askill
controls-extractor

controls-extractorSafety 100Repository

Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

controls-extractormajiayu000
0 stars
1.2k downloads
Updated 2/5/2026

Package Files

Loading files...
SKILL.md

Controls Extractor Skill

Extract, analyze, and report on security controls from OSCAL documents including catalogs, profiles, and system security plans.

When to Use This Skill

Use this skill when you need to:

  • List all controls in a catalog or profile
  • Extract control statements and guidance
  • Analyze control families and hierarchies
  • Find controls by ID, family, or keyword
  • Get control statistics and coverage metrics
  • Identify control enhancements

⛔ Authoritative Data Requirement

Control extraction works only on user-provided OSCAL documents.

What This Skill Does

  • Parses and extracts data from OSCAL documents you provide
  • Analyzes structure and relationships within your documents
  • Summarizes and reports on what's IN your documents

What This Skill Does NOT Do

  • Generate control lists from training knowledge
  • Provide control definitions without a catalog document
  • Assume what controls exist in a baseline you haven't provided

Required Input

TaskRequired Document
List controlsCatalog or Profile JSON/YAML/XML
Get control textCatalog with the control definitions
Analyze SSP controlsSSP document
Compare baselineBoth baseline profile AND SSP

If User Asks Without Providing Document

I need the OSCAL document to extract controls from.

For NIST 800-53 controls, you can:
1. Upload the catalog file, or
2. I can fetch from: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

I cannot list controls from memory — compliance requires authoritative sources.

Control Structure

OSCAL security controls have this hierarchy:

Control Family (Group)
└── Control (e.g., AC-1)
    ├── Statement (requirement text)
    ├── Guidance (implementation guidance)
    ├── Parameters (configurable values)
    ├── Parts (additional sections)
    └── Enhancements (sub-controls like AC-1(1))

Control Families (NIST 800-53)

FamilyNameDescription
ACAccess ControlUser access management
ATAwareness & TrainingSecurity training
AUAudit & AccountabilityLogging and monitoring
CAAssessment & AuthorizationSecurity assessments
CMConfiguration ManagementSystem configurations
CPContingency PlanningDisaster recovery
IAIdentification & AuthenticationUser identity
IRIncident ResponseSecurity incidents
MAMaintenanceSystem maintenance
MPMedia ProtectionMedia handling
PEPhysical & EnvironmentalPhysical security
PLPlanningSecurity planning
PMProgram ManagementSecurity program
PSPersonnel SecurityPersonnel controls
RARisk AssessmentRisk management
SASystem AcquisitionDevelopment security
SCSystem & CommunicationsNetwork security
SISystem & Information IntegrityData integrity

How to Extract Controls

Step 1: Identify Document Type

  • Catalog: Contains control definitions
  • Profile: Contains control selections/customizations
  • SSP: Contains control implementations

Step 2: Navigate to Controls

From Catalog:

catalog → groups → controls

From Profile:

profile → imports → include-controls

From SSP:

system-security-plan → control-implementation → implemented-requirements

Step 3: Extract Control Details

For each control, extract:

  • id: Control identifier (e.g., "AC-1")
  • title: Human-readable name
  • class: Control classification
  • parts: Statement, guidance, etc.
  • parameters: Configurable values
  • properties: Baseline levels, etc.
  • controls: Enhancements (nested)

Step 4: Extract Parts

Control parts include:

  • statement: The actual requirement
  • guidance: Implementation guidance
  • objective: Assessment objectives
  • assessment: Assessment methods

To extract statement text:

  1. Find part with name="statement"
  2. Get prose field for text
  3. If part has sub-parts, extract each

Control Statistics

When analyzing controls, calculate:

  • Total control count
  • Controls by family
  • Enhancement count
  • Baseline distribution (LOW/MOD/HIGH)
  • Parameter count

Filtering Controls

By Family

Find all controls where ID starts with family prefix (e.g., "AC-")

By Baseline

Check properties for baseline-impact values:

  • LOW
  • MODERATE
  • HIGH

By Status (in SSP)

Check implementation status:

  • implemented
  • partially-implemented
  • planned
  • not-applicable

Output Format

When extracting controls, provide:

CONTROLS SUMMARY
================
Total Controls: X
Enhancements: Y

By Family:
- AC (Access Control): N controls
- AU (Audit): N controls
...

Control Details:
- AC-1: Access Control Policy and Procedures
  Statement: [requirement text]
  Guidance: [implementation guidance]
  Enhancements: AC-1(1), AC-1(2)

Example Usage

When asked "What access control requirements are in this catalog?":

  1. Parse the catalog
  2. Filter controls where ID starts with "AC"
  3. For each control:
    • Extract ID and title
    • Get statement text
    • Note any enhancements
  4. Report total count
  5. List each control with key details

When asked "What controls are missing in this SSP?":

  1. Parse the SSP
  2. Identify the imported profile/baseline
  3. Get required controls from baseline
  4. Extract implemented controls from SSP
  5. Compare lists
  6. Report gaps with control IDs and titles

Install

Download ZIP
Requires askill CLI v1.0+

AI Quality Score

95/100Analyzed 2/12/2026

A high-quality, comprehensive skill for processing OSCAL security documents. It includes clear triggers, structured extraction steps, and critical safety guardrails regarding data authority.

100
95
90
95
95

Metadata

Licenseunknown
Version-
Updated2/5/2026
Publishermajiayu000

Tags

observabilitysecurity