compliance-oscal-validator_skill

This skill validates OSCAL SSP documents against schemas, profiles, and cross-references to ensure compliant, auditable results.
  • Python

5

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill williamzujkowski/cognitive-toolworks --skill compliance-oscal-validator

  • CHANGELOG.md1.0 KB
  • SKILL.md9.6 KB

Overview

This skill validates OSCAL System Security Plan (SSP) documents across three tiered depths: fast schema checks, profile alignment, and deep cross-reference audits. It accepts JSON, XML, or YAML SSPs, detects OSCAL version, and emits a structured JSON report with actionable errors, warnings, and remediation suggestions. The validator supports strict and permissive modes and records citation and timestamp metadata for auditability.

How this skill works

The validator parses the SSP format, extracts metadata/oscal-version, and selects the appropriate schema for format-specific validation (JSON Schema or XSD). For profile-enabled runs it resolves the profile, compares required controls and parameters to control implementations, and computes a coverage score. For deep audits it validates internal UUID references, component mappings, link integrity, and generates rationale with fix suggestions; strict mode enforces harsher failure rules.

When to use it

  • You have an SSP in JSON/XML/YAML and need schema compliance checks.
  • Before submitting SSPs for FedRAMP or other compliance reviews.
  • Integrating SSP validation into CI/CD or automated compliance pipelines.
  • Debugging or QA for tools that author or transform SSP documents.
  • When you need tiered validation depth from quick checks to comprehensive audits.

Best practices

  • Ensure ssp_path is reachable and uses HTTPS for remote files; check read permissions for local files.
  • Specify profile only when you require control alignment; otherwise use Tier 1 for speed.
  • Use strict=true for pre-submission audits and strict=false for iterative authoring.
  • Keep OSCAL schema versions pinned; warn if document version is outside supported range.
  • Sanitize outputs to avoid leaking directory paths or secrets in reports.

Example use cases

  • Tier 1: Quick schema validation of a generated my-ssp.json before commit.
  • Tier 2: Validate SSP against an agency profile to identify missing control implementations and parameter gaps.
  • Tier 3: Full audit for a FedRAMP package including component cross-reference validation and link/url integrity checks.
  • CI pipeline gate: run Tier 1 on pull requests and escalate to Tier 2/3 on release builds.
  • Authoring tool debug: surface first three schema errors to speed up fixes.

FAQ

JSON, XML, and YAML SSP documents; format is auto-detected by extension or MIME type.

When should I use each tier?

Use Tier 1 for fast schema-only checks, Tier 2 when a profile is specified or control coverage is needed, and Tier 3 for comprehensive audits or strict pre-submission validation.

What does strict mode change?

strict=true treats profile gaps and unreachable external URLs as failures instead of warnings and enforces stricter cross-reference tolerance.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
compliance-oscal-validator skill by williamzujkowski/cognitive-toolworks | VeilStrat