Agent-Skills.md

Agent Skills: Control Implementation Generator Skill

Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.

UncategorizedID: euCann/OSCAL-GRC-SKILLS/control-implementation-generator

Repository

euCann/OSCAL-GRC-SKILLS
euCannLicense: MIT
51

Install this agent skill to your local

pnpm dlx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/HEAD/skills/control-implementation-generator

Skill Files

Browse the full folder contents for control-implementation-generator.

Download Skill

Loading file tree…

skills/control-implementation-generator/SKILL.md

Skill Metadata

Name
control-implementation-generator
Description
Generate detailed control implementation guidance, technical steps, and implementation plans for OSCAL security controls. Use this skill to create implementation narratives, technical procedures, and deployment plans.

Control Implementation Generator Skill

Generate comprehensive implementation guidance, technical procedures, and deployment plans for security controls based on system context.

When to Use This Skill

Use this skill when you need to:

  • Create control implementation narratives for SSPs
  • Generate technical implementation steps
  • Build implementation timelines
  • Identify tools and resources needed
  • Create system-specific guidance

⛔ Authoritative Data Requirement

What Requires Authoritative Sources

| Requirement | Source Needed | |-------------|---------------| | Control text/definition | OSCAL catalog document | | Control parameters | Profile with parameter settings | | Baseline requirements | FedRAMP/NIST baseline profile | | Vendor-specific implementation | Vendor documentation |

What You CAN Generate (Templates & Methodology)

  • Narrative structure and format
  • Implementation approach patterns (based on user's stated technology)
  • Timeline templates
  • Effort estimation frameworks
  • General best practices for stated platforms

What You CANNOT Generate

  • Specific control requirement text (must cite from catalog)
  • Parameter values (must come from profile or organization)
  • Vendor configuration details without documentation
  • Compliance claims without evidence

Safe vs Unsafe Examples

✅ Safe: "For AC-2 in your AWS environment, the typical approach involves AWS IAM for identity management combined with..."

⛔ Unsafe: "AC-2 requires organizations to define and document account types within 30 days..." (← This specific requirement must come from the catalog)

If Control Definition Needed

To generate accurate implementation guidance for [control], I need:
• The control definition from your OSCAL catalog
• Your baseline profile (for parameter values)
• Your technology stack (you've stated: [tech])

I can provide implementation templates and patterns, but the specific
control requirements must come from your authoritative catalog.

Implementation Status Options

| Status | Description | SSP Usage | |--------|-------------|-----------| | Implemented | Fully in place | Describe how | | Partially Implemented | Some aspects complete | Describe what's done, what's remaining | | Planned | Scheduled for implementation | Describe timeline | | Alternative | Different approach meeting intent | Describe alternative | | Not Applicable | Control doesn't apply | Provide justification |

Implementation Methods

| Method | Description | When to Use | |--------|-------------|-------------| | Automated | Technology-enforced | Technical controls | | Manual | Human-performed | Procedural controls | | Hybrid | Combination | Complex controls | | Inherited | Provided by another system | Shared services |

System Types

| Type | Characteristics | Implementation Focus | |------|-----------------|---------------------| | Cloud Service | AWS, Azure, GCP | API, IAM, native tools | | On-Premises | Traditional datacenter | Network, physical | | Hybrid | Mixed environment | Integration, consistency | | SaaS | Software service | Configuration, access |

How to Generate Implementation Guidance

Step 1: Understand the Control

Parse the control requirement:

  1. Read the control statement
  2. Identify key requirements
  3. Note any parameters
  4. Review guidance section

Step 2: Assess System Context

Consider:

  • System type (cloud, on-prem, hybrid)
  • Technology stack
  • Existing capabilities
  • Organizational constraints

Step 3: Determine Implementation Method

Based on control type and system:

  • Technical controls → Automated
  • Policy controls → Manual/Hybrid
  • Shared services → Inherited

Step 4: Generate Implementation Steps

For each control, provide:

implementation:
  control_id: AC-2
  status: implemented
  method: hybrid
  
  description: |
    Account management is implemented through Azure Active Directory
    for identity management, combined with automated provisioning
    workflows and quarterly access reviews.
  
  technical_steps:
    - Configure Azure AD as identity provider
    - Implement automated user provisioning via SCIM
    - Configure access review campaigns (quarterly)
    - Enable Privileged Identity Management (PIM)
    - Set up termination automation via HR integration
  
  tools_required:
    - Azure Active Directory Premium P2
    - Azure AD Connect
    - ServiceNow (or HR system)
  
  responsible_roles:
    - IAM Administrator
    - HR Business Partner
    - Application Owners
  
  evidence:
    - Azure AD configuration export
    - Access review completion reports
    - Provisioning workflow documentation

Implementation Narrative Templates

For Policy Controls (e.g., AC-1)

[Organization] has developed, documented, and disseminated an 
access control policy that:
a. Addresses purpose, scope, roles, responsibilities, and compliance
b. Is consistent with applicable laws and regulations
c. Is reviewed and updated [frequency]

The policy is maintained in [location] and communicated to all 
personnel via [method]. The [role] is responsible for policy 
maintenance and updates.

For Technical Controls (e.g., IA-2)

The system implements multi-factor authentication through 
[solution] for all user access. Authentication factors include:
- Something you know: Password meeting complexity requirements
- Something you have: [Authenticator app / Hardware token / SMS]

Configuration: [Specific settings]
Enforcement: [How it's enforced]
Exceptions: [Any approved exceptions]

For Hybrid Controls (e.g., AC-2)

Account management is implemented through a combination of:

Technical Controls:
- [Identity system] manages user accounts
- Automated provisioning via [method]
- [Tool] enforces access policies

Procedural Controls:
- Access requests submitted via [process]
- Manager approval required for all access
- Quarterly access reviews conducted by [role]

Implementation Effort Estimation

| Complexity | Hours | Description | |------------|-------|-------------| | Low | 1-8 | Configuration change | | Medium | 8-40 | New tool/process | | High | 40-160 | Major implementation | | Very High | 160+ | Program-level effort |

Implementation Plan Structure

CONTROL IMPLEMENTATION PLAN
===========================
Control: CM-6 (Configuration Settings)
System: Production Web Environment
Timeline: Q2 2024

Phase 1: Planning (Week 1-2)
- Define baseline configurations
- Identify configuration management tools
- Create change management process

Phase 2: Implementation (Week 3-6)
- Deploy configuration management tool
- Apply baseline configurations
- Test and validate settings

Phase 3: Monitoring (Week 7-8)
- Configure drift detection
- Set up alerting
- Document procedures

Resources Required:
- Security Engineer: 40 hours
- Systems Administrator: 60 hours
- Tool licensing: [Cost]

Dependencies:
- CM-2 (Baseline Configuration) must be complete
- Change management process approved

Common Implementation Patterns

Cloud (AWS Example)

| Control | AWS Implementation | |---------|-------------------| | AC-2 | IAM + AWS SSO + Organizations | | AU-2 | CloudTrail + CloudWatch Logs | | CM-2 | Config Rules + Systems Manager | | SC-7 | VPC + Security Groups + WAF |

Azure Example

| Control | Azure Implementation | |---------|---------------------| | AC-2 | Azure AD + PIM | | AU-2 | Azure Monitor + Log Analytics | | CM-2 | Azure Policy + Automation | | SC-7 | NSG + Azure Firewall + Front Door |

Validation of Generated OSCAL

IMPORTANT: When generating OSCAL SSP control implementations (not just narratives), validate the output.

If Generating OSCAL Structured Data:

  1. Use Valid UUIDs

    • Generate RFC 4122 compliant UUIDs
    • Format: 550e8400-e29b-41d4-a716-446655440000
    • Ensure uniqueness within document

  2. Include Required Metadata

    {
  "metadata": {
    "title": "Control Implementation",
    "version": "1.0",
    "oscal-version": "1.2.0",
    "last-modified": "2026-01-27T00:00:00Z"
  }
}

  3. Validate Control References

    • All control-id values exist in baseline catalog
    • No invalid or deprecated control IDs

  4. Validate Status Values

    • Only use valid implementation-status values:
      • implemented
      • partial
      • planned
      • alternative
      • not-applicable

  5. Run Validation

    • Use oscal-validator skill to check structure
    • Use oscal-ssp-validator for SSP-specific validation
    • Fix any errors before providing to user

Example Usage

When asked "How should I implement IA-2 for a cloud system?":

  1. Parse IA-2 requirements (identification and authentication)
  2. Assess system type (cloud)
  3. Identify cloud-native options:
    • AWS: Cognito, IAM Identity Center
    • Azure: Azure AD, Conditional Access
    • GCP: Cloud Identity, IAP
  4. Generate implementation steps
  5. Specify MFA requirements
  6. Create implementation narrative
  7. Estimate effort and timeline
  8. If generating OSCAL: Validate output structure