Agent Skills: OSCAL Control Mapper Skill

Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.

Category: Uncategorized
ID: euCann/OSCAL-GRC-SKILLS/oscal-control-mapper

Install this agent skill to your local

pnpm dlx add-skill https://github.com/euCann/OSCAL-GRC-SKILLS/tree/HEAD/skills/oscal-control-mapper

Skill Files


skills/oscal-control-mapper/SKILL.md

Skill Metadata

Name
oscal-control-mapper
Description
Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.

OSCAL Control Mapper Skill

Create and analyze OSCAL 1.2.0 Control Mapping documents to establish formal, machine-readable relationships between security controls across different frameworks.

When to Use This Skill

Use this skill when you need to:

  • Map controls between different frameworks (NIST 800-53 ↔ ISO 27001)
  • Document control equivalencies and relationships
  • Identify gaps when transitioning between frameworks
  • Create harmonized control sets for multi-framework compliance
  • Generate mapping documentation for auditors
  • Analyze existing control mapping documents

⛔ Authoritative Data Requirement

Control mapping requires authoritative catalogs for both source and target frameworks.

What This Skill Does (Safe)

  • Creates OSCAL Control Mapping document structure
  • Defines relationship types (equal, subset, superset, intersects, not-equal)
  • Documents mapping rationale and notes
  • Validates mapping document structure

What Requires Authoritative Sources

| Element | Source Needed |
|---------|---------------|
| Source control IDs | Source catalog (e.g., NIST 800-53) |
| Target control IDs | Target catalog (e.g., ISO 27001) |
| Control text/requirements | Both catalogs |

When Creating Mappings

To create a control mapping, I need:

  • Source framework catalog (e.g., NIST 800-53 Rev 5)
  • Target framework catalog (e.g., ISO 27001:2022)
  • Your mapping analysis or documented equivalencies

I will NOT generate mappings from training data — only from authoritative sources.

What is the Control Mapping Model?

New in OSCAL 1.2.0 (December 2025), the Control Mapping model provides a standardized way to express relationships between controls in different frameworks.

Key Concepts

| Concept | Description |
|---------|-------------|
| Control Mapping | Document defining relationships between controls |
| Mapping Entry | Single relationship between source and target control(s) |
| Relationship Type | Nature of the mapping (equal, subset, superset, etc.) |
| Mapping Collection | Grouped set of related mappings |

Relationship Types

| Type | Description | Example |
|------|-------------|---------|
| equal | Controls are functionally equivalent | NIST AC-2 = ISO 27001 A.9.2.1 |
| subset | Source is narrower than target | NIST AC-2(1) ⊂ ISO 27001 A.9.2.1 |
| superset | Source is broader than target | NIST AC-2 ⊃ ISO 27001 A.9.2.1 |
| intersects | Partial overlap between controls | NIST SC-7 ∩ ISO 27001 A.13.1.1 |
| not-equal | Controls address different requirements | NIST AC-1 ≠ ISO 27001 A.5.1.1 |


Control Mapping Structure

control-mappings:
  uuid: [unique-id]
  metadata:
    title: "NIST 800-53 to ISO 27001 Mapping"
    version: "1.0"
    oscal-version: "1.2.0"
    last-modified: "2026-01-20T00:00:00Z"
  
  # Define the frameworks being mapped
  import-control-schemes:
    - href: "#nist-800-53-rev5"
      scheme: "nist-800-53-rev5"
    - href: "#iso-27001-2022"
      scheme: "iso-27001-2022"
  
  # Mapping entries
  control-mapping-set:
    - uuid: [set-uuid]
      title: "Access Control Mappings"
      description: "Mappings for access control requirements"
      
      control-mappings:
        - uuid: [mapping-uuid]
          source:
            control-id: "ac-2"
            scheme: "nist-800-53-rev5"
          
          target:
            - control-id: "a.9.2.1"
              scheme: "iso-27001-2022"
          
          relationship: "equal"
          
          remarks: |
            Both controls require account management procedures
            including creation, modification, and removal.

How to Create Control Mappings

Step 1: Obtain Required Catalogs

You need OSCAL catalogs for both frameworks:

  • Use the oscal-catalog-provider skill for NIST 800-53 and FedRAMP catalogs
  • Request ISO, CIS, or other framework catalogs from the user

Step 2: Define Mapping Document Metadata

{
  "control-mappings": {
    "uuid": "[generate-uuid]",
    "metadata": {
      "title": "Framework A to Framework B Control Mapping",
      "version": "1.0",
      "oscal-version": "1.2.0",
      "last-modified": "[current-date]",
      "roles": [
        {
          "id": "mapper",
          "title": "Control Mapping Analyst"
        }
      ],
      "parties": [
        {
          "uuid": "[party-uuid]",
          "type": "organization",
          "name": "Your Organization"
        }
      ]
    }
  }
}

Step 3: Import Control Schemes

Define the frameworks being mapped:

"import-control-schemes": [
  {
    "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
    "scheme": "nist-800-53-rev5"
  },
  {
    "href": "#iso-27001-catalog",
    "scheme": "iso-27001-2022"
  }
]

Step 4: Create Mapping Sets

Group related mappings logically:

"control-mapping-set": [
  {
    "uuid": "[set-uuid]",
    "title": "Access Control Mappings",
    "description": "Mappings for access control domain",
    "control-mappings": [
      // Individual mappings here
    ]
  }
]

Step 5: Define Individual Mappings

For each control relationship:

{
  "uuid": "[mapping-uuid]",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "equal",
  "remarks": "Both require account management lifecycle procedures"
}

Step 6: Handle Complex Mappings

One-to-Many Mapping

{
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.2",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset"
}

Many-to-One Mapping

Create separate mapping entries for each source control pointing to the same target.

Partial Coverage

{
  "source": {
    "control-id": "sc-7",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.13.1.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "intersects",
  "remarks": "NIST SC-7 covers boundary protection broadly; ISO A.13.1.1 focuses on network controls. Partial overlap."
}

Analyzing Existing Mappings

When analyzing a control mapping document:

Step 1: Parse the Document

Use the oscal-parser skill to read the mapping document.

Step 2: Validate Structure

CRITICAL: When generating control mappings, always validate:

  1. UUID Validation

    • All UUIDs are RFC 4122 compliant (format: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d)
    • No duplicate UUIDs within document
    • Never leave UUID placeholders like [generate-uuid] in output
  2. Control Reference Validation

    • All source control-id values exist in source catalog
    • All target control-id values exist in target catalog
    • No orphaned or invalid control references
  3. Relationship Type Validation

    • Only use valid relationship types: equal, subset, superset, intersects, not-equal
    • Relationship type matches actual control comparison
  4. Metadata Completeness

    • Required fields present: title, version, oscal-version, last-modified
    • OSCAL version is 1.2.0 (Control Mapping model introduced in 1.2.0)
  5. Schema Validation

    • Run oscal-validator skill on generated mapping document
    • Validate against OSCAL Control Mapping JSON schema: https://raw.githubusercontent.com/usnistgov/OSCAL/v1.2.0/json/schema/oscal_control-mappings_schema.json
  6. Structural Requirements

    • import-control-schemes includes both source and target
    • Each mapping entry has valid source and at least one target
    • Control mapping sets properly organized
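An added example (not the skill's own code) that implements checks 1, 2, 3 and 6 of this list in Python over the field layout shown on this page; the catalogs and the mapping document are constructed sample data, and schema validation (check 5) and metadata completeness (check 4) are left to the oscal-validator step.

```python
import re
# Version nibble 1-8 (RFC 4122 as extended by RFC 9562), variant nibble 8-b; "[placeholder]" fails too.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
VALID_RELATIONSHIPS = {"equal", "subset", "superset", "intersects", "not-equal"}
# Constructed catalogs: the control ids each scheme defines (sample data, not the real catalogs).
CATALOGS = {"nist-800-53-rev5": {"ac-1", "ac-2", "sc-7"},
            "iso-27001-2022": {"a.5.1.1", "a.9.2.1", "a.9.2.2", "a.13.1.1"}}
# Constructed document in the layout above, seeded with three defects: placeholder UUID, unknown ISO target id, bad relationship.
SAMPLE_DOC = {"control-mappings": {
    "uuid": "6f1c2a4e-9b3d-4c5e-8f70-1a2b3c4d5e6f",
    "metadata": {"title": "NIST 800-53 to ISO 27001 Mapping", "version": "1.0", "oscal-version": "1.2.0"},
    "import-control-schemes": [{"href": "#nist", "scheme": "nist-800-53-rev5"},
                               {"href": "#iso", "scheme": "iso-27001-2022"}],
    "control-mapping-set": [{"uuid": "0d9e8f7a-6b5c-4d3e-9f2a-1b0c9d8e7f6a", "title": "Access Control",
        "control-mappings": [
            {"uuid": "[mapping-uuid]", "source": {"control-id": "ac-2", "scheme": "nist-800-53-rev5"},
             "target": [{"control-id": "a.9.2.1", "scheme": "iso-27001-2022"}], "relationship": "equal"},
            {"uuid": "3c4d5e6f-7a8b-4c9d-8e0f-1a2b3c4d5e6f", "source": {"control-id": "sc-7", "scheme": "nist-800-53-rev5"},
             "target": [{"control-id": "a.13.1.9", "scheme": "iso-27001-2022"}], "relationship": "overlaps"}]}]}}

def validate_mapping_doc(doc, catalogs):  # returns a list of finding strings; [] means every check passed
    root = doc["control-mappings"]
    findings, seen = [], set()
    imported = {s["scheme"] for s in root.get("import-control-schemes", [])}
    def check_uuid(value, where):  # malformed values, bracket placeholders and repeats
        if not UUID_RE.match(str(value)):
            findings.append(f"{where}: invalid or placeholder uuid {value!r}")
        elif value in seen:
            findings.append(f"{where}: duplicate uuid {value}")
        seen.add(value)
    def check_ref(ref, where):  # scheme must be imported and the id must exist in its catalog
        scheme, cid = ref.get("scheme"), ref.get("control-id")
        if scheme not in imported:
            findings.append(f"{where}: scheme {scheme!r} not in import-control-schemes")
        elif cid not in catalogs.get(scheme, set()):
            findings.append(f"{where}: control-id {cid!r} not found in {scheme} catalog")
    check_uuid(root.get("uuid"), "document")
    for ms in root.get("control-mapping-set", []):
        check_uuid(ms.get("uuid"), f"set '{ms.get('title')}'")
        for m in ms.get("control-mappings", []):
            where = f"mapping {m.get('source', {}).get('control-id')}"
            check_uuid(m.get("uuid"), where)
            if not m.get("target"):
                findings.append(f"{where}: needs at least one target")
            for ref in [m.get("source", {}), *m.get("target", [])]:
                check_ref(ref, where)
            if m.get("relationship") not in VALID_RELATIONSHIPS:
                findings.append(f"{where}: invalid relationship {m.get('relationship')!r}")
    return findings
```

Running `validate_mapping_doc(SAMPLE_DOC, CATALOGS)` reports the three seeded defects; a document with real UUIDs, catalog-backed ids and a listed relationship type returns an empty list.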

Step 3: Generate Analysis Report

# Control Mapping Analysis

**Source:** NIST 800-53 Rev 5
**Target:** ISO 27001:2022
**Total Mappings:** 145

## Relationship Distribution

- Equal: 78 (53.8%)
- Subset: 23 (15.9%)
- Superset: 31 (21.4%)
- Intersects: 13 (9.0%)
- Not-equal: 0 (0%)

## Coverage Analysis

### NIST 800-53 Coverage
- Total controls: 323
- Mapped controls: 245 (75.9%)
- Unmapped controls: 78 (24.1%)

### ISO 27001 Coverage
- Total controls: 93
- Mapped controls: 89 (95.7%)
- Unmapped controls: 4 (4.3%)

## Gaps Identified

### Unmapped NIST Controls
- AC-25: Reference Monitor
- SC-47: Alternate Communications Paths
- [...]

### Unmapped ISO Controls
- A.6.1.1: Information Security Roles
- [...]

Step 4: Identify Mapping Quality Issues

| Issue | Description |
|-------|-------------|
| Orphaned mappings | References to non-existent control IDs |
| Bidirectional conflicts | A→B (equal) but B→A (subset) |
| Coverage gaps | Large numbers of unmapped controls |
| Relationship mismatches | Questionable relationship types |
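An added example, not part of the skill, showing how the relationship distribution and coverage figures of the Step 3 report and the bidirectional-conflict check in the table above can be computed; the mapping triples and catalog id sets are constructed sample data, and the inverse-relationship table is an assumption derived from the relationship type definitions on this page.

```python
from collections import Counter

# Relationship a reverse-direction mapping (target -> source) must carry to agree with the
# forward one; assumed from the relationship type definitions on this page.
INVERSE = {"equal": "equal", "subset": "superset", "superset": "subset",
           "intersects": "intersects", "not-equal": "not-equal"}

# Constructed sample data (not real analysis): catalog ids for each side, and mapping entries as
# (source_id, target_id, relationship) triples from two documents mapping in opposite directions.
NIST_IDS = {"ac-1", "ac-2", "ac-25", "sc-7", "sc-47"}
ISO_IDS = {"a.5.1.1", "a.6.1.1", "a.9.2.1", "a.9.2.2", "a.9.2.5", "a.13.1.1"}
FORWARD = [("ac-2", "a.9.2.1", "equal"), ("ac-2", "a.9.2.2", "superset"),
           ("ac-2", "a.9.2.5", "superset"), ("sc-7", "a.13.1.1", "intersects"),
           ("ac-1", "a.5.1.1", "not-equal")]
REVERSE = [("a.9.2.1", "ac-2", "subset"),        # conflicts with the forward "equal"
           ("a.9.2.2", "ac-2", "subset"),        # correct inverse of "superset"
           ("a.13.1.1", "sc-7", "intersects")]   # symmetric, so consistent

def relationship_distribution(mappings):
    """Count and percentage share of each relationship type, as in the analysis report."""
    counts = Counter(rel for _, _, rel in mappings)
    total = sum(counts.values())
    return {rel: (n, round(100 * n / total, 1)) for rel, n in counts.items()}

def coverage(mappings, catalog_ids, side):
    """Mapped and unmapped ids for the source (side=0) or target (side=1) catalog."""
    mapped = {m[side] for m in mappings} & catalog_ids
    pct = round(100 * len(mapped) / len(catalog_ids), 1) if catalog_ids else 0.0
    return {"mapped": sorted(mapped), "unmapped": sorted(catalog_ids - mapped), "percent": pct}

def bidirectional_conflicts(forward, reverse):
    """Control pairs whose reverse-direction relationship is not the inverse of the forward one.
    A pair mapped in only one direction is a coverage question, not a conflict."""
    rev = {(t, s): rel for s, t, rel in reverse}  # re-key by (forward source, forward target)
    return [(s, t, rel, rev[(s, t)]) for s, t, rel in forward
            if (s, t) in rev and rev[(s, t)] != INVERSE[rel]]
```

With the sample data, `bidirectional_conflicts(FORWARD, REVERSE)` flags only the AC-2 / A.9.2.1 pair (equal one way, subset the other), which is exactly the conflict pattern the table describes.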


Common Use Cases

1. Multi-Framework Compliance

Scenario: Organization must comply with both FedRAMP and ISO 27001.

Approach:

  1. Create mapping: FedRAMP Moderate → ISO 27001
  2. Identify overlapping controls (implement once)
  3. Identify ISO-only controls (additional requirements)
  4. Generate combined control set

2. Framework Migration

Scenario: Moving from NIST 800-53 Rev 4 → Rev 5.

Approach:

  1. Create mapping: Rev 4 → Rev 5
  2. Identify deprecated controls
  3. Identify new requirements
  4. Plan implementation updates

3. Vendor Control Correlation

Scenario: Map cloud provider controls to your baseline.

Approach:

  1. Import vendor component definition
  2. Create mapping: Vendor controls → NIST 800-53
  3. Identify responsibility model (inherited vs. hybrid vs. customer)
  4. Document coverage and gaps

4. Regulatory Harmonization

Scenario: Create unified control set for HIPAA, PCI-DSS, SOC 2.

Approach:

  1. Create mappings for each framework pair
  2. Identify common control core
  3. Document framework-specific additions
  4. Generate harmonized control catalog

Output Format

Mapping Summary Report

CONTROL MAPPING SUMMARY
=======================
Document: nist-to-iso-mapping.json
Source: NIST 800-53 Rev 5 (323 controls)
Target: ISO 27001:2022 (93 controls)
Version: 1.0
Last Updated: 2026-01-20

MAPPING STATISTICS
------------------
Total Mappings: 145
• Equal: 78 (53.8%)
• Subset: 23 (15.9%)
• Superset: 31 (21.4%)
• Intersects: 13 (9.0%)

COVERAGE
--------
Source Coverage: 245/323 (75.9%)
Target Coverage: 89/93 (95.7%)

TOP GAPS
--------
Unmapped Source Controls: 78
• Access Control: 12
• System Communications: 15
• Supply Chain: 8
[...]

Unmapped Target Controls: 4
• A.6.1.1, A.7.1.1, A.8.2.1, A.15.1.1

QUALITY
-------
✓ No orphaned references
✓ All UUIDs unique
⚠ 3 potential bidirectional conflicts detected

Example Mapping Entry

{
  "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.5",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset",
  "props": [
    {
      "name": "mapping-confidence",
      "value": "high"
    }
  ],
  "remarks": "NIST AC-2 comprehensively covers account management including provisioning (ISO A.9.2.1) and privileged access (ISO A.9.2.5). The NIST control is broader in scope."
}

Best Practices

  1. Document Rationale: Always include remarks explaining mapping decisions
  2. Use Authoritative Sources: Never map from memory or training data
  3. Validate Bidirectionally: Check mappings make sense from both perspectives
  4. Review Coverage: Identify and document gaps explicitly
  5. Version Control: Track mapping versions as frameworks evolve
  6. Expert Review: Have subject matter experts validate critical mappings
  7. Maintain Consistency: Use consistent relationship type definitions
  8. Update Regularly: Review when frameworks release new versions
  9. Always Validate Output: Run validation checks before delivering mapping documents
  10. Use Valid UUIDs: Generate proper RFC 4122 UUIDs, never use placeholders

Integration with Other Skills

| Skill | Use With Control Mapper |
|-------|-------------------------|
| oscal-catalog-provider | Fetch source/target catalogs |
| oscal-parser | Read existing mapping documents |
| oscal-validator | Validate mapping document structure |
| control-implementation-generator | Generate unified implementation guidance |
| compliance-report-generator | Report on multi-framework compliance |
| gap-analyzer | Identify coverage gaps |


Limitations

  • Semantic Understanding: Mappings require human judgment; AI cannot definitively declare controls "equal"
  • Framework Updates: Mappings become stale when frameworks are revised
  • Context Dependency: Mapping appropriateness may vary by organizational context
  • Tool Support: OSCAL 1.2.0 Control Mapping model is new; tool support is emerging

Error Handling

| Error | Cause | Solution |
|-------|-------|----------|
| Invalid control-id | Control doesn't exist in catalog | Verify against authoritative catalog |
| Unknown scheme | Framework not recognized | Use standard scheme identifiers |
| Relationship conflict | Bidirectional mappings inconsistent | Review and reconcile relationships |
| Missing catalog | import-control-schemes href broken | Provide valid catalog references |


Additional Resources


Version History

  • v1.0 (2026-01-20) - Initial skill for OSCAL 1.2.0 Control Mapping model