OSCAL Visualizer Skill
Create visual representations of OSCAL documents to help understand control structures, relationships, and compliance status.
When to Use This Skill
Use this skill when you need to:
- Visualize control hierarchies and families
- Show component relationships
- Display implementation coverage
- Create SSP overview diagrams
- Generate assessment flow charts
- Produce compliance dashboards
✅ Data Source Principle
This skill creates visualizations from documents you provide. All diagram content reflects your OSCAL data — no compliance information is generated from training knowledge.
Diagram Types
| Type | Purpose | Best For |
|---|---|---|
| Control Hierarchy | Show control families and relationships | Catalogs, profiles |
| Component Relationships | Map components to controls | Component definitions |
| Implementation Flow | Show how controls are implemented | SSPs |
| Profile Inheritance | Display profile layering | Profiles |
| SSP Overview | System security summary | SSPs |
| Assessment Flow | Assessment process visualization | SAP, SAR |
Visualization Color Schemes
Control Families
| Family | Color | Hex |
|---|---|---|
| AC (Access Control) | Red | #FF6B6B |
| AU (Audit) | Teal | #4ECDC4 |
| CM (Config Mgmt) | Green | #96CEB4 |
| IA (Auth) | Purple | #DDA0DD |
| SC (Sys/Comm) | Med Purple | #9370DB |
| SI (Integrity) | Turquoise | #00CED1 |
Implementation Status
| Status | Color | Symbol |
|---|---|---|
| Implemented | Green | ✅ |
| Partial | Yellow | ⚠️ |
| Planned | Blue | 🔵 |
| Not Applicable | Gray | ➖ |
| Missing | Red | ❌ |
How to Create Visualizations
Control Hierarchy Diagram
For catalogs and profiles:
```
NIST 800-53 Rev 5
├── Access Control (AC) [20 controls]
│   ├── AC-1: Policy and Procedures
│   ├── AC-2: Account Management
│   │   ├── AC-2(1): Automated Management
│   │   ├── AC-2(2): Automated Temporary Accounts
│   │   └── AC-2(3): Disable Accounts
│   └── AC-3: Access Enforcement
│       └── AC-3(1): Restricted Access
├── Audit and Accountability (AU) [16 controls]
│   ├── AU-1: Policy and Procedures
│   └── AU-2: Event Logging
...
```
Component Relationship Diagram
```
┌─────────────────────────────────────────────────┐
│                     SYSTEM                      │
├─────────────────────────────────────────────────┤
│                                                 │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐   │
│  │ Azure AD │────│ App Svc  │────│ Azure DB │   │
│  └────┬─────┘    └────┬─────┘    └────┬─────┘   │
│       │               │               │         │
│  ┌────┴─────┐    ┌────┴─────┐    ┌────┴─────┐   │
│  │ AC-2,IA-2│    │ SC-7,CM-6│    │SC-28,AU-2│   │
│  │ IA-5,AU-2│    │ SI-3,SI-4│    │ AC-3,SC-8│   │
│  └──────────┘    └──────────┘    └──────────┘   │
│                                                 │
└─────────────────────────────────────────────────┘
```
Implementation Status Heatmap
```
CONTROL IMPLEMENTATION STATUS
=============================
     AC  AT  AU  CA  CM  CP  IA  IR  MA  MP  PE  PL  PM  PS  RA  SA  SC  SI
    ┌───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┬───┐
Imp │███│███│███│███│███│░░░│███│███│███│███│░░░│███│███│███│███│███│███│███│
Par │░░░│░░░│░░░│░░░│░░░│███│░░░│░░░│░░░│░░░│███│░░░│░░░│░░░│░░░│░░░│░░░│░░░│
Pln │░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│
N/A │░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│░░░│
    └───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Legend: ███ = Present  ░░░ = None
```
SSP Overview Diagram
```
┌─────────────────────────────────────────────────────────────┐
│                    SYSTEM SECURITY PLAN                     │
│                    [System Name v1.0.0]                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────────┐      ┌─────────────┐      ┌─────────────┐  │
│  │  METADATA   │      │   PROFILE   │      │   SYSTEM    │  │
│  │             │      │   IMPORT    │      │    CHARS    │  │
│  │ FedRAMP Mod │──────│ NIST 800-53 │──────│ Cloud SaaS  │  │
│  │  v2024.01   │      │  Moderate   │      │  Boundary   │  │
│  └─────────────┘      └─────────────┘      └─────────────┘  │
│                              │                              │
│                              ▼                              │
│  ┌───────────────────────────────────────────────────────┐  │
│  │                CONTROL IMPLEMENTATION                 │  │
│  │                                                       │  │
│  │  Controls: 325    Implemented: 287 (88%)              │  │
│  │  Partial: 25      Planned: 10      N/A: 3             │  │
│  │                                                       │  │
│  │   ┌────────┐   ┌────────┐   ┌────────┐   ┌────────┐   │  │
│  │   │AC: 100%│   │AU: 95% │   │CM: 90% │   │SC: 85% │   │  │
│  │   └────────┘   └────────┘   └────────┘   └────────┘   │  │
│  └───────────────────────────────────────────────────────┘  │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
Profile Inheritance Diagram
```
            ┌──────────────────┐
            │   NIST 800-53    │
            │    (Catalog)     │
            │  1189 controls   │
            └────────┬─────────┘
                     │
      ┌──────────────┼──────────────┐
      ▼              ▼              ▼
┌───────────┐  ┌───────────┐  ┌───────────┐
│    LOW    │  │ MODERATE  │  │   HIGH    │
│ Baseline  │  │ Baseline  │  │ Baseline  │
│ 200 ctrls │  │ 325 ctrls │  │ 421 ctrls │
└─────┬─────┘  └─────┬─────┘  └─────┬─────┘
      │              │              │
      ▼              ▼              ▼
┌───────────┐  ┌───────────┐  ┌───────────┐
│  FedRAMP  │  │  FedRAMP  │  │  FedRAMP  │
│    LOW    │  │ MODERATE  │  │   HIGH    │
│ +tailored │  │ +tailored │  │ +tailored │
└───────────┘  └───────────┘  └───────────┘
```
Compliance Dashboard View
```
╔═══════════════════════════════════════════════════════════╗
║                   COMPLIANCE DASHBOARD                    ║
╠═══════════════════════════════════════════════════════════╣
║                                                           ║
║  OVERALL COMPLIANCE            RISK LEVEL                 ║
║  ┌────────────────┐            ┌────────────────┐         ║
║  │      88%       │            │    MODERATE    │         ║
║  │   ████████░░   │            │     ▲▲▲░░      │         ║
║  └────────────────┘            └────────────────┘         ║
║                                                           ║
║  CONTROL STATUS                POA&M STATUS               ║
║  ┌──────────────────┐          ┌──────────────────┐       ║
║  │ ✅ Impl: 287     │          │ Open: 15         │       ║
║  │ ⚠️ Partial: 25   │          │ In Progress: 8   │       ║
║  │ 🔵 Planned: 10   │          │ Overdue: 3       │       ║
║  │ ➖ N/A: 3        │          │ Closed (30d): 12 │       ║
║  └──────────────────┘          └──────────────────┘       ║
║                                                           ║
║  FAMILY COVERAGE                                          ║
║  AC ████████████████████ 100%                             ║
║  AU ██████████████████░░  95%                             ║
║  CM ████████████████░░░░  90%                             ║
║  IA ██████████████████░░  95%                             ║
║  SC █████████████████░░░  85%                             ║
║                                                           ║
╚═══════════════════════════════════════════════════════════╝
```
Output Formats
| Format | Use Case |
|---|---|
| ASCII | Terminal display, text reports |
| Mermaid | Documentation, GitHub |
| DOT/Graphviz | Complex relationships |
| SVG | Web display |
| Markdown tables | Documentation |
Example Usage
When asked "Visualize the control coverage in this SSP":
- Parse the SSP document
- Extract control implementations
- Group by family
- Calculate percentages by status
- Generate appropriate visualization
- Include legend and summary statistics
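
The steps above, carried through on a small SSP, as an added example that is not part of the skill's own code. It assumes OSCAL JSON with status recorded under `by-components[].implementation-status.state`; the function names, the constructed sample data, and the rule that a control takes the weakest state reported by any component (with absent or unrecognised states counted as missing) are this example's choices.

```python
import json
from collections import Counter, defaultdict

# Weakest-first ranking (example's assumption): a control takes the weakest
# state any of its components reports.
RANK = {"missing": 0, "planned": 1, "partial": 2, "implemented": 3, "not-applicable": 4}

# Constructed sample SSP fragment (not real system data).
SAMPLE_SSP = json.dumps({"system-security-plan": {"control-implementation": {
    "implemented-requirements": [
        {"control-id": "ac-1", "by-components": [
            {"implementation-status": {"state": "implemented"}}]},
        {"control-id": "ac-2", "by-components": [
            {"implementation-status": {"state": "implemented"}},
            {"implementation-status": {"state": "planned"}}]},
        {"control-id": "ac-2.1", "by-components": []},
        {"control-id": "au-2", "by-components": [
            {"implementation-status": {"state": "partial"}}]},
        {"control-id": "au-3", "by-components": [
            {"implementation-status": {"state": "not-applicable"}}]},
    ]}}})

def control_status(req):
    """Weakest state across components; absent or unknown states count as missing."""
    states = [c.get("implementation-status", {}).get("state", "missing")
              for c in req.get("by-components", [])] or ["missing"]
    return min((s if s in RANK else "missing" for s in states), key=RANK.get)

def coverage_by_family(ssp_json):
    """Return {family: Counter(status -> count)} over all implemented requirements."""
    reqs = (json.loads(ssp_json)["system-security-plan"]
            ["control-implementation"]["implemented-requirements"])
    families = defaultdict(Counter)
    for req in reqs:
        family = req["control-id"].split("-")[0].upper()  # "ac-2.1" -> "AC"
        families[family][control_status(req)] += 1
    return families

def render(families, width=20):
    """One bar per family: share of controls fully implemented, plus raw counts."""
    lines = []
    for family in sorted(families):
        counts = families[family]
        total = sum(counts.values())
        pct = round(100 * counts["implemented"] / total)
        filled = width * counts["implemented"] // total
        lines.append(f"{family} {'█' * filled}{'░' * (width - filled)} {pct:3d}%  "
                     + " ".join(f"{s}={n}" for s, n in sorted(counts.items())))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(coverage_by_family(SAMPLE_SSP)))
```

Printing the per-status counts beside each bar keeps the summary statistics visible, so a family that looks low because of planned work can be told apart from one with controls that have no recorded status.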