Claude-skill-registry oscal-control-mapper
Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.
```bash
git clone https://github.com/majiayu000/claude-skill-registry
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/control-mapper" ~/.claude/skills/majiayu000-claude-skill-registry-oscal-control-mapper && rm -rf "$T"
```
skills/data/control-mapper/SKILL.md

OSCAL Control Mapper Skill
Create and analyze OSCAL 1.2.0 Control Mapping documents to establish formal, machine-readable relationships between security controls across different frameworks.
When to Use This Skill
Use this skill when you need to:
- Map controls between different frameworks (NIST 800-53 ↔ ISO 27001)
- Document control equivalencies and relationships
- Identify gaps when transitioning between frameworks
- Create harmonized control sets for multi-framework compliance
- Generate mapping documentation for auditors
- Analyze existing control mapping documents
⛔ Authoritative Data Requirement
Control mapping requires authoritative catalogs for both source and target frameworks.
What This Skill Does (Safe)
- Creates OSCAL Control Mapping document structure
- Defines relationship types (equal, subset, superset, intersects, not-equal)
- Documents mapping rationale and notes
- Validates mapping document structure
What Requires Authoritative Sources
| Element | Source Needed |
|---|---|
| Source control IDs | Source catalog (e.g., NIST 800-53) |
| Target control IDs | Target catalog (e.g., ISO 27001) |
| Control text/requirements | Both catalogs |
When Creating Mappings
To create a control mapping, I need:
- Source framework catalog (e.g., NIST 800-53 Rev 5)
- Target framework catalog (e.g., ISO 27001:2022)
- Your mapping analysis or documented equivalencies

I will NOT generate mappings from training data — only from authoritative sources.
What is the Control Mapping Model?
New in OSCAL 1.2.0 (December 2025), the Control Mapping model provides a standardized way to express relationships between controls in different frameworks.
Key Concepts
| Concept | Description |
|---|---|
| Control Mapping | Document defining relationships between controls |
| Mapping Entry | Single relationship between source and target control(s) |
| Relationship Type | Nature of the mapping (equal, subset, superset, etc.) |
| Mapping Collection | Grouped set of related mappings |
Relationship Types
| Type | Description | Example |
|---|---|---|
| equal | Controls are functionally equivalent | NIST AC-2 = ISO 27001 A.9.2.1 |
| subset | Source is narrower than target | NIST AC-2(1) ⊂ ISO 27001 A.9.2.1 |
| superset | Source is broader than target | NIST AC-2 ⊃ ISO 27001 A.9.2.1 |
| intersects | Partial overlap between controls | NIST SC-7 ∩ ISO 27001 A.13.1.1 |
| not-equal | Controls address different requirements | NIST AC-1 ≠ ISO 27001 A.5.1.1 |
Control Mapping Structure
```yaml
control-mappings:
  uuid: [unique-id]
  metadata:
    title: "NIST 800-53 to ISO 27001 Mapping"
    version: "1.0"
    oscal-version: "1.2.0"
    last-modified: "2026-01-20T00:00:00Z"

  # Define the frameworks being mapped
  import-control-schemes:
    - href: "#nist-800-53-rev5"
      scheme: "nist-800-53-rev5"
    - href: "#iso-27001-2022"
      scheme: "iso-27001-2022"

  # Mapping entries
  control-mapping-set:
    - uuid: [set-uuid]
      title: "Access Control Mappings"
      description: "Mappings for access control requirements"
      control-mappings:
        - uuid: [mapping-uuid]
          source:
            control-id: "ac-2"
            scheme: "nist-800-53-rev5"
          target:
            - control-id: "a.9.2.1"
              scheme: "iso-27001-2022"
          relationship: "equal"
          remarks: |
            Both controls require account management procedures
            including creation, modification, and removal.
```
How to Create Control Mappings
Step 1: Obtain Required Catalogs
You need OSCAL catalogs for both frameworks:
- Use the oscal-catalog-provider skill for NIST 800-53, FedRAMP
- Request ISO, CIS, or other framework catalogs from the user
Step 2: Define Mapping Document Metadata
```json
{
  "control-mappings": {
    "uuid": "[generate-uuid]",
    "metadata": {
      "title": "Framework A to Framework B Control Mapping",
      "version": "1.0",
      "oscal-version": "1.2.0",
      "last-modified": "[current-date]",
      "roles": [
        { "id": "mapper", "title": "Control Mapping Analyst" }
      ],
      "parties": [
        { "uuid": "[party-uuid]", "type": "organization", "name": "Your Organization" }
      ]
    }
  }
}
```
Step 3: Import Control Schemes
Define the frameworks being mapped:
```json
"import-control-schemes": [
  {
    "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
    "scheme": "nist-800-53-rev5"
  },
  {
    "href": "#iso-27001-catalog",
    "scheme": "iso-27001-2022"
  }
]
```
Step 4: Create Mapping Sets
Group related mappings logically:
```json
"control-mapping-set": [
  {
    "uuid": "[set-uuid]",
    "title": "Access Control Mappings",
    "description": "Mappings for access control domain",
    "control-mappings": [
      // Individual mappings here
    ]
  }
]
```
Step 5: Define Individual Mappings
For each control relationship:
```json
{
  "uuid": "[mapping-uuid]",
  "source": { "control-id": "ac-2", "scheme": "nist-800-53-rev5" },
  "target": [
    { "control-id": "a.9.2.1", "scheme": "iso-27001-2022" }
  ],
  "relationship": "equal",
  "remarks": "Both require account management lifecycle procedures"
}
```
Step 6: Handle Complex Mappings
One-to-Many Mapping
```json
{
  "source": { "control-id": "ac-2", "scheme": "nist-800-53-rev5" },
  "target": [
    { "control-id": "a.9.2.1", "scheme": "iso-27001-2022" },
    { "control-id": "a.9.2.2", "scheme": "iso-27001-2022" }
  ],
  "relationship": "superset"
}
```
Many-to-One Mapping
Create separate mapping entries for each source control pointing to the same target.
Partial Coverage
```json
{
  "source": { "control-id": "sc-7", "scheme": "nist-800-53-rev5" },
  "target": [
    { "control-id": "a.13.1.1", "scheme": "iso-27001-2022" }
  ],
  "relationship": "intersects",
  "remarks": "NIST SC-7 covers boundary protection broadly; ISO A.13.1.1 focuses on network controls. Partial overlap."
}
```
Analyzing Existing Mappings
When analyzing a control mapping document:
Step 1: Parse the Document
Use the oscal-parser skill to read the mapping document.
Step 2: Validate Structure
- Confirm all source and target control IDs exist in referenced catalogs
- Check relationship types are valid
- Verify UUIDs are unique
Step 3: Generate Analysis Report
```markdown
# Control Mapping Analysis

**Source:** NIST 800-53 Rev 5
**Target:** ISO 27001:2022
**Total Mappings:** 145

## Relationship Distribution
- Equal: 78 (53.8%)
- Subset: 23 (15.9%)
- Superset: 31 (21.4%)
- Intersects: 13 (9.0%)
- Not-equal: 0 (0%)

## Coverage Analysis

### NIST 800-53 Coverage
- Total controls: 323
- Mapped controls: 245 (75.9%)
- Unmapped controls: 78 (24.1%)

### ISO 27001 Coverage
- Total controls: 93
- Mapped controls: 89 (95.7%)
- Unmapped controls: 4 (4.3%)

## Gaps Identified

### Unmapped NIST Controls
- AC-25: Reference Monitor
- SC-47: Alternate Communications Paths
- [...]

### Unmapped ISO Controls
- A.6.1.1: Information Security Roles
- [...]
```
Step 4: Identify Mapping Quality Issues
| Issue | Description |
|---|---|
| Orphaned mappings | References to non-existent control IDs |
| Bidirectional conflicts | A→B (equal) but B→A (subset) |
| Coverage gaps | Large numbers of unmapped controls |
| Relationship mismatches | Questionable relationship types |
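As an added example (not part of the skill), the following Python checker implements analysis steps 2 through 4 over a constructed mapping document in the structure shown above, using constructed catalog ID sets in place of real catalogs; the rule that a reverse mapping B→A must carry the inverse relationship of A→B is an assumption used to detect bidirectional conflicts.

```python
from collections import Counter

# Relationship vocabulary from the skill text, mapped to the relationship the reverse
# mapping B->A should carry if A->B holds (this inverse rule is an assumption).
INVERSE = {"equal": "equal", "subset": "superset", "superset": "subset",
           "intersects": "intersects", "not-equal": "not-equal"}

# Constructed sample: the control IDs each referenced catalog is assumed to contain.
CATALOGS = {"nist-800-53-rev5": {"ac-1", "ac-2", "ac-2.1", "sc-7"},
            "iso-27001-2022": {"a.5.1.1", "a.9.2.1", "a.9.2.2", "a.13.1.1"}}

# Constructed sample mapping document, deliberately seeded with one defect of each kind.
SAMPLE_DOC = {"control-mappings": {"uuid": "doc-1", "control-mapping-set": [{"uuid": "set-1", "control-mappings": [
    {"uuid": "m-1", "source": {"control-id": "ac-2", "scheme": "nist-800-53-rev5"},
     "target": [{"control-id": "a.9.2.1", "scheme": "iso-27001-2022"}], "relationship": "equal"},
    {"uuid": "m-2", "source": {"control-id": "a.9.2.1", "scheme": "iso-27001-2022"},  # reverse of m-1, not its inverse
     "target": [{"control-id": "ac-2", "scheme": "nist-800-53-rev5"}], "relationship": "subset"},
    {"uuid": "m-2", "source": {"control-id": "sc-7", "scheme": "nist-800-53-rev5"},  # duplicate UUID
     "target": [{"control-id": "a.13.1.1", "scheme": "iso-27001-2022"}], "relationship": "intersects"},
    {"uuid": "m-4", "source": {"control-id": "ac-99", "scheme": "nist-800-53-rev5"},  # orphan + unknown type
     "target": [{"control-id": "a.9.2.2", "scheme": "iso-27001-2022"}], "relationship": "overlaps"},
]}]}}

def analyze(doc, catalogs):
    """Run the structure checks and quality-issue detection for one mapping document."""
    entries = [m for s in doc["control-mappings"]["control-mapping-set"] for m in s["control-mappings"]]
    findings = {"orphans": [], "bad_relationship": [], "conflicts": []}
    uuid_counts = Counter(m["uuid"] for m in entries)
    findings["duplicate_uuids"] = sorted(u for u, n in uuid_counts.items() if n > 1)
    mapped = {scheme: set() for scheme in catalogs}  # resolvable control IDs touched, per scheme
    pairs = {}                                        # (source, target) -> relationship
    for m in entries:
        rel = m.get("relationship")
        if rel not in INVERSE:
            findings["bad_relationship"].append((m["uuid"], rel))
        for ref in [m["source"]] + m["target"]:
            if ref["control-id"] in catalogs.get(ref["scheme"], set()):
                mapped[ref["scheme"]].add(ref["control-id"])
            else:  # orphaned mapping: control ID missing from the referenced catalog
                findings["orphans"].append((m["uuid"], ref["scheme"], ref["control-id"]))
        src = (m["source"]["scheme"], m["source"]["control-id"])
        for t in m["target"]:
            pairs[(src, (t["scheme"], t["control-id"]))] = rel
    # Bidirectional conflict: A->B and B->A both present, but B->A is not the inverse of A->B.
    for (a, b), rel in pairs.items():
        back = pairs.get((b, a))
        if back is not None and INVERSE.get(rel) != back:
            findings["conflicts"].append((a[1], b[1], rel, back))
    findings["coverage"] = {s: (len(mapped[s]), len(ids)) for s, ids in catalogs.items()}
    findings["distribution"] = dict(Counter(m.get("relationship") for m in entries))
    return findings
```

Each conflicting pair is reported once per direction, so a single inconsistent A↔B pair yields two entries in `conflicts`.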
Common Use Cases
1. Multi-Framework Compliance
Scenario: Organization must comply with both FedRAMP and ISO 27001.
Approach:
- Create mapping: FedRAMP Moderate → ISO 27001
- Identify overlapping controls (implement once)
- Identify ISO-only controls (additional requirements)
- Generate combined control set
2. Framework Migration
Scenario: Moving from NIST 800-53 Rev 4 → Rev 5.
Approach:
- Create mapping: Rev 4 → Rev 5
- Identify deprecated controls
- Identify new requirements
- Plan implementation updates
3. Vendor Control Correlation
Scenario: Map cloud provider controls to your baseline.
Approach:
- Import vendor component definition
- Create mapping: Vendor controls → NIST 800-53
- Identify responsibility model (inherited vs. hybrid vs. customer)
- Document coverage and gaps
4. Regulatory Harmonization
Scenario: Create unified control set for HIPAA, PCI-DSS, SOC 2.
Approach:
- Create mappings for each framework pair
- Identify common control core
- Document framework-specific additions
- Generate harmonized control catalog
Output Format
Mapping Summary Report
```text
CONTROL MAPPING SUMMARY
=======================
Document: nist-to-iso-mapping.json
Source: NIST 800-53 Rev 5 (323 controls)
Target: ISO 27001:2022 (93 controls)
Version: 1.0
Last Updated: 2026-01-20

MAPPING STATISTICS
------------------
Total Mappings: 145
• Equal: 78 (53.8%)
• Subset: 23 (15.9%)
• Superset: 31 (21.4%)
• Intersects: 13 (9.0%)

COVERAGE
--------
Source Coverage: 245/323 (75.9%)
Target Coverage: 89/93 (95.7%)

TOP GAPS
--------
Unmapped Source Controls: 78
• Access Control: 12
• System Communications: 15
• Supply Chain: 8
[...]

Unmapped Target Controls: 4
• A.6.1.1, A.7.1.1, A.8.2.1, A.15.1.1

QUALITY
-------
✓ No orphaned references
✓ All UUIDs unique
⚠ 3 potential bidirectional conflicts detected
```
Example Mapping Entry
```json
{
  "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
  "source": { "control-id": "ac-2", "scheme": "nist-800-53-rev5" },
  "target": [
    { "control-id": "a.9.2.1", "scheme": "iso-27001-2022" },
    { "control-id": "a.9.2.5", "scheme": "iso-27001-2022" }
  ],
  "relationship": "superset",
  "props": [
    { "name": "mapping-confidence", "value": "high" }
  ],
  "remarks": "NIST AC-2 comprehensively covers account management including provisioning (ISO A.9.2.1) and privileged access (ISO A.9.2.5). The NIST control is broader in scope."
}
```
Best Practices
- Document Rationale: Always include remarks explaining mapping decisions
- Use Authoritative Sources: Never map from memory or training data
- Validate Bidirectionally: Check mappings make sense from both perspectives
- Review Coverage: Identify and document gaps explicitly
- Version Control: Track mapping versions as frameworks evolve
- Expert Review: Have subject matter experts validate critical mappings
- Maintain Consistency: Use consistent relationship type definitions
- Update Regularly: Review when frameworks release new versions
Integration with Other Skills
| Skill | Use With Control Mapper |
|---|---|
| oscal-catalog-provider | Fetch source/target catalogs |
| oscal-parser | Read existing mapping documents |
| | Validate mapping document structure |
| | Generate unified implementation guidance |
| | Report on multi-framework compliance |
| | Identify coverage gaps |
Limitations
- Semantic Understanding: Mappings require human judgment; AI cannot definitively declare controls "equal"
- Framework Updates: Mappings become stale when frameworks are revised
- Context Dependency: Mapping appropriateness may vary by organizational context
- Tool Support: OSCAL 1.2.0 Control Mapping model is new; tool support is emerging
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Invalid control-id | Control doesn't exist in catalog | Verify against authoritative catalog |
| Unknown scheme | Framework not recognized | Use standard scheme identifiers |
| Relationship conflict | Bidirectional mappings inconsistent | Review and reconcile relationships |
| Missing catalog | import-control-schemes href broken | Provide valid catalog references |
Additional Resources
- OSCAL Control Mapping Model Specification
- NIST SP 800-53B - Control Baselines
- ISO/IEC 27001:2022 - Information Security Management
- NIST-to-ISO Official Mapping (if available)
Version History
- v1.0 (2026-01-20) - Initial skill for OSCAL 1.2.0 Control Mapping model