Advanced OSCAL Validator Skill
Perform comprehensive OSCAL document validation using advanced patterns inspired by community tools including IBM Trestle, oscal-pydantic, and Defense Unicorns' Lula.
When to Use This Skill
Use this skill when you need to:
- Perform thorough validation beyond basic structure
- Validate against NIST OSCAL JSON schemas
- Check business rules and best practices
- Validate cross-references and links
- Ensure FedRAMP-specific requirements are met
⛔ Authoritative Data Requirement
Validation checks user-provided documents against structural rules.
What This Skill Does (Safe)
- Validates OSCAL structure and syntax
- Checks UUID formats and references
- Verifies required fields are present
- Confirms cross-references resolve
- Applies business rule logic to YOUR document
What Requires Authoritative Sources
| Validation Type | Requires | |-----------------|----------| | Baseline completeness | The baseline profile being validated against | | Control reference validation | The catalog that controls reference | | FedRAMP-specific rules | FedRAMP baseline |
For Baseline Validation
To validate SSP completeness against a baseline, I need both:
1. Your SSP document (provided)
2. The baseline profile it should meet (e.g., FedRAMP Moderate)
I cannot determine if controls are missing without the authoritative baseline.
Validation Levels
| Level | Description | Checks | |-------|-------------|--------| | Schema | JSON schema compliance | Structure, types, required fields | | Semantic | Business logic | UUIDs, references, dates | | Quality | Best practices | Completeness, clarity | | Framework | FedRAMP/NIST specific | Baseline compliance |
Advanced Validation Categories
Schema Validation
Validate against official NIST OSCAL JSON schemas:
- Catalog schema
- Profile schema
- SSP schema
- Component definition schema
- Assessment schemas
UUID Validation
- Format: RFC 4122 compliant
- Uniqueness: No duplicates within document
- References: All UUID refs resolve
Cross-Reference Validation
- Control references exist in imported catalogs
- Party references resolve within document
- Component references are valid
- Resource links are accessible
Business Rule Validation
| Rule | Description | |------|-------------| | BIZ-001 | SSP must import a profile | | BIZ-002 | All baseline controls must be addressed | | BIZ-003 | Implementation status required for each control | | BIZ-004 | Responsible parties must be defined | | BIZ-005 | System characteristics must be complete |
FedRAMP-Specific Validation
- All required control families present
- POA&M references valid
- Required attachments present
- Naming conventions followed
Validation Report Structure
ADVANCED VALIDATION REPORT
==========================
Document: ssp.json
Type: System Security Plan
Schema Version: 1.2.0
Validation Date: 2024-01-15
SUMMARY
-------
Schema Valid: ✅ Yes
Semantically Valid: ⚠️ Warnings
Quality Score: 85/100
SCHEMA VALIDATION
-----------------
Status: PASS
- Structure: Valid
- Required Fields: All present
- Data Types: Correct
UUID VALIDATION
---------------
Total UUIDs: 245
Unique: 245 ✅
Invalid Format: 0 ✅
Orphaned References: 2 ⚠️
- #uuid-abc123 not found
- #uuid-def456 not found
CROSS-REFERENCE VALIDATION
--------------------------
Control References: 320/325 valid
Missing: AC-1(1), CM-7(1), SI-4(2), ...
Party References: 12/12 valid ✅
Component References: 45/45 valid ✅
BUSINESS RULES
--------------
✅ BIZ-001: Profile imported
⚠️ BIZ-002: 5 controls not addressed
✅ BIZ-003: All have implementation status
✅ BIZ-004: Responsible parties defined
⚠️ BIZ-005: System boundary incomplete
QUALITY CHECKS
--------------
- Implementation narratives: 95% complete
- Evidence references: 80% complete
- Parameter values: 100% set
- Remarks clarity: Good
RECOMMENDATIONS
---------------
1. Add missing control implementations
2. Resolve orphaned UUID references
3. Complete system boundary description
How to Perform Advanced Validation
Step 1: Schema Validation
- Identify document type from root element
- Fetch appropriate NIST schema
- Validate document against schema
- Collect all schema violations
Step 2: UUID Analysis
- Extract all UUIDs from document
- Validate format (8-4-4-4-12 hex)
- Check for duplicates
- Build reference graph
- Find orphaned references
Step 3: Cross-Reference Check
- Extract all internal references (#uuid-...)
- Extract all control-id references
- Resolve each reference
- Report unresolved references
Step 4: Business Rule Evaluation
Apply business rules based on document type:
For SSP:
- Verify profile import exists
- Check all baseline controls addressed
- Validate implementation statements present
- Confirm responsible parties assigned
For Component Definition:
- Verify component has title
- Check control implementations reference valid controls
- Validate capability descriptions
Step 5: Quality Assessment
Score based on:
- Completeness of narratives
- Presence of evidence references
- Parameter value coverage
- Clarity and specificity
Validation Patterns from Community
From IBM Trestle
- Workspace-based validation
- Model assembly validation
- Profile resolution checking
From oscal-pydantic
- Type-safe validation
- Field-level constraints
- Nested object validation
From Lula
- Control validation automation
- Policy-as-code patterns
- Continuous validation
Common Validation Issues
| Issue | Severity | Fix | |-------|----------|-----| | Missing metadata.title | ERROR | Add title | | Invalid UUID format | ERROR | Regenerate UUID | | Orphaned reference | WARNING | Update or remove | | Missing implementation | WARNING | Add narrative | | Empty remarks | INFO | Add context |
Example Usage
When asked "Thoroughly validate this SSP":
- Parse the SSP document
- Validate against OSCAL SSP schema
- Check all UUIDs for format and uniqueness
- Resolve all cross-references
- Apply SSP business rules
- Score quality metrics
- Generate comprehensive validation report
- Provide prioritized fix recommendations