AgentSkillsCN

oscal-compliance

在 CI 中应用 TCS-001 进行合约验证、Dagger 模拟、蓝图验收测试,以及 OSCAL/合规性相关工件的生成。

SKILL.md
--- frontmatter
name: oscal-compliance
description: OSCAL compliance framework vocabulary, concepts, and Harmony integration patterns for compliance-as-code features.

OSCAL Compliance Framework

Use this skill when working with compliance-as-code features, OSCAL documents, or integrating with OSCAL Compass tools (Trestle, C2P).

When to Use

  • Implementing or extending compliance features in Harmony
  • Understanding OSCAL document types and relationships
  • Mapping Harmony primitives to OSCAL concepts
  • Working with Trestle, C2P, or other OSCAL tools
  • Building compliance dashboards or SSP generators
  • Adding CapabilityCompliance blocks to capabilities

OSCAL Glossary

TermDefinition
CatalogA collection of security controls (e.g., NIST 800-53, ISO 27001). The authoritative source of control definitions.
ProfileA selection and tailoring of controls from one or more catalogs. Defines which controls apply to a specific environment (e.g., FedRAMP Moderate).
Component DefinitionDescribes how a component (software, service, policy) implements controls. Maps to Harmony Capabilities.
System Security Plan (SSP)Documents how a system implements all applicable controls. The primary compliance artifact for auditors.
Assessment PlanDefines how to evaluate control implementation.
Assessment ResultsFindings from executing an assessment plan.
Plan of Action & Milestones (POA&M)Tracks remediation of control gaps.

Harmony-OSCAL Mapping

Harmony ConceptOSCAL EquivalentNotes
CapabilityComponent DefinitionEach capability declares which controls it satisfies via CapabilityCompliance
BlueprintSystemA blueprint composes capabilities into a deployable system
TenantAuthorization BoundaryTenant config determines which profile and enforcement level apply
CertificationAssessment ResultsAggregated pass/fail results from capability tests
Agent Decision RecordAssessment ActivityCaptures compliance decisions made during execution

Control ID Format

NIST controls follow the pattern: {FAMILY}-{NUMBER}({ENHANCEMENT})

Examples:

  • AC-2 — Account Management
  • AC-6(1) — Least Privilege: Authorize Access to Security Functions
  • AU-3 — Content of Audit Records
  • SC-28(1) — Protection of Information at Rest: Cryptographic Protection

CapabilityCompliance Schema

typescript
interface CapabilityCompliance {
  // Controls this capability helps satisfy
  satisfiesControls: string[];  // e.g., ["AC-2", "AC-6(1)"]
  
  // Controls that MUST be satisfied before this capability can execute
  requiresControls?: string[];  // e.g., ["IA-2"]
  
  // Link to SSP implementation narrative
  implementationRef?: string;
  
  // Evidence artifacts produced
  producesEvidence?: string[];
  
  // Version for staleness detection
  mappingVersion: number;
}

Enforcement Levels

LevelBehavior
ADVISORYLog gaps, proceed without interruption
WARNINGLog gaps, require acknowledgment, then proceed
BLOCKINGHalt execution, require remediation or approval

Related Tools

Compliance Trestle

Python tool for OSCAL document authoring and transformation.

Compliance to Policy (C2P)

Maps OSCAL controls to Kubernetes policies (Kyverno, OPA Gatekeeper).

Instructions

  1. When adding compliance metadata to a capability, use the CapabilityCompliance schema in the security block.
  2. Control IDs should reference the appropriate NIST/OSCAL control family.
  3. Increment mappingVersion whenever satisfiesControls or requiresControls changes.
  4. For enforcement logic, see ADR-001 in docs/adr/.

References