without a catalog document
  • Assume what controls exist in a baseline you haven't provided

Required Input

Task Required Document
List controls Catalog or Profile JSON/YAML/XML
Get control text Catalog with the control definitions
Analyze SSP controls SSP document
Compare baseline Both baseline profile AND SSP

If User Asks Without Providing Document

I need the OSCAL document to extract controls from.

For NIST 800-53 controls, you can:
1. Upload the catalog file, or
2. I can fetch from: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

I cannot list controls from memory — compliance requires authoritative sources.

Control Structure

OSCAL security controls have this hierarchy:

Control Family (Group)
└── Control (e.g., AC-1)
    ├── Statement (requirement text)
    ├── Guidance (implementation guidance)
    ├── Parameters (configurable values)
    ├── Parts (additional sections)
    └── Enhancements (sub-controls like AC-1(1))

Control Families (NIST 800-53)

Family Name Description
AC Access Control User access management
AT Awareness & Training Security training
AU Audit & Accountability Logging and monitoring
CA Assessment & Authorization Security assessments
CM Configuration Management System configurations
CP Contingency Planning Disaster recovery
IA Identification & Authentication User identity
IR Incident Response Security incidents
MA Maintenance System maintenance
MP Media Protection Media handling
PE Physical & Environmental Physical security
PL Planning Security planning
PM Program Management Security program
PS Personnel Security Personnel controls
RA Risk Assessment Risk management
SA System Acquisition Development security
SC System & Communications Network security
SI System & Information Integrity Data integrity

How to Extract Controls

Step 1: Identify Document Type

  • Catalog: Contains control definitions
  • Profile: Contains control selections/customizations
  • SSP: Contains control implementations

Step 2: Navigate to Controls

From Catalog:

catalog → groups → controls

From Profile:

profile → imports → include-controls

From SSP:

system-security-plan → control-implementation → implemented-requirements

Step 3: Extract Control Details

For each control, extract:

  • id: Control identifier (e.g., "AC-1")
  • title: Human-readable name
  • class: Control classification
  • parts: Statement, guidance, etc.
  • parameters: Configurable values
  • properties: Baseline levels, etc.
  • controls: Enhancements (nested)

Step 4: Extract Parts

Control parts include:

  • statement: The actual requirement
  • guidance: Implementation guidance
  • objective: Assessment objectives
  • assessment: Assessment methods

To extract statement text:

  1. Find part with name="statement"
  2. Get prose field for text
  3. If part has sub-parts, extract each

Control Statistics

When analyzing controls, calculate:

  • Total control count
  • Controls by family
  • Enhancement count
  • Baseline distribution (LOW/MOD/HIGH)
  • Parameter count

Filtering Controls

By Family

Find all controls where ID starts with family prefix (e.g., "AC-")

By Baseline

Check properties for baseline-impact values:

  • LOW
  • MODERATE
  • HIGH

By Status (in SSP)

Check implementation status:

  • implemented
  • partially-implemented
  • planned
  • not-applicable

Output Format

When extracting controls, provide:

CONTROLS SUMMARY
================
Total Controls: X
Enhancements: Y

By Family:
- AC (Access Control): N controls
- AU (Audit): N controls
...

Control Details:
- AC-1: Access Control Policy and Procedures
  Statement: [requirement text]
  Guidance: [implementation guidance]
  Enhancements: AC-1(1), AC-1(2)

Example Usage

When asked "What access control requirements are in this catalog?":

  1. Parse the catalog
  2. Filter controls where ID starts with "AC"
  3. For each control:
    • Extract ID and title
    • Get statement text
    • Note any enhancements
  4. Report total count
  5. List each control with key details

When asked "What controls are missing in this SSP?":

  1. Parse the SSP
  2. Identify the imported profile/baseline
  3. Get required controls from baseline
  4. Extract implemented controls from SSP
  5. Compare lists
  6. Report gaps with control IDs and titles