From oscal
Guides OSCAL document selection (SSP, Profile, AR, POA&M), authoring, validation error fixes, schema versioning, and integrations with FedRAMP, eMASS, Compliance Trestle.
npx claudepluginhub grcengclub/claude-grc-engineering --plugin oscal
How this skill is triggered — by the user, by Claude, or both
Slash command
/oscal:oscal-expert
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are the guide for OSCAL document authoring, validation, and conversion in this plugin. Your job:
oscal validate errors and propose fixes.
/grc-engineer:gap-assessment --output=oscal-ar, the fedramp-ssp plugin, and downstream tools like Compliance Trestle, eMASS, and FedRAMP 20X.

OSCAL defines seven document types, all interlinked by UUID references:
```
catalog   → list of controls (e.g., NIST 800-53)
   ▲
   │ imports
profile   → baseline (a set of catalog controls + tailoring, e.g., FedRAMP Moderate)
   ▲
   │ imports
ssp       → System Security Plan: how *this* system implements the profile
   ▲
   │ imports-ssp
ap        → Assessment Plan: what the assessor will test
   │
   ▼
ar        → Assessment Results: findings + observations from executing the AP
   │
   ▼
poam      → Plan of Action and Milestones: remediation schedule for failed findings

component-definition → reusable "this is how this product implements controls" catalog
```
/grc-engineer:gap-assessment --output=oscal-ar produces AR-shaped output.

| Error | Meaning | Fix |
|---|---|---|
| required property 'uuid' missing | every OSCAL object needs a UUID | generate with uuidgen and insert |
| instance type (X) does not match schema type (Y) | wrong data type — usually a string vs array | check schema docs for that field |
| enum value not allowed | you've used a value outside the allowed set (e.g. implementation-status) | consult nist.gov/OSCAL/concepts/ for the valid set |
| additional property not allowed | FedRAMP/vendor namespacing required | use props with an ns URI, e.g. ns: "https://fedramp.gov/ns/oscal" |
| oscal-version mismatch | your document says 1.0 but oscal-cli validates against 1.1.3 | update oscal-version to 1.1.3 |
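
The errors in the table that can be caught without the schema (a missing root uuid, an oscal-version mismatch), plus malformed or duplicate UUIDs, as an added Python example that is not part of this plugin or oscal-cli. The names `precheck` and `apply_table_fixes`, the sample document, and the choice to test only the root object for a missing uuid are assumptions of this example.

```python
import re
import uuid

# JSON root keys of the seven OSCAL document types.
ROOT_KEYS = {"catalog", "profile", "component-definition", "system-security-plan",
             "assessment-plan", "assessment-results", "plan-of-action-and-milestones"}
# RFC 4122 version 4 or 5 UUID, the shape OSCAL's uuid datatype accepts.
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[45][0-9A-Fa-f]{3}-"
                     r"[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$")
# Constructed sample: SSP with no root uuid, declaring 1.0 as in the table's example.
SAMPLE = {"system-security-plan": {"metadata": {"title": "Demo", "oscal-version": "1.0"}}}

def _uuids(node, path="$"):
    """Yield (path, value) for every 'uuid' key in the document tree."""
    if isinstance(node, dict):
        if "uuid" in node:
            yield f"{path}.uuid", node["uuid"]
        for key, val in node.items():
            yield from _uuids(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _uuids(item, f"{path}[{i}]")

def precheck(doc, validator_version="1.1.3"):
    """Return findings for errors from the table that need no schema to detect."""
    roots = [k for k in doc if k in ROOT_KEYS]
    if len(roots) != 1:
        return ["no single OSCAL root object found"]
    body, findings, seen = doc[roots[0]], [], {}
    if "uuid" not in body:
        findings.append(f"$.{roots[0]}: required property 'uuid' missing")
    declared = body.get("metadata", {}).get("oscal-version")
    if declared != validator_version:
        findings.append(f"oscal-version mismatch: {declared!r} vs {validator_version}")
    for path, val in _uuids(doc):
        if not (isinstance(val, str) and UUID_RE.match(val)):
            findings.append(f"{path}: not a v4/v5 UUID string")
        elif val.lower() in seen:  # UUIDs link documents, so each must be unique
            findings.append(f"{path}: duplicates {seen[val.lower()]}")
        else:
            seen[val.lower()] = path
    return findings

def apply_table_fixes(doc, validator_version="1.1.3"):
    """Apply the two mechanical fixes: insert a root UUID, align oscal-version."""
    body = doc[next(k for k in doc if k in ROOT_KEYS)]
    body.setdefault("uuid", str(uuid.uuid4()))
    body.setdefault("metadata", {})["oscal-version"] = validator_version
    return doc
```

Type, enum and additional-property errors depend on the schema, so the document still goes through /oscal:validate afterwards.
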
/grc-engineer:gap-assessment --output=oscal-ar → emits minimal OSCAL Assessment Results. Validate with /oscal:validate; convert to XML for Compliance Trestle with /oscal:convert.
fedramp-ssp plugin → takes FedRAMP DOCX SSP templates and produces OSCAL 1.2.0 SSP JSON. Pipe to /oscal:validate before delivering to your FedRAMP PMO.
ethanolivertroy/compliance-trestle-skills): IBM's OSCAL authoring toolchain. This plugin's output is designed to round-trip through Trestle.

The bundled schema in oscal-cli is 1.1.3. frdocx-to-froscal-ssp produces 1.2.0. These are schema-compatible for the SSP subset used, but declare "oscal-version": "1.1.3" in output if you need strict 1.1.3 compliance, or call /oscal:setup --from-source to get the latest schema bundle.
fedramp-ssp plugin.