Workflow Orchestrator Skill
Orchestrate complex, multi-step compliance workflows that combine multiple skills for comprehensive OSCAL processing and analysis.
When to Use This Skill
Use this skill when you need to:
- •Perform end-to-end compliance assessments
- •Chain multiple analysis steps together
- •Automate repetitive compliance workflows
- •Execute continuous monitoring checks
- •Process compliance packages comprehensively
⛔ Authoritative Data Requirement
Workflows operate on user-provided documents and chain other skills together.
Required Documents Per Workflow
| Workflow | Required Documents |
|---|---|
| FedRAMP Review | SSP, POA&M, Baseline Profile |
| Gap Analysis | Baseline Catalog + SSP |
| Continuous Monitoring | Current SSP, Previous SSP, POA&M |
| SSP Review | SSP + Baseline Profile |
| Multi-Framework Mapping | Source catalog + Target mapping document |
Inherited Requirements
Each skill invoked in a workflow inherits its own authoritative data requirements. If a workflow step needs a baseline catalog, the workflow will stop and request it.
Available Workflows
| Workflow | Purpose | Skills Used |
|---|---|---|
| FedRAMP Review | Review authorization package | Parser, Validator, Extractor, Risk Assessor |
| Gap Analysis | Identify missing controls | Parser, Extractor, Mapper, Report Generator |
| Continuous Monitoring | Regular compliance check | Parser, Validator, Risk Assessor, Report Generator |
| SSP Review | Validate SSP completeness | Parser, Validator, Extractor, Evidence Collector |
| Multi-Framework Mapping | Map across standards | Parser, Extractor, Mapper, Report Generator |
Workflow Components
Tasks
Individual steps that execute a skill:
task:
id: parse-ssp
name: Parse SSP Document
skill: oscal-parser
parameters:
file: fedramp_ssp.json
depends_on: []
Dependencies
Tasks can depend on other tasks:
task:
id: extract-controls
name: Extract Controls
skill: controls-extractor
depends_on:
- parse-ssp # Must complete first
Artifacts
Outputs passed between tasks:
artifacts:
- name: parsed_data
from: parse-ssp
to: extract-controls
Validation Gates
CRITICAL: Workflows that generate OSCAL documents MUST include validation gates.
task:
id: validate-output
name: Validate Generated OSCAL
skill: oscal-validator
depends_on:
- generate-component
validation_checks:
- uuid_format
- metadata_complete
- schema_valid
- references_valid
Required Validation Tasks:
- •After any generation task, add validation task
- •Use
oscal-validatorfor basic checks - •Use model-specific validators (e.g.,
oscal-ssp-validator) for detailed checks - •Fail workflow if validation fails
Example with Validation:
workflow:
- task: generate-component-def
skill: component-definition-builder
- task: validate-component # ← REQUIRED
skill: oscal-validator
parameters:
document: output-from-generate-component-def
stop_on_error: true
- task: next-step
skill: ...
depends_on: [validate-component] # Only proceeds if valid
Predefined Workflows
FedRAMP Package Review
Purpose: Comprehensive review of FedRAMP authorization package
Steps:
- •Parse Documents - Parse SSP, SAR, POA&M
- •Validate Structure - Check all documents for validity
- •Extract Controls - Get all control implementations
- •Check Completeness - Verify all baseline controls addressed
- •Assess Risks - Identify and score risks
- •Generate Report - Create review findings
Output:
FEDRAMP PACKAGE REVIEW ====================== System: [Name] Baseline: [Moderate] Review Date: [Date] Document Validation: - SSP: ✅ Valid - SAR: ✅ Valid - POA&M: ⚠️ 2 issues Control Coverage: - Required: 325 - Documented: 320 (98.5%) - Missing: 5 Risk Summary: - High Risks: 3 - Moderate Risks: 8 - POA&M Items: 15 Recommendation: [READY / NOT READY]
Gap Analysis Workflow
Purpose: Identify compliance gaps against a framework
Steps:
- •Parse Current State - Parse existing SSP/documentation
- •Extract Implemented Controls - Get what's implemented
- •Load Target Baseline - Get required controls
- •Compare - Find differences
- •Map to Other Frameworks - Cross-reference if needed
- •Generate Gap Report - Document findings
Output:
GAP ANALYSIS REPORT ================== Current: NIST 800-53 Low Target: NIST 800-53 Moderate New Controls Required: 125 Already Implemented: 200 Estimated Effort: 480 hours Priority Gaps: 1. SI-4 - Security Monitoring (HIGH) 2. CA-7 - Continuous Monitoring (HIGH) 3. IR-4 - Incident Handling (MEDIUM)
Continuous Monitoring Workflow
Purpose: Regular automated compliance check
Steps:
- •Parse Latest Documents - Get current state
- •Validate All Documents - Check for issues
- •Check for Changes - Compare to baseline
- •Assess New Risks - Score any changes
- •Update POA&M - Track any issues
- •Generate Status Report - Monthly report
Frequency: Daily/Weekly/Monthly
How to Execute Workflows
Step 1: Select Workflow
Choose appropriate workflow for the task.
Step 2: Gather Inputs
Collect required documents:
- •OSCAL files (SSP, SAR, POA&M, etc.)
- •Baseline/profile references
- •Configuration parameters
Step 3: Execute Tasks
Run each task in dependency order:
- •Check dependencies are satisfied
- •Execute the skill
- •Collect outputs/artifacts
- •Pass to dependent tasks
Step 4: Handle Errors
If a task fails:
- •Log the error
- •Determine if workflow can continue
- •Skip dependent tasks if needed
- •Include in final report
Step 5: Compile Results
Aggregate outputs from all tasks into comprehensive report.
Custom Workflow Definition
Create custom workflows:
workflow:
id: custom-review
name: Quarterly Compliance Review
description: Q4 compliance status assessment
tasks:
- id: parse-ssp
skill: oscal-parser
params:
file: current_ssp.json
- id: validate
skill: oscal-validator
depends_on: [parse-ssp]
- id: extract
skill: controls-extractor
depends_on: [parse-ssp]
- id: assess-risk
skill: risk-assessor
depends_on: [extract]
- id: report
skill: compliance-report-generator
depends_on: [validate, extract, assess-risk]
params:
format: markdown
type: executive-summary
output:
format: markdown
destination: reports/q4-review.md
Workflow Status Tracking
| Status | Meaning |
|---|---|
| Pending | Not started |
| Running | In progress |
| Completed | Successfully finished |
| Failed | Error encountered |
| Cancelled | Manually stopped |
Example Usage
When asked "Review this FedRAMP package for readiness":
- •Initialize FedRAMP Review workflow
- •Parse all provided documents (SSP, SAR, POA&M)
- •Validate each document structure
- •Extract and count controls
- •Compare against FedRAMP Moderate baseline
- •Identify gaps and risks
- •Score overall readiness
- •Generate comprehensive review report
- •Provide go/no-go recommendation