Agent Skill
2/7/2026

oscal-control-mapper

Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.

Author: eucann
Install: npx skills add euCann/OSCAL-GRC-SKILLS

SKILL.md

name: oscal-control-mapper
description: Create and analyze OSCAL Control Mapping documents to establish formal relationships between controls across different frameworks (NIST 800-53, ISO 27001, CIS, PCI-DSS, etc.). Use this skill to document control equivalencies, gaps, and harmonization for multi-framework compliance.

OSCAL Control Mapper Skill

Create and analyze OSCAL 1.2.0 Control Mapping documents to establish formal, machine-readable relationships between security controls across different frameworks.

When to Use This Skill

Use this skill when you need to:

  • Map controls between different frameworks (NIST 800-53 ↔ ISO 27001)
  • Document control equivalencies and relationships
  • Identify gaps when transitioning between frameworks
  • Create harmonized control sets for multi-framework compliance
  • Generate mapping documentation for auditors
  • Analyze existing control mapping documents

⛔ Authoritative Data Requirement

Control mapping requires authoritative catalogs for both source and target frameworks.

What This Skill Does (Safe)

  • Creates OSCAL Control Mapping document structure
  • Defines relationship types (equal, subset, superset, intersects, not-equal)
  • Documents mapping rationale and notes
  • Validates mapping document structure

What Requires Authoritative Sources

| Element | Source Needed |
| --- | --- |
| Source control IDs | Source catalog (e.g., NIST 800-53) |
| Target control IDs | Target catalog (e.g., ISO 27001) |
| Control text/requirements | Both catalogs |

When Creating Mappings

To create a control mapping, I need:

  • Source framework catalog (e.g., NIST 800-53 Rev 5)
  • Target framework catalog (e.g., ISO 27001:2022)
  • Your mapping analysis or documented equivalencies

I will NOT generate mappings from training data — only from authoritative sources.

What is the Control Mapping Model?

New in OSCAL 1.2.0 (December 2025), the Control Mapping model provides a standardized way to express relationships between controls in different frameworks.

Key Concepts

| Concept | Description |
| --- | --- |
| Control Mapping | Document defining relationships between controls |
| Mapping Entry | Single relationship between source and target control(s) |
| Relationship Type | Nature of the mapping (equal, subset, superset, etc.) |
| Mapping Collection | Grouped set of related mappings |

Relationship Types

| Type | Description | Example |
| --- | --- | --- |
| equal | Controls are functionally equivalent | NIST AC-2 = ISO 27001 A.9.2.1 |
| subset | Source is narrower than target | NIST AC-2(1) ⊂ ISO 27001 A.9.2.1 |
| superset | Source is broader than target | NIST AC-2 ⊃ ISO 27001 A.9.2.1 |
| intersects | Partial overlap between controls | NIST SC-7 ∩ ISO 27001 A.13.1.1 |
| not-equal | Controls address different requirements | NIST AC-1 ≠ ISO 27001 A.5.1.1 |

Control Mapping Structure

control-mappings:
  uuid: [unique-id]
  metadata:
    title: "NIST 800-53 to ISO 27001 Mapping"
    version: "1.0"
    oscal-version: "1.2.0"
    last-modified: "2026-01-20T00:00:00Z"
  
  # Define the frameworks being mapped
  import-control-schemes:
    - href: "#nist-800-53-rev5"
      scheme: "nist-800-53-rev5"
    - href: "#iso-27001-2022"
      scheme: "iso-27001-2022"
  
  # Mapping entries
  control-mapping-set:
    - uuid: [set-uuid]
      title: "Access Control Mappings"
      description: "Mappings for access control requirements"
      
      control-mappings:
        - uuid: [mapping-uuid]
          source:
            control-id: "ac-2"
            scheme: "nist-800-53-rev5"
          
          target:
            - control-id: "a.9.2.1"
              scheme: "iso-27001-2022"
          
          relationship: "equal"
          
          remarks: |
            Both controls require account management procedures
            including creation, modification, and removal.

How to Create Control Mappings

Step 1: Obtain Required Catalogs

You need OSCAL catalogs for both frameworks:

  • Use the oscal-catalog-provider skill for NIST 800-53, FedRAMP
  • Request ISO, CIS, or other framework catalogs from the user

Step 2: Define Mapping Document Metadata

{
  "control-mappings": {
    "uuid": "[generate-uuid]",
    "metadata": {
      "title": "Framework A to Framework B Control Mapping",
      "version": "1.0",
      "oscal-version": "1.2.0",
      "last-modified": "[current-date]",
      "roles": [
        {
          "id": "mapper",
          "title": "Control Mapping Analyst"
        }
      ],
      "parties": [
        {
          "uuid": "[party-uuid]",
          "type": "organization",
          "name": "Your Organization"
        }
      ]
    }
  }
}

Step 3: Import Control Schemes

Define the frameworks being mapped:

"import-control-schemes": [
  {
    "href": "https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json",
    "scheme": "nist-800-53-rev5"
  },
  {
    "href": "#iso-27001-catalog",
    "scheme": "iso-27001-2022"
  }
]

Step 4: Create Mapping Sets

Group related mappings logically:

"control-mapping-set": [
  {
    "uuid": "[set-uuid]",
    "title": "Access Control Mappings",
    "description": "Mappings for access control domain",
    "control-mappings": [
      // Individual mappings here
    ]
  }
]

Step 5: Define Individual Mappings

For each control relationship:

{
  "uuid": "[mapping-uuid]",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "equal",
  "remarks": "Both require account management lifecycle procedures"
}

Step 6: Handle Complex Mappings

One-to-Many Mapping

{
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.2",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset"
}

Many-to-One Mapping

Create separate mapping entries for each source control pointing to the same target.

Partial Coverage

{
  "source": {
    "control-id": "sc-7",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.13.1.1",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "intersects",
  "remarks": "NIST SC-7 covers boundary protection broadly; ISO A.13.1.1 focuses on network controls. Partial overlap."
}
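Steps 2 through 6 above are one procedure; the following script is an added example (not part of this skill or of the OSCAL project) that carries it through end to end: it generates real RFC 4122 UUIDs instead of placeholders, enforces the five relationship types, expresses a one-to-many mapping as a multi-element target list and a many-to-one mapping as separate entries, and emits the whole document as JSON. The field names follow the structure sketched on this page, and the control pairs, set titles and remarks are constructed sample data rather than an authoritative mapping.

```python
import json
import uuid
from datetime import datetime, timezone

# The five relationship types the skill recognises.
RELATIONSHIP_TYPES = {"equal", "subset", "superset", "intersects", "not-equal"}


def mapping_entry(source_id, source_scheme, targets, relationship, remarks, confidence=None):
    """Build one mapping entry with a freshly generated RFC 4122 (version 4) UUID.

    `targets` is a list of (control-id, scheme) pairs; more than one pair
    expresses a one-to-many mapping."""
    if relationship not in RELATIONSHIP_TYPES:
        raise ValueError(f"invalid relationship type: {relationship!r}")
    if not targets:
        raise ValueError("a mapping entry needs at least one target")
    entry = {
        "uuid": str(uuid.uuid4()),  # a real UUID, never a placeholder like [generate-uuid]
        "source": {"control-id": source_id, "scheme": source_scheme},
        "target": [{"control-id": cid, "scheme": scheme} for cid, scheme in targets],
        "relationship": relationship,
        "remarks": remarks,
    }
    if confidence:
        entry["props"] = [{"name": "mapping-confidence", "value": confidence}]
    return entry


def many_to_one(sources, target, relationship, remarks):
    """Many-to-one: one entry per source control, all pointing at the same target."""
    return [mapping_entry(cid, scheme, [target], relationship, remarks)
            for cid, scheme in sources]


def build_document(title, schemes, mapping_sets, version="1.0"):
    """Wrap mapping sets in the document envelope.

    `schemes` is a list of (href, scheme) pairs; `mapping_sets` is a list of
    (title, description, entries) triples."""
    return {
        "control-mappings": {
            "uuid": str(uuid.uuid4()),
            "metadata": {
                "title": title,
                "version": version,
                "oscal-version": "1.2.0",
                "last-modified": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            },
            "import-control-schemes": [{"href": h, "scheme": s} for h, s in schemes],
            "control-mapping-set": [
                {"uuid": str(uuid.uuid4()), "title": t, "description": d,
                 "control-mappings": entries}
                for t, d, entries in mapping_sets
            ],
        }
    }


def example_document():
    """Constructed sample reusing the control pairs discussed on this page."""
    nist, iso = "nist-800-53-rev5", "iso-27001-2022"
    access = [mapping_entry(
        "ac-2", nist, [("a.9.2.1", iso), ("a.9.2.2", iso)], "superset",
        "AC-2 covers account management more broadly than either ISO control.", "high")]
    network = [mapping_entry(
        "sc-7", nist, [("a.13.1.1", iso)], "intersects",
        "SC-7 covers boundary protection broadly; A.13.1.1 focuses on network controls.")]
    enhancements = many_to_one(
        [("ac-2(1)", nist), ("ac-2(2)", nist)], ("a.9.2.1", iso), "subset",
        "Each enhancement is narrower than the ISO account management control.")
    return build_document(
        "NIST 800-53 to ISO 27001 Mapping",
        [("#nist-800-53-rev5", nist), ("#iso-27001-2022", iso)],
        [("Access Control Mappings", "Account management", access),
         ("Network Mappings", "Boundary and network controls", network),
         ("AC-2 Enhancements", "Enhancements mapped to ISO A.9.2.1", enhancements)])


if __name__ == "__main__":
    print(json.dumps(example_document(), indent=2))
```

Running the script prints a complete document; `mapping_entry` rejects anything outside the five relationship types at build time, which keeps relationship vocabulary errors out of the output before any schema validation runs.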

Analyzing Existing Mappings

When analyzing a control mapping document:

Step 1: Parse the Document

Use the oscal-parser skill to read the mapping document.

Step 2: Validate Structure

CRITICAL: When generating control mappings, always validate:

  1. UUID Validation

    • All UUIDs are RFC 4122 compliant (format: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d)
    • No duplicate UUIDs within document
    • Never leave UUID placeholders like [generate-uuid] in output
  2. Control Reference Validation

    • All source control-id values exist in source catalog
    • All target control-id values exist in target catalog
    • No orphaned or invalid control references
  3. Relationship Type Validation

    • Only use valid relationship types: equal, subset, superset, intersects, not-equal
    • Relationship type matches actual control comparison
  4. Metadata Completeness

    • Required fields present: title, version, oscal-version, last-modified
    • OSCAL version is 1.2.0 (Control Mapping model introduced in 1.2.0)
  5. Schema Validation

    • Run oscal-validator skill on generated mapping document
    • Validate against OSCAL Control Mapping JSON schema: https://raw.githubusercontent.com/usnistgov/OSCAL/v1.2.0/json/schema/oscal_control-mappings_schema.json
  6. Structural Requirements

    • import-control-schemes includes both source and target
    • Each mapping entry has valid source and at least one target
    • Control mapping sets properly organized
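The checks in the list above are mechanical enough to script. The validator below is an added example (not the oscal-validator skill and not OSCAL project code) that implements checks 1, 2, 3, 4 and 6 over a document laid out as on this page; check 5, JSON Schema validation, needs the published schema file and is left to the oscal-validator skill or a jsonschema run against the URL given above. The caller supplies the catalog control-id sets, which in practice come from the authoritative catalogs fetched with oscal-catalog-provider; the sample document and catalog stand-ins here are constructed, and the second sample entry deliberately carries a placeholder UUID, an orphaned target and an invalid relationship type.

```python
import re

# RFC 4122 layout: 8-4-4-4-12 hex digits, version nibble 1-5, variant nibble 8/9/a/b.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
VALID_RELATIONSHIPS = {"equal", "subset", "superset", "intersects", "not-equal"}
REQUIRED_METADATA = ("title", "version", "oscal-version", "last-modified")


def validate(doc, catalogs):
    """Return a list of finding strings; an empty list means every check passed.

    `catalogs` maps a scheme identifier to the set of control-ids in that
    authoritative catalog; the caller loads them, nothing is guessed."""
    findings = []
    root = doc.get("control-mappings")
    if root is None:
        return ["document has no control-mappings root"]

    # Check 4: metadata completeness and OSCAL version.
    meta = root.get("metadata", {})
    findings += [f"metadata missing required field {f!r}" for f in REQUIRED_METADATA if f not in meta]
    if meta.get("oscal-version") != "1.2.0":
        findings.append("oscal-version must be 1.2.0 (Control Mapping model)")

    # Check 1: every UUID well-formed, no placeholders, no duplicates.
    sets = root.get("control-mapping-set", [])
    labelled = [("document", root.get("uuid"))]
    labelled += [(f"set {s.get('title')!r}", s.get("uuid")) for s in sets]
    entries = [e for s in sets for e in s.get("control-mappings", [])]
    labelled += [(f"entry {e.get('uuid')!r}", e.get("uuid")) for e in entries]
    seen = set()
    for where, value in labelled:
        if not isinstance(value, str) or not UUID_RE.match(value):
            findings.append(f"{where}: uuid {value!r} is not RFC 4122 (placeholder left in?)")
        elif value.lower() in seen:
            findings.append(f"{where}: duplicate uuid {value}")
        else:
            seen.add(value.lower())

    # Check 6: both frameworks must be declared before entries can reference them.
    declared = {s.get("scheme") for s in root.get("import-control-schemes", [])}

    for e in entries:
        where = f"entry {e.get('uuid')!r}"
        src, targets = e.get("source") or {}, e.get("target") or []
        # Check 6: a source and at least one target.
        if "control-id" not in src or "scheme" not in src:
            findings.append(f"{where}: source must carry control-id and scheme")
        if not targets:
            findings.append(f"{where}: needs at least one target")
        # Check 3: relationship type from the closed vocabulary.
        if e.get("relationship") not in VALID_RELATIONSHIPS:
            findings.append(f"{where}: invalid relationship {e.get('relationship')!r}")
        # Check 2: every control reference resolves in the declared catalog.
        for ref in [src, *targets]:
            scheme, cid = ref.get("scheme"), ref.get("control-id")
            if scheme not in declared:
                findings.append(f"{where}: scheme {scheme!r} not in import-control-schemes")
            elif cid not in catalogs.get(scheme, set()):
                findings.append(f"{where}: control {cid!r} not in catalog {scheme!r} (orphaned)")
    return findings


def sample_document(with_defects=True):
    """Constructed sample; the second entry carries a placeholder UUID, an
    orphaned target and an invalid relationship type."""
    entries = [{
        "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
        "source": {"control-id": "ac-2", "scheme": "nist-800-53-rev5"},
        "target": [{"control-id": "a.9.2.1", "scheme": "iso-27001-2022"}],
        "relationship": "equal"}]
    if with_defects:
        entries.append({
            "uuid": "[generate-uuid]",
            "source": {"control-id": "ac-2", "scheme": "nist-800-53-rev5"},
            "target": [{"control-id": "a.99.9.9", "scheme": "iso-27001-2022"}],
            "relationship": "similar"})
    return {"control-mappings": {
        "uuid": "6f1d2c3b-4a5e-4f60-9b7c-8d9e0f1a2b3c",
        "metadata": {"title": "NIST 800-53 to ISO 27001 Mapping", "version": "1.0",
                     "oscal-version": "1.2.0", "last-modified": "2026-01-20T00:00:00Z"},
        "import-control-schemes": [{"href": "#nist", "scheme": "nist-800-53-rev5"},
                                   {"href": "#iso", "scheme": "iso-27001-2022"}],
        "control-mapping-set": [{"uuid": "0c4a9f12-7b6d-4e8a-a1b2-c3d4e5f60718",
                                 "title": "Access Control Mappings",
                                 "control-mappings": entries}]}}


# Constructed stand-ins for the catalogs; load the real ones via oscal-catalog-provider.
SAMPLE_CATALOGS = {"nist-800-53-rev5": {"ac-1", "ac-2", "sc-7"},
                   "iso-27001-2022": {"a.9.2.1", "a.9.2.2", "a.13.1.1"}}

if __name__ == "__main__":
    for finding in validate(sample_document(), SAMPLE_CATALOGS) or ["all checks passed"]:
        print(finding)
```

The defective sample yields exactly three findings (placeholder UUID, invalid relationship, orphaned target); with the second entry dropped the list is empty. A wrapper that refuses to write the file while `validate` returns anything is the simplest way to honour the "Always Validate Output" practice below.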

Step 3: Generate Analysis Report

# Control Mapping Analysis

**Source:** NIST 800-53 Rev 5
**Target:** ISO 27001:2022
**Total Mappings:** 145

## Relationship Distribution

- Equal: 78 (53.8%)
- Subset: 23 (15.9%)
- Superset: 31 (21.4%)
- Intersects: 13 (9.0%)
- Not-equal: 0 (0%)

## Coverage Analysis

### NIST 800-53 Coverage
- Total controls: 323
- Mapped controls: 245 (75.9%)
- Unmapped controls: 78 (24.1%)

### ISO 27001 Coverage
- Total controls: 93
- Mapped controls: 89 (95.7%)
- Unmapped controls: 4 (4.3%)

## Gaps Identified

### Unmapped NIST Controls
- AC-25: Reference Monitor
- SC-47: Alternate Communications Paths
- [...]

### Unmapped ISO Controls
- A.6.1.1: Information Security Roles
- [...]

Step 4: Identify Mapping Quality Issues

| Issue | Description |
| --- | --- |
| Orphaned mappings | References to non-existent control IDs |
| Bidirectional conflicts | A→B (equal) but B→A (subset) |
| Coverage gaps | Large numbers of unmapped controls |
| Relationship mismatches | Questionable relationship types |
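The analysis report of Step 3 and the quality issues listed in Step 4 can be computed from the document and the two catalogs. The script below is an added example (not part of this skill or of OSCAL) that produces the relationship distribution, per-framework coverage with unmapped control lists, orphaned references, and bidirectional conflicts, where a conflict means A→B is recorded with one relationship and B→A with something other than its inverse (equal↔equal, subset↔superset, intersects↔intersects, not-equal↔not-equal). Document layout follows this page; the sample document and catalog contents are constructed, and the reverse mapping of AC-2 and A.9.2.1 is made inconsistent on purpose.

```python
import uuid
from collections import Counter

# Relationship that must appear when a mapping is read from the target's side.
INVERSE = {"equal": "equal", "subset": "superset", "superset": "subset",
           "intersects": "intersects", "not-equal": "not-equal"}


def iter_entries(doc):
    for mset in doc["control-mappings"].get("control-mapping-set", []):
        yield from mset.get("control-mappings", [])


def pairs(doc):
    """Flatten entries to ((scheme, id) source, (scheme, id) target, relationship)."""
    for e in iter_entries(doc):
        src = (e["source"]["scheme"], e["source"]["control-id"])
        for t in e["target"]:
            yield src, (t["scheme"], t["control-id"]), e["relationship"]


def relationship_distribution(doc):
    """Count entries per relationship type, with the percentage of all entries."""
    counts = Counter(e["relationship"] for e in iter_entries(doc))
    total = sum(counts.values()) or 1
    return {rel: (n, round(100.0 * n / total, 1)) for rel, n in counts.items()}


def coverage(doc, scheme, catalog_ids):
    """Mapped and unmapped control-ids of one scheme, whether it is source or target."""
    touched = {cid for s, t, _ in pairs(doc) for sch, cid in (s, t) if sch == scheme}
    mapped = sorted(touched & catalog_ids)
    unmapped = sorted(catalog_ids - touched)
    pct = round(100.0 * len(mapped) / len(catalog_ids), 1) if catalog_ids else 0.0
    return {"mapped": mapped, "unmapped": unmapped, "percent": pct}


def orphaned_references(doc, catalogs):
    """Control references that resolve to nothing in the named catalog."""
    return sorted({(sch, cid) for s, t, _ in pairs(doc) for sch, cid in (s, t)
                   if cid not in catalogs.get(sch, set())})


def bidirectional_conflicts(doc):
    """A->B with relationship r conflicts with B->A unless B->A is INVERSE[r].

    Returns (a_id, b_id, a_to_b, b_to_a) tuples, each pair reported once."""
    forward = {(s, t): r for s, t, r in pairs(doc)}
    conflicts = []
    for (s, t), r in forward.items():
        reverse = forward.get((t, s))
        if reverse is not None and reverse != INVERSE[r] and s < t:
            conflicts.append((s[1], t[1], r, reverse))
    return conflicts


def _entry(src, targets, relationship):
    """Helper for the constructed sample below."""
    return {"uuid": str(uuid.uuid4()),
            "source": {"scheme": src[0], "control-id": src[1]},
            "target": [{"scheme": s, "control-id": c} for s, c in targets],
            "relationship": relationship}


NIST, ISO = "nist-800-53-rev5", "iso-27001-2022"
# Constructed sample: the reverse mapping of AC-2 <-> A.9.2.1 is inconsistent on purpose.
SAMPLE_DOC = {"control-mappings": {
    "uuid": str(uuid.uuid4()),
    "metadata": {"title": "Sample mapping", "version": "1.0",
                 "oscal-version": "1.2.0", "last-modified": "2026-01-20T00:00:00Z"},
    "import-control-schemes": [{"href": "#nist", "scheme": NIST}, {"href": "#iso", "scheme": ISO}],
    "control-mapping-set": [{"uuid": str(uuid.uuid4()), "title": "Sample", "control-mappings": [
        _entry((NIST, "ac-2"), [(ISO, "a.9.2.1")], "equal"),
        _entry((ISO, "a.9.2.1"), [(NIST, "ac-2")], "subset"),   # should be "equal"
        _entry((NIST, "ac-2(1)"), [(ISO, "a.9.2.1")], "subset"),
        _entry((NIST, "sc-7"), [(ISO, "a.13.1.1")], "intersects"),
    ]}]}}
# Constructed catalog stand-ins; use the authoritative catalogs in practice.
SAMPLE_CATALOGS = {NIST: {"ac-1", "ac-2", "ac-2(1)", "sc-7", "ac-25"},
                   ISO: {"a.9.2.1", "a.9.2.2", "a.13.1.1"}}

if __name__ == "__main__":
    print("distribution:", relationship_distribution(SAMPLE_DOC))
    for scheme, ids in SAMPLE_CATALOGS.items():
        print(scheme, coverage(SAMPLE_DOC, scheme, ids))
    print("orphaned:", orphaned_references(SAMPLE_DOC, SAMPLE_CATALOGS))
    print("conflicts:", bidirectional_conflicts(SAMPLE_DOC))
```

On the sample this reports three of five NIST controls mapped (AC-1 and AC-25 unmapped), two of three ISO controls mapped, no orphaned references, and one bidirectional conflict: A.9.2.1→AC-2 is recorded as subset while AC-2→A.9.2.1 says equal. Coverage counts a control as mapped whether it appears on the source or the target side, which is what the summary report's per-framework percentages need.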

Common Use Cases

1. Multi-Framework Compliance

Scenario: Organization must comply with both FedRAMP and ISO 27001.

Approach:

  1. Create mapping: FedRAMP Moderate → ISO 27001
  2. Identify overlapping controls (implement once)
  3. Identify ISO-only controls (additional requirements)
  4. Generate combined control set

2. Framework Migration

Scenario: Moving from NIST 800-53 Rev 4 → Rev 5.

Approach:

  1. Create mapping: Rev 4 → Rev 5
  2. Identify deprecated controls
  3. Identify new requirements
  4. Plan implementation updates

3. Vendor Control Correlation

Scenario: Map cloud provider controls to your baseline.

Approach:

  1. Import vendor component definition
  2. Create mapping: Vendor controls → NIST 800-53
  3. Identify responsibility model (inherited vs. hybrid vs. customer)
  4. Document coverage and gaps

4. Regulatory Harmonization

Scenario: Create unified control set for HIPAA, PCI-DSS, SOC 2.

Approach:

  1. Create mappings for each framework pair
  2. Identify common control core
  3. Document framework-specific additions
  4. Generate harmonized control catalog

Output Format

Mapping Summary Report

CONTROL MAPPING SUMMARY
=======================
Document: nist-to-iso-mapping.json
Source: NIST 800-53 Rev 5 (323 controls)
Target: ISO 27001:2022 (93 controls)
Version: 1.0
Last Updated: 2026-01-20

MAPPING STATISTICS
------------------
Total Mappings: 145
• Equal: 78 (53.8%)
• Subset: 23 (15.9%)
• Superset: 31 (21.4%)
• Intersects: 13 (9.0%)

COVERAGE
--------
Source Coverage: 245/323 (75.9%)
Target Coverage: 89/93 (95.7%)

TOP GAPS
--------
Unmapped Source Controls: 78
• Access Control: 12
• System Communications: 15
• Supply Chain: 8
[...]

Unmapped Target Controls: 4
• A.6.1.1, A.7.1.1, A.8.2.1, A.15.1.1

QUALITY
-------
✓ No orphaned references
✓ All UUIDs unique
⚠ 3 potential bidirectional conflicts detected

Example Mapping Entry

{
  "uuid": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
  "source": {
    "control-id": "ac-2",
    "scheme": "nist-800-53-rev5"
  },
  "target": [
    {
      "control-id": "a.9.2.1",
      "scheme": "iso-27001-2022"
    },
    {
      "control-id": "a.9.2.5",
      "scheme": "iso-27001-2022"
    }
  ],
  "relationship": "superset",
  "props": [
    {
      "name": "mapping-confidence",
      "value": "high"
    }
  ],
  "remarks": "NIST AC-2 comprehensively covers account management including provisioning (ISO A.9.2.1) and privileged access (ISO A.9.2.5). The NIST control is broader in scope."
}

Best Practices

  1. Document Rationale: Always include remarks explaining mapping decisions
  2. Use Authoritative Sources: Never map from memory or training data
  3. Validate Bidirectionally: Check mappings make sense from both perspectives
  4. Review Coverage: Identify and document gaps explicitly
  5. Version Control: Track mapping versions as frameworks evolve
  6. Expert Review: Have subject matter experts validate critical mappings
  7. Maintain Consistency: Use consistent relationship type definitions
  8. Update Regularly: Review when frameworks release new versions
  9. Always Validate Output: Run validation checks before delivering mapping documents
  10. Use Valid UUIDs: Generate proper RFC 4122 UUIDs, never use placeholders

Integration with Other Skills

| Skill | Use With Control Mapper |
| --- | --- |
| oscal-catalog-provider | Fetch source/target catalogs |
| oscal-parser | Read existing mapping documents |
| oscal-validator | Validate mapping document structure |
| control-implementation-generator | Generate unified implementation guidance |
| compliance-report-generator | Report on multi-framework compliance |
| gap-analyzer | Identify coverage gaps |

Limitations

  • Semantic Understanding: Mappings require human judgment; AI cannot definitively declare controls "equal"
  • Framework Updates: Mappings become stale when frameworks are revised
  • Context Dependency: Mapping appropriateness may vary by organizational context
  • Tool Support: OSCAL 1.2.0 Control Mapping model is new; tool support is emerging

Error Handling

| Error | Cause | Solution |
| --- | --- | --- |
| Invalid control-id | Control doesn't exist in catalog | Verify against authoritative catalog |
| Unknown scheme | Framework not recognized | Use standard scheme identifiers |
| Relationship conflict | Bidirectional mappings inconsistent | Review and reconcile relationships |
| Missing catalog | import-control-schemes href broken | Provide valid catalog references |

Version History

  • v1.0 (2026-01-20) - Initial skill for OSCAL 1.2.0 Control Mapping model