Claude-skill-registry control-implementation-generator

Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/control-implementation-generator" ~/.claude/skills/majiayu000-claude-skill-registry-control-implementation-generator && rm -rf "$T"
manifest: skills/data/control-implementation-generator/SKILL.md
source content

Control Implementation Generator Skill

Generate comprehensive implementation guidance, technical procedures, and deployment plans for security controls based on system context.

When to Use This Skill

Use this skill when you need to:

  • Create control implementation narratives for SSPs
  • Generate technical implementation steps
  • Build implementation timelines
  • Identify tools and resources needed
  • Create system-specific guidance

⛔ Authoritative Data Requirement

What Requires Authoritative Sources

| Requirement | Source Needed |
|---|---|
| Control text/definition | OSCAL catalog document |
| Control parameters | Profile with parameter settings |
| Baseline requirements | FedRAMP/NIST baseline profile |
| Vendor-specific implementation | Vendor documentation |

What You CAN Generate (Templates & Methodology)

  • Narrative structure and format
  • Implementation approach patterns (based on user's stated technology)
  • Timeline templates
  • Effort estimation frameworks
  • General best practices for stated platforms

What You CANNOT Generate

  • Specific control requirement text (must cite from catalog)
  • Parameter values (must come from profile or organization)
  • Vendor configuration details without documentation
  • Compliance claims without evidence

Safe vs Unsafe Examples

✅ Safe: "For AC-2 in your AWS environment, the typical approach involves AWS IAM for identity management combined with..."

⛔ Unsafe: "AC-2 requires organizations to define and document account types within 30 days..." (← This specific requirement must come from the catalog)

If Control Definition Needed

To generate accurate implementation guidance for [control], I need:
• The control definition from your OSCAL catalog
• Your baseline profile (for parameter values)
• Your technology stack (you've stated: [tech])

I can provide implementation templates and patterns, but the specific
control requirements must come from your authoritative catalog.

Implementation Status Options

| Status | Description | SSP Usage |
|---|---|---|
| Implemented | Fully in place | Describe how |
| Partially Implemented | Some aspects complete | Describe what's done, what's remaining |
| Planned | Scheduled for implementation | Describe timeline |
| Alternative | Different approach meeting intent | Describe alternative |
| Not Applicable | Control doesn't apply | Provide justification |

Implementation Methods

| Method | Description | When to Use |
|---|---|---|
| Automated | Technology-enforced | Technical controls |
| Manual | Human-performed | Procedural controls |
| Hybrid | Combination | Complex controls |
| Inherited | Provided by another system | Shared services |

System Types

| Type | Characteristics | Implementation Focus |
|---|---|---|
| Cloud Service | AWS, Azure, GCP | API, IAM, native tools |
| On-Premises | Traditional datacenter | Network, physical |
| Hybrid | Mixed environment | Integration, consistency |
| SaaS | Software service | Configuration, access |

How to Generate Implementation Guidance

Step 1: Understand the Control

Parse the control requirement:

  1. Read the control statement
  2. Identify key requirements
  3. Note any parameters
  4. Review guidance section

Step 2: Assess System Context

Consider:

  • System type (cloud, on-prem, hybrid)
  • Technology stack
  • Existing capabilities
  • Organizational constraints

Step 3: Determine Implementation Method

Based on control type and system:

  • Technical controls → Automated
  • Policy controls → Manual/Hybrid
  • Shared services → Inherited

Step 4: Generate Implementation Steps

For each control, provide:

implementation:
  control_id: AC-2
  status: implemented
  method: hybrid
  
  description: |
    Account management is implemented through Azure Active Directory
    for identity management, combined with automated provisioning
    workflows and quarterly access reviews.
  
  technical_steps:
    - Configure Azure AD as identity provider
    - Implement automated user provisioning via SCIM
    - Configure access review campaigns (quarterly)
    - Enable Privileged Identity Management (PIM)
    - Set up termination automation via HR integration
  
  tools_required:
    - Azure Active Directory Premium P2
    - Azure AD Connect
    - ServiceNow (or HR system)
  
  responsible_roles:
    - IAM Administrator
    - HR Business Partner
    - Application Owners
  
  evidence:
    - Azure AD configuration export
    - Access review completion reports
    - Provisioning workflow documentation
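The catalog-first rule in Steps 1 to 4 (control text and parameter values come from the OSCAL catalog and profile, never from the generator), as an added Python example that is not part of the skill: it pulls a control's statement from a catalog in OSCAL JSON layout, substitutes parameter values from the profile's set-parameters, and reports any parameter the profile does not set instead of guessing it. The catalog and profile are constructed samples; the statement/item part layout, the `{{ insert: param, id }}` placeholder form and the `modify.set-parameters` path are assumed to follow OSCAL, and the function names are mine.

```python
import re

# Constructed sample catalog and profile in the OSCAL JSON layout (not a real NIST excerpt).
CATALOG = {"catalog": {"groups": [{"id": "ac", "controls": [{
    "id": "ac-2", "title": "Account Management", "params": [{"id": "ac-2_prm_1", "label": "time period"}],
    "parts": [{"id": "ac-2_smt", "name": "statement", "prose": "Manage system accounts:", "parts": [
        {"id": "ac-2_smt.a", "name": "item", "prose": "Define and document allowed account types;"},
        {"id": "ac-2_smt.b", "name": "item",
         "prose": "Review accounts for compliance every {{ insert: param, ac-2_prm_1 }}."}]}]}]}]}}
PROFILE = {"profile": {"modify": {"set-parameters": [{"param-id": "ac-2_prm_1", "values": ["90 days"]}]}}}

PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([\w.-]+)\s*\}\}")  # placeholder used in catalog prose

def iter_controls(node):
    # Walk groups and controls recursively; enhancements nest under their parent control.
    for ctl in node.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in node.get("groups", []):
        yield from iter_controls(grp)

def profile_params(profile):
    # param-id -> value string from the profile's set-parameters; empty if nothing is set.
    sets = profile.get("profile", {}).get("modify", {}).get("set-parameters", [])
    return {p["param-id"]: ", ".join(p.get("values", [])) for p in sets}

def flatten(part, lines):
    if part.get("prose"):
        lines.append(part["prose"])
    for sub in part.get("parts", []):  # items a., b., ... nest under the statement part
        flatten(sub, lines)
    return lines

def resolve_control(catalog, profile, control_id):
    """Statement text with profile values filled in; unset params become [ASSIGNMENT: ...] gaps."""
    ctl = next((c for c in iter_controls(catalog["catalog"]) if c["id"] == control_id), None)
    if ctl is None:
        raise KeyError(f"{control_id} is not in the supplied catalog")
    labels = {p["id"]: p.get("label", p["id"]) for p in ctl.get("params", [])}
    values, unresolved = profile_params(profile), set()
    def fill(match):
        pid = match.group(1)
        if pid in values:
            return values[pid]
        unresolved.add(pid)
        return f"[ASSIGNMENT: {labels.get(pid, pid)}]"
    statement = [PARAM_RE.sub(fill, line) for part in ctl.get("parts", [])
                 if part.get("name") == "statement" for line in flatten(part, [])]
    return {"control_id": ctl["id"].upper(), "title": ctl["title"],
            "statement": statement, "unresolved_params": sorted(unresolved)}
```

A non-empty `unresolved_params` list is the signal to ask for the baseline profile rather than to fill the gap, which is the behaviour the authoritative-data requirement above calls for.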

Implementation Narrative Templates

For Policy Controls (e.g., AC-1)

[Organization] has developed, documented, and disseminated an 
access control policy that:
a. Addresses purpose, scope, roles, responsibilities, and compliance
b. Is consistent with applicable laws and regulations
c. Is reviewed and updated [frequency]

The policy is maintained in [location] and communicated to all 
personnel via [method]. The [role] is responsible for policy 
maintenance and updates.

For Technical Controls (e.g., IA-2)

The system implements multi-factor authentication through 
[solution] for all user access. Authentication factors include:
- Something you know: Password meeting complexity requirements
- Something you have: [Authenticator app / Hardware token / SMS]

Configuration: [Specific settings]
Enforcement: [How it's enforced]
Exceptions: [Any approved exceptions]

For Hybrid Controls (e.g., AC-2)

Account management is implemented through a combination of:

Technical Controls:
- [Identity system] manages user accounts
- Automated provisioning via [method]
- [Tool] enforces access policies

Procedural Controls:
- Access requests submitted via [process]
- Manager approval required for all access
- Quarterly access reviews conducted by [role]

Implementation Effort Estimation

| Complexity | Hours | Description |
|---|---|---|
| Low | 1-8 | Configuration change |
| Medium | 8-40 | New tool/process |
| High | 40-160 | Major implementation |
| Very High | 160+ | Program-level effort |

Implementation Plan Structure

CONTROL IMPLEMENTATION PLAN
===========================
Control: CM-6 (Configuration Settings)
System: Production Web Environment
Timeline: Q2 2024

Phase 1: Planning (Week 1-2)
- Define baseline configurations
- Identify configuration management tools
- Create change management process

Phase 2: Implementation (Week 3-6)
- Deploy configuration management tool
- Apply baseline configurations
- Test and validate settings

Phase 3: Monitoring (Week 7-8)
- Configure drift detection
- Set up alerting
- Document procedures

Resources Required:
- Security Engineer: 40 hours
- Systems Administrator: 60 hours
- Tool licensing: [Cost]

Dependencies:
- CM-2 (Baseline Configuration) must be complete
- Change management process approved

Common Implementation Patterns

Cloud (AWS Example)

| Control | AWS Implementation |
|---|---|
| AC-2 | IAM + AWS SSO + Organizations |
| AU-2 | CloudTrail + CloudWatch Logs |
| CM-2 | Config Rules + Systems Manager |
| SC-7 | VPC + Security Groups + WAF |

Azure Example

| Control | Azure Implementation |
|---|---|
| AC-2 | Azure AD + PIM |
| AU-2 | Azure Monitor + Log Analytics |
| CM-2 | Azure Policy + Automation |
| SC-7 | NSG + Azure Firewall + Front Door |

Example Usage

When asked "How should I implement IA-2 for a cloud system?":

  1. Parse IA-2 requirements (identification and authentication)
  2. Assess system type (cloud)
  3. Identify cloud-native options:
    • AWS: Cognito, IAM Identity Center
    • Azure: Azure AD, Conditional Access
    • GCP: Cloud Identity, IAP
  4. Generate implementation steps
  5. Specify MFA requirements
  6. Create implementation narrative
  7. Estimate effort and timeline