AgentSkillsCN

controls-extractor

从OSCAL目录、概要与SSP中提取并分析安全控制。通过此技能,可获取关于控制层级、控制声明、参数设置以及实施状态的详细信息,从而开展合规性分析。

SKILL.md
--- frontmatter
name: controls-extractor
description: Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

Controls Extractor Skill

Extract, analyze, and report on security controls from OSCAL documents including catalogs, profiles, and system security plans.

When to Use This Skill

Use this skill when you need to:

  • List all controls in a catalog or profile
  • Extract control statements and guidance
  • Analyze control families and hierarchies
  • Find controls by ID, family, or keyword
  • Get control statistics and coverage metrics
  • Identify control enhancements

⛔ Authoritative Data Requirement

Control extraction works only on user-provided OSCAL documents.

What This Skill Does

  • Parses and extracts data from OSCAL documents you provide
  • Analyzes structure and relationships within your documents
  • Summarizes and reports on what's IN your documents

What This Skill Does NOT Do

  • Generate control lists from training knowledge
  • Provide control definitions without a catalog document
  • Assume what controls exist in a baseline you haven't provided

Required Input

TaskRequired Document
List controlsCatalog or Profile JSON/YAML/XML
Get control textCatalog with the control definitions
Analyze SSP controlsSSP document
Compare baselineBoth baseline profile AND SSP

If User Asks Without Providing Document

code
I need the OSCAL document to extract controls from.

For NIST 800-53 controls, you can:
1. Upload the catalog file, or
2. I can fetch from: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

I cannot list controls from memory — compliance requires authoritative sources.

Control Structure

OSCAL security controls have this hierarchy:

code
Control Family (Group)
└── Control (e.g., AC-1)
    ├── Statement (requirement text)
    ├── Guidance (implementation guidance)
    ├── Parameters (configurable values)
    ├── Parts (additional sections)
    └── Enhancements (sub-controls like AC-1(1))

Control Families (NIST 800-53)

FamilyNameDescription
ACAccess ControlUser access management
ATAwareness & TrainingSecurity training
AUAudit & AccountabilityLogging and monitoring
CAAssessment & AuthorizationSecurity assessments
CMConfiguration ManagementSystem configurations
CPContingency PlanningDisaster recovery
IAIdentification & AuthenticationUser identity
IRIncident ResponseSecurity incidents
MAMaintenanceSystem maintenance
MPMedia ProtectionMedia handling
PEPhysical & EnvironmentalPhysical security
PLPlanningSecurity planning
PMProgram ManagementSecurity program
PSPersonnel SecurityPersonnel controls
RARisk AssessmentRisk management
SASystem AcquisitionDevelopment security
SCSystem & CommunicationsNetwork security
SISystem & Information IntegrityData integrity

How to Extract Controls

Step 1: Identify Document Type

  • Catalog: Contains control definitions
  • Profile: Contains control selections/customizations
  • SSP: Contains control implementations

Step 2: Navigate to Controls

From Catalog:

code
catalog → groups → controls

From Profile:

code
profile → imports → include-controls

From SSP:

code
system-security-plan → control-implementation → implemented-requirements

Step 3: Extract Control Details

For each control, extract:

  • id: Control identifier (e.g., "AC-1")
  • title: Human-readable name
  • class: Control classification
  • parts: Statement, guidance, etc.
  • parameters: Configurable values
  • properties: Baseline levels, etc.
  • controls: Enhancements (nested)

Step 4: Extract Parts

Control parts include:

  • statement: The actual requirement
  • guidance: Implementation guidance
  • objective: Assessment objectives
  • assessment: Assessment methods

To extract statement text:

  1. Find part with name="statement"
  2. Get prose field for text
  3. If part has sub-parts, extract each

Control Statistics

When analyzing controls, calculate:

  • Total control count
  • Controls by family
  • Enhancement count
  • Baseline distribution (LOW/MOD/HIGH)
  • Parameter count

Filtering Controls

By Family

Find all controls where ID starts with family prefix (e.g., "AC-")

By Baseline

Check properties for baseline-impact values:

  • LOW
  • MODERATE
  • HIGH

By Status (in SSP)

Check implementation status:

  • implemented
  • partially-implemented
  • planned
  • not-applicable

Output Format

When extracting controls, provide:

code
CONTROLS SUMMARY
================
Total Controls: X
Enhancements: Y

By Family:
- AC (Access Control): N controls
- AU (Audit): N controls
...

Control Details:
- AC-1: Access Control Policy and Procedures
  Statement: [requirement text]
  Guidance: [implementation guidance]
  Enhancements: AC-1(1), AC-1(2)

Example Usage

When asked "What access control requirements are in this catalog?":

  1. Parse the catalog
  2. Filter controls where ID starts with "AC"
  3. For each control:
    • Extract ID and title
    • Get statement text
    • Note any enhancements
  4. Report total count
  5. List each control with key details

When asked "What controls are missing in this SSP?":

  1. Parse the SSP
  2. Identify the imported profile/baseline
  3. Get required controls from baseline
  4. Extract implemented controls from SSP
  5. Compare lists
  6. Report gaps with control IDs and titles