Claude-skill-registry controls-extractor

Extract and analyze security controls from OSCAL catalogs, profiles, and SSPs. Use this skill to get detailed information about control hierarchies, statements, parameters, and implementation status for compliance analysis.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/controls-extractor" ~/.claude/skills/majiayu000-claude-skill-registry-controls-extractor && rm -rf "$T"

manifest: skills/data/controls-extractor/SKILL.md

Controls Extractor Skill

Extract, analyze, and report on security controls from OSCAL documents including catalogs, profiles, and system security plans.

When to Use This Skill

Use this skill when you need to:

List all controls in a catalog or profile
Extract control statements and guidance
Analyze control families and hierarchies
Find controls by ID, family, or keyword
Get control statistics and coverage metrics
Identify control enhancements

⛔ Authoritative Data Requirement

Control extraction works only on user-provided OSCAL documents.

What This Skill Does

Parses and extracts data from OSCAL documents you provide
Analyzes structure and relationships within your documents
Summarizes and reports on what's IN your documents

What This Skill Does NOT Do

Generate control lists from training knowledge
Provide control definitions without a catalog document
Assume what controls exist in a baseline you haven't provided

Required Input

Task	Required Document
List controls	Catalog or Profile JSON/YAML/XML
Get control text	Catalog with the control definitions
Analyze SSP controls	SSP document
Compare baseline	Both baseline profile AND SSP

If User Asks Without Providing Document

I need the OSCAL document to extract controls from.

For NIST 800-53 controls, you can:
1. Upload the catalog file, or
2. I can fetch from: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

I cannot list controls from memory — compliance requires authoritative sources.

Control Structure

OSCAL security controls have this hierarchy:

Control Family (Group)
└── Control (e.g., AC-1)
    ├── Statement (requirement text)
    ├── Guidance (implementation guidance)
    ├── Parameters (configurable values)
    ├── Parts (additional sections)
    └── Enhancements (sub-controls like AC-1(1))

Control Families (NIST 800-53)

Family	Name	Description
AC	Access Control	User access management
AT	Awareness & Training	Security training
AU	Audit & Accountability	Logging and monitoring
CA	Assessment & Authorization	Security assessments
CM	Configuration Management	System configurations
CP	Contingency Planning	Disaster recovery
IA	Identification & Authentication	User identity
IR	Incident Response	Security incidents
MA	Maintenance	System maintenance
MP	Media Protection	Media handling
PE	Physical & Environmental	Physical security
PL	Planning	Security planning
PM	Program Management	Security program
PS	Personnel Security	Personnel controls
RA	Risk Assessment	Risk management
SA	System Acquisition	Development security
SC	System & Communications	Network security
SI	System & Information Integrity	Data integrity

How to Extract Controls

Step 1: Identify Document Type

Catalog: Contains control definitions
Profile: Contains control selections/customizations
SSP: Contains control implementations

Step 2: Navigate to Controls

From Catalog:

catalog → groups → controls

From Profile:

profile → imports → include-controls

From SSP:

system-security-plan → control-implementation → implemented-requirements

Step 3: Extract Control Details

For each control, extract:

id: Control identifier (e.g., "AC-1")
title: Human-readable name
class: Control classification
parts: Statement, guidance, etc.
parameters: Configurable values
properties: Baseline levels, etc.
controls: Enhancements (nested)

Step 4: Extract Parts

Control parts include:

statement: The actual requirement
guidance: Implementation guidance
objective: Assessment objectives
assessment: Assessment methods

To extract statement text:

Find part with
```
name="statement"
```
Get
```
prose
```
field for text
If part has sub-parts, extract each

Control Statistics

When analyzing controls, calculate:

Total control count
Controls by family
Enhancement count
Baseline distribution (LOW/MOD/HIGH)
Parameter count

Filtering Controls

By Family

Find all controls where ID starts with family prefix (e.g., "AC-")

By Baseline

Check properties for

baseline-impact

values:

LOW
MODERATE
HIGH

By Status (in SSP)

Check implementation status:

implemented
partially-implemented
planned
not-applicable

Output Format

When extracting controls, provide:

CONTROLS SUMMARY
================
Total Controls: X
Enhancements: Y

By Family:
- AC (Access Control): N controls
- AU (Audit): N controls
...

Control Details:
- AC-1: Access Control Policy and Procedures
  Statement: [requirement text]
  Guidance: [implementation guidance]
  Enhancements: AC-1(1), AC-1(2)

Example Usage

When asked "What access control requirements are in this catalog?":

Parse the catalog
Filter controls where ID starts with "AC"
For each control:
- Extract ID and title
- Get statement text
- Note any enhancements
Report total count
List each control with key details

When asked "What controls are missing in this SSP?":

Parse the SSP
Identify the imported profile/baseline
Get required controls from baseline
Extract implemented controls from SSP
Compare lists
Report gaps with control IDs and titles