AgentSkillsCN

trestle-oscal-models

了解 OSCAL 模型的类型、它们之间的关系,以及在 Compliance Trestle 中的管理方式。适用于用户询问 OSCAL 文档、模型类型、目录、概要、SSP、组件定义,或不同合规模型之间如何相互关联时使用。

SKILL.md
--- frontmatter
name: trestle-oscal-models
description: >-
  Knowledge about OSCAL model types, their relationships, and how they are managed in Compliance Trestle.
  Use when users ask about OSCAL documents, model types, catalogs, profiles, SSPs, component definitions,
  or how different compliance models relate to each other.
allowed-tools: Bash, Read, Glob, Grep

OSCAL Model Types in Trestle

The 7 OSCAL Model Types

Model TypeCLI NameDirectoryDescription
Catalogcatalogcatalogs/Collection of security controls (e.g., NIST 800-53)
Profileprofileprofiles/Selection and modification of controls from catalogs
Component Definitioncomponent-definitioncomponent-definitions/How a component implements controls
System Security Plansystem-security-plansystem-security-plans/Complete system security documentation
Assessment Planassessment-planassessment-plans/Plan for assessing security controls
Assessment Resultsassessment-resultsassessment-results/Results of security assessment
POA&Mplan-of-action-and-milestonesplan-of-action-and-milestones/Remediation tracking

Model Relationships

code
Catalog (controls)
    ↓ imports
Profile (selects + modifies controls)
    ↓ resolved profile catalog
Component Definition (how components implement controls)
    ↓ combined
System Security Plan (complete system documentation)
    ↓ assessed by
Assessment Plan → Assessment Results → POA&M

The Catalog → Profile → SSP Chain

  1. Catalog defines controls (e.g., NIST 800-53 has ~1000 controls)
  2. Profile imports controls from catalogs/profiles, selects subset, modifies parameters
  3. Resolved Profile Catalog is the effective set of controls after profile modifications
  4. Component Definition describes how specific components address controls
  5. SSP combines profile + component definitions into implementation documentation

Profile Imports

A profile can import from:

  • One or more catalogs
  • One or more other profiles
  • A mix of catalogs and profiles

Each import selects specific controls and can modify parameters and add content.

Common OSCAL Fields

All models share:

  • uuid - Unique identifier
  • metadata - Title, version, last-modified, oscal-version, roles, parties
  • back-matter - Resources, citations, attachments

File Formats

  • JSON (default): .json
  • YAML: .yaml or .yml
  • Within one model directory, don't mix formats

Element Paths

Trestle uses dot-notation to address elements within models:

  • catalog.metadata - The metadata of a catalog
  • catalog.groups.*.controls.* - All controls in all groups
  • catalog.groups.0.controls.3 - Specific control (0-indexed)

Rules:

  • Paths are relative to the file being operated on
  • Use * wildcard for arrays (quote on *nix shells)
  • Array syntax can be skipped: catalog.controls.control = catalog.groups.controls.control

Trestle Operations on Models

OperationCommandDescription
Createtrestle create -t <type> -o <name>Create bare-bones sample model
Importtrestle import -f <file> -o <name>Import existing OSCAL file
Splittrestle split -f <file> -e <elements>Decompose into sub-files
Mergetrestle merge -e <elements>Reassemble split files
Describetrestle describe -f <file> -e <element>Inspect model structure
Validatetrestle validate -f <file> or -t <type> -n <name> or -aCheck model integrity
Assembletrestle assemble <type> -n <name>Combine split parts to dist/
Replicatetrestle replicate <type> -n <name> -o <new>Copy/rename model

SSP Special Concepts

  • This System component: Default component in every SSP (name: "This System")
  • By-Component responses: Implementation prose organized by component
  • Rules and Parameters: Embedded in component definition properties, propagated to SSP
  • Implementation Status: Tracked per-component per-control
  • Leveraged SSPs: Inheritance from provider systems

Persona Ownership

Each OSCAL model type has a primary owner persona responsible for authoring and maintaining it:

Model TypePrimary PersonaTrestle CommandsNotes
CatalogRegulatorscatalog-generate, catalog-assembleSource of truth for controls
ProfileCompliance Officers / CISOprofile-generate, profile-assembleTailored baselines with org guidance
Component Definition (Service)Control Providers (vendors)csv-to-oscal-cd, component-generate/assembleMaps controls to product rules
Component Definition (Validation)Control Assessors (PVP vendors)csv-to-oscal-cd (with Check_Id)Maps rules to automated checks
System Security PlanSystem Owners / CIOssp-generate, ssp-assembleCombines profile + compdefs
Assessment PlanAssessors / CISOcreate, split, mergeDefines assessment scope
Assessment ResultsAssessors / PVP toolsxccdf-result-to-oscal-ar, tanium-result-to-oscal-arScan findings
POA&MSystem Ownerscreate, split, mergeRemediation tracking

In real organizations, one person may fill multiple persona roles. The ownership mapping is logical (separation of duties), not necessarily physical (one person per artifact).

Component Definition: The Bridge Artifact

The component definition plays a unique bridging role in the OSCAL model chain. It connects regulatory controls (governance layer) to automated assessment (technical layer) through two distinct component types:

Layer 1 — Service Components (Control-to-Rule)

Service components declare which technology-specific rules implement a regulation control:

  • Authored by product vendors and service providers
  • Maps: Control (e.g., AC-2) --> Rule (e.g., rule-account-types) --> Parameter (e.g., timeout=15min)
  • Created via CSV spreadsheet (csv-to-oscal-cd with Component_Type=Service)
  • Prose responses added via markdown (component-generate / component-assemble)

Layer 2 — Validation Components (Rule-to-Check)

Validation components declare which PVP checks validate a rule:

  • Authored by assessment tool vendors and compliance engineers
  • Maps: Rule (e.g., rule-account-types) --> Check_Id (e.g., test_github.GitHubOrgs.test_members_is_not_empty)
  • Created via CSV spreadsheet (csv-to-oscal-cd with Component_Type=Validation and Check_Id column)
  • Consumed by C2P (Compliance-to-Policy) to bridge to runtime assessment

End-to-End Traceability

Together, the two layers create the full compliance automation chain:

code
Regulation Control (NIST AC-2)
    --> Service Rule (rule-account-types)
        --> Validation Check (test_github.GitHubOrgs.test_members)
            --> Assessment Result (pass/fail)
                --> Control Posture (satisfied/not-satisfied)

This traceability enables automated posture computation: given PVP results, map backward through component definitions to determine control-level compliance status.

For full pipeline details, see the trestle-compliance-pipeline skill.