NIST SP 800-53 Compliance Validator

Validate NIST SP 800-53 control implementation with evidence mapping, gap analysis, automated testing, and compliance reporting across 20 control families.

Best use case

NIST SP 800-53 Compliance Validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate NIST SP 800-53 control implementation with evidence mapping, gap analysis, automated testing, and compliance reporting across 20 control families.

Teams using NIST SP 800-53 Compliance Validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/compliance-nist-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/compliance-nist-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/compliance-nist-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How NIST SP 800-53 Compliance Validator Compares

Feature / AgentNIST SP 800-53 Compliance ValidatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate NIST SP 800-53 control implementation with evidence mapping, gap analysis, automated testing, and compliance reporting across 20 control families.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

Invoke this skill when validating NIST SP 800-53 control implementation, conducting compliance assessments, identifying gaps, or generating evidence-based compliance reports for federal systems, contractors, or organizations adopting NIST frameworks.

**Trigger Conditions:**
- "Validate NIST SP 800-53 compliance for [system]"
- "Generate gap analysis for MODERATE baseline"
- "Map evidence to NIST controls for [control family]"
- "Assess [control family] implementation (e.g., AC, SI, CM)"
- "Create OSCAL SAR for NIST compliance assessment"
- "Automate NIST 800-53 control testing"
- "Continuous monitoring for NIST controls"

**Out of Scope:**
- FedRAMP-specific requirements (use compliance-fedramp-validator)
- OSCAL format conversion without validation (use compliance-oscal-validator)
- General compliance automation (use compliance-automation-engine)

---

## Pre-Checks

1. **Time Normalization:** Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601).
2. **Input Validation:**
   - NIST baseline specified (LOW, MODERATE, HIGH, or custom)
   - System boundaries defined (scope of assessment)
   - Control families or specific controls identified
3. **Documentation Availability:** Verify access to system documentation, configurations, evidence artifacts.
4. **OSCAL Integration:** Check if OSCAL SSP (System Security Plan) exists for evidence mapping.
5. **Assessment Type:** Clarify if initial assessment, periodic re-assessment, or continuous monitoring.

**Abort Conditions:**
- No baseline or control scope specified → emit TODO list with required inputs.
- Zero documentation or evidence → warn that validation will be minimal.

---

## Procedure

### T1: Quick Control Gap Analysis (≤2k tokens)

**Use Case:** Fast path for common scenarios (80% of requests).

**Steps:**
1. **Identify NIST Baseline:** Select applicable baseline controls.

| Baseline | Control Count | Use Case |
|----------|---------------|----------|
| LOW | 125 controls | Low-impact systems (public info) |
| MODERATE | 325 controls | Moderate-impact (most federal systems) |
| HIGH | 421 controls | High-impact (national security, critical infrastructure) |

2. **Sample 5 High-Priority Controls (T1 Fast Check):**

| Control ID | Control Name | Family | Validation Check |
|------------|--------------|--------|------------------|
| AC-2 | Account Management | Access Control | User account policies exist, periodic review evidence |
| SI-2 | Flaw Remediation | System Integrity | Patch management process, vulnerability scan results |
| CM-2 | Baseline Configuration | Configuration Mgmt | Configuration baselines documented, change control |
| IA-2 | Identification & Auth | Identification/Auth | MFA enabled, authentication logs |
| AU-2 | Event Logging | Audit & Accountability | Audit policy configured, log retention evidence |

3. **Quick Gap Score:**
   - **Implemented:** Control fully operational with evidence (Green).
   - **Partial:** Control partially implemented, missing evidence or incomplete (Yellow).
   - **Not Implemented:** Control missing or no evidence (Red).

4. **Top 3 Gaps:** Identify highest-risk missing controls with immediate remediation actions.

**Output:** Baseline mapping, 5-control quick check, gap score, top 3 priorities.

---

### T2: Comprehensive Control Family Assessment (≤6k tokens)

**Use Case:** Full control family validation for production assessments.

**Steps:**

#### 1. NIST SP 800-53 Rev 5.2.0 (20 Control Families)

**Complete Control Families (1,189 controls total):**

| ID | Family Name | Controls | Focus Area |
|----|-------------|----------|------------|
| AC | Access Control | 25 | User access, permissions, least privilege |
| AT | Awareness and Training | 6 | Security training, role-based awareness |
| AU | Audit and Accountability | 16 | Event logging, audit review, log protection |
| CA | Assessment, Authorization, Monitoring | 9 | Security assessments, continuous monitoring, authorization |
| CM | Configuration Management | 14 | Baseline configs, change control, inventory |
| CP | Contingency Planning | 13 | Backup, disaster recovery, alternate processing |
| IA | Identification and Authentication | 12 | MFA, credential management, authenticator management |
| IR | Incident Response | 10 | Incident handling, reporting, testing |
| MA | Maintenance | 6 | System maintenance, remote maintenance, tools |
| MP | Media Protection | 8 | Media sanitization, storage, transport |
| PE | Physical and Environmental Protection | 20 | Physical access, visitor control, environmental controls |
| PL | Planning | 11 | Security planning, architecture, privacy |
| PM | Program Management | 31 | Risk management strategy, governance |
| PS | Personnel Security | 9 | Position categorization, termination, sanctions |
| PT | PII Processing and Transparency | 8 | Privacy controls, consent, data minimization |
| RA | Risk Assessment | 10 | Risk assessments, vulnerability scanning |
| SA | System and Services Acquisition | 23 | SDLC security, supply chain, developer testing |
| SC | System and Communications Protection | 51 | Network security, crypto, transmission integrity |
| SI | System and Information Integrity | 23 | Flaw remediation, malware protection, monitoring |
| SR | Supply Chain Risk Management | 12 | Supply chain risk, supplier assessments, provenance |

**Total:** 1,189 controls across 20 families (NIST SP 800-53 Rev 5.2.0, accessed 2025-10-26T18:38:09-0400).

#### 2. Control Validation Methodology (NIST SP 800-53A)

**Assessment Methods (per NIST SP 800-53A):**

| Method | Description | Evidence Examples |
|--------|-------------|-------------------|
| Examine | Review documentation, policies, procedures | Policies, plans, procedures, configs, logs |
| Interview | Discuss with responsible personnel | Interview notes, attestations, walkthroughs |
| Test | Execute technical validation, scanning, testing | Scan results, penetration tests, automated checks |

**Control Assessment Example (AC-2: Account Management):**

```yaml
control_id: AC-2
control_name: Account Management
family: AC (Access Control)
baseline: MODERATE

assessment_objectives:
  - AC-2a: Organization manages system accounts (types, establish, activate, modify, review, disable, remove)
  - AC-2(1): Automated account management (enhancements)
  - AC-2(2): Automated account removal/disabling

assessment_methods:
  examine:
    - Account management policy and procedures
    - Configuration baselines for account creation
    - Account review logs (periodic review evidence)
  interview:
    - System administrators on account lifecycle
    - HR on termination processes
  test:
    - Automated scan: verify inactive accounts disabled after 90 days
    - Test account creation workflow: verify approval required
    - Verify MFA enforcement for privileged accounts

evidence_artifacts:
  - account_policy.pdf (policy document)
  - user_access_review_2025-Q3.xlsx (quarterly review)
  - qualys_scan_2025-10-15.pdf (automated compliance scan)
  - iam_config_baseline.json (baseline configuration)

validation_result: Implemented (Green)
findings: All assessment objectives met with documented evidence
compliance_score: 100%
```

#### 3. Evidence Mapping Matrix

**Evidence Collection (60-70% of compliance effort - automate for efficiency):**

| Control Family | Evidence Type | Automated Collection | Manual Collection |
|----------------|---------------|----------------------|-------------------|
| AC (Access Control) | IAM configs, user lists, MFA logs | ✅ Config exports, SIEM logs | Policies, interviews |
| SI (System Integrity) | Patch status, vuln scans, AV logs | ✅ Qualys/Nessus scans, SCCM | Patch procedures |
| CM (Config Mgmt) | Config baselines, change logs | ✅ Git commits, Terraform state | Change board minutes |
| AU (Audit/Accountability) | Audit logs, SIEM retention | ✅ Splunk/ELK exports | Log retention policy |
| IA (Identification/Auth) | MFA enrollment, auth logs | ✅ Okta/AD reports | Authentication policy |

**Automation Benefits:**
- **60-80% effort reduction** with automated evidence collection (accessed 2025-10-26T18:38:09-0400).
- Continuous monitoring vs. point-in-time snapshots.
- Real-time compliance dashboards.

#### 4. Gap Analysis & Remediation Planning

**Gap Analysis Workflow:**

1. **For each control in baseline:**
   - Check implementation status: Implemented / Partial / Not Implemented.
   - Verify evidence: Complete / Incomplete / Missing.
   - Calculate control strength: Strong / Weak / None.

2. **Gap Categorization:**

| Gap Type | Description | Remediation Effort |
|----------|-------------|--------------------|
| Implementation Gap | Control not implemented | High (design, deploy, test) |
| Evidence Gap | Control implemented, no evidence | Low (document, collect artifacts) |
| Partial Implementation | Control partially implemented | Medium (complete missing aspects) |
| Enhancement Gap | Base control OK, enhancements missing | Medium (add enhancements) |

3. **Prioritization (Risk-Based):**

```python
# Risk score = (Control Criticality × Impact × Likelihood) / Effort
# Criticality: LOW=1, MODERATE=2, HIGH=3
# Impact: 1-5 (data breach, downtime, regulatory)
# Likelihood: 1-5 (exploitability, threat landscape)
# Effort: hours to remediate

def calculate_priority(control):
    criticality = {"LOW": 1, "MODERATE": 2, "HIGH": 3}[control.baseline]
    impact = control.impact_score  # 1-5
    likelihood = control.likelihood_score  # 1-5
    effort = control.remediation_hours

    risk_score = (criticality * impact * likelihood) / effort
    return risk_score

# Sort gaps by risk_score descending → prioritized remediation list
```

4. **Remediation Plan Example:**

| Priority | Control | Gap Type | Effort | Risk Score | Deadline |
|----------|---------|----------|--------|------------|----------|
| 1 | SI-2 (Flaw Remediation) | Implementation | 40h | 18.0 | 30 days |
| 2 | IA-2(1) (MFA) | Partial | 20h | 15.0 | 45 days |
| 3 | CM-2 (Baseline Config) | Evidence | 8h | 12.0 | 60 days |
| 4 | AC-2(4) (Auto Account Mgmt) | Enhancement | 30h | 10.0 | 90 days |

#### 5. OSCAL Integration (Interoperability with OSCAL Validator)

**OSCAL Artifacts:**

- **SSP (System Security Plan):** Control implementation descriptions, responsible roles.
- **SAP (Security Assessment Plan):** Assessment objectives, methods, schedules.
- **SAR (Security Assessment Report):** Results, findings, recommendations.
- **POA&M (Plan of Action & Milestones):** Remediation plan with milestones.

**Generate OSCAL SAR (Security Assessment Report):**

```json
{
  "assessment-results": {
    "uuid": "550e8400-e29b-41d4-a716-446655440000",
    "metadata": {
      "title": "NIST SP 800-53 Assessment Results",
      "published": "2025-10-26T18:38:09-04:00",
      "version": "1.0",
      "oscal-version": "1.1.2"
    },
    "import-ap": {
      "href": "#assessment-plan-uuid"
    },
    "results": [
      {
        "uuid": "result-uuid-1",
        "title": "AC-2 Account Management Assessment",
        "finding": {
          "uuid": "finding-uuid-1",
          "title": "AC-2 Implemented with Evidence",
          "description": "Account management controls fully implemented.",
          "related-observations": [
            {
              "observation-uuid": "obs-uuid-1",
              "type": "examine",
              "description": "Account management policy reviewed and current."
            },
            {
              "observation-uuid": "obs-uuid-2",
              "type": "test",
              "description": "Automated test: Inactive accounts disabled after 90 days."
            }
          ]
        },
        "risk": {
          "status": "satisfied"
        }
      }
    ],
    "assessment-log": {
      "entries": [
        {
          "title": "Assessment Start",
          "start": "2025-10-15T09:00:00-04:00",
          "end": "2025-10-26T17:00:00-04:00"
        }
      ]
    }
  }
}
```

**OSCAL POA&M for Gaps:**

```json
{
  "plan-of-action-and-milestones": {
    "uuid": "poam-uuid-1",
    "metadata": {
      "title": "NIST SP 800-53 Remediation Plan",
      "published": "2025-10-26T18:38:09-04:00"
    },
    "poam-items": [
      {
        "uuid": "poam-item-1",
        "title": "Implement SI-2 Flaw Remediation",
        "description": "Deploy automated patch management solution.",
        "related-findings": ["finding-uuid-si2"],
        "milestones": [
          {
            "uuid": "milestone-1",
            "title": "Deploy SCCM/Patch Management",
            "description": "Install and configure patch management platform.",
            "target-date": "2025-11-25"
          },
          {
            "uuid": "milestone-2",
            "title": "Test Patch Deployment",
            "description": "Pilot patch deployment to test systems.",
            "target-date": "2025-12-10"
          }
        ]
      }
    ]
  }
}
```

**Output:** Complete control family assessment, evidence mapping, gap analysis, remediation plan, OSCAL SAR/POA&M.

---

### T3: Enterprise-Wide Continuous Monitoring (≤12k tokens)

**Use Case:** Continuous monitoring, multi-system assessments, automated testing at scale.

**Steps:**

#### 1. Continuous Monitoring Architecture

**NIST SP 800-137 Continuous Monitoring Framework:**

1. **Define:** Metrics, assessment frequency, roles.
2. **Establish:** Baseline configuration, continuous monitoring tools.
3. **Implement:** Automated data collection, analysis, reporting.
4. **Analyze:** Correlate findings, trend analysis, risk scoring.
5. **Respond:** Remediation, escalation, risk acceptance.
6. **Review:** Periodic review of monitoring effectiveness.

**Automated Control Testing (60-80% effort reduction):**

| Control Family | Automated Test | Tool/Method | Frequency |
|----------------|----------------|-------------|-----------|
| AC (Access Control) | Inactive account detection | SIEM query, IAM API | Daily |
| SI (System Integrity) | Vulnerability scanning | Qualys, Nessus, Tenable | Weekly |
| CM (Config Management) | Configuration drift detection | Chef InSpec, AWS Config | Continuous |
| AU (Audit/Accountability) | Log collection and retention | Splunk, ELK, SIEM | Continuous |
| IA (Identification/Auth) | MFA enrollment rate | Okta/AD reports | Daily |

**Continuous Monitoring Dashboard:**

```
NIST SP 800-53 Compliance Dashboard (Real-Time)

Overall Compliance Score: 87% (325/375 controls implemented)

Control Families (MODERATE Baseline):
┌─────────────────────────────────────────────────────────────┐
│ AC (Access Control):        ████████░░ 85% (21/25)          │
│ SI (System Integrity):      ███████░░░ 78% (18/23)          │
│ CM (Configuration Mgmt):    ██████████ 92% (13/14)          │
│ AU (Audit/Accountability):  ████████░░ 81% (13/16)          │
│ IA (Identification/Auth):   ██████████ 100% (12/12)         │
└─────────────────────────────────────────────────────────────┘

Recent Findings (Last 7 Days):
❌ SI-2: 15 systems missing critical patches (detected 2025-10-24)
⚠️  AC-2(3): 3 inactive accounts not disabled (detected 2025-10-25)
✅ CM-2: Configuration drift remediated on 10 systems (2025-10-26)

Trending:
↗ Compliance improved 5% from 82% → 87% (last 30 days)
↘ Open findings decreased from 45 → 32 (last 30 days)
```

#### 2. Multi-System Assessment (Enterprise Scale)

**Scenario:** Assess 50 federal systems across 3 data centers.

**Approach:**
- **Standardized Baselines:** Define organization-wide baselines (LOW/MODERATE/HIGH).
- **Centralized Evidence Repository:** Shared evidence library (common controls).
- **Automated Collection:** API integrations with cloud providers, SIEM, CM tools.
- **Parallel Assessments:** Assess systems concurrently (reduce timeline).
- **Rollup Reporting:** Aggregate compliance scores, common gaps, organization-wide trends.

**Common Controls (Inheritance):**

| Control | Common Control Provider | Inheriting Systems |
|---------|-------------------------|---------------------|
| PE-2 (Physical Access) | Data Center Operations | All systems in DC1, DC2, DC3 |
| IR-1 (Incident Response Policy) | CISO Office | All organizational systems |
| CP-1 (Contingency Planning Policy) | Business Continuity Team | All organizational systems |

**Benefit:** Assess common controls once, inherit across all systems (reduce duplication).

#### 3. Advanced Automation (Infrastructure as Code)

**Policy-as-Code Validation:**

```python
# Example: Chef InSpec test for AC-2 (Account Management)
control 'AC-2' do
  impact 1.0
  title 'Account Management'
  desc 'Verify inactive accounts are disabled after 90 days'

  # Check all user accounts
  describe command('lastlog -b 90') do
    its('stdout') { should eq '' }  # No logins in last 90 days
  end

  # Verify accounts are disabled
  users = command('awk -F: \'{print $1}\' /etc/passwd').stdout.split("\n")
  users.each do |user|
    describe user(user) do
      it { should_not be_disabled } if user_last_login(user) < 90.days.ago
    end
  end
end
```

**Infrastructure Scanning:**

```bash
# AWS Config rule for SI-2 (Flaw Remediation)
aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "ec2-managedinstance-patch-compliance-status-check",
  "Description": "Checks if patches are applied to EC2 instances",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK"
  },
  "Scope": {
    "ComplianceResourceTypes": ["AWS::EC2::Instance"]
  }
}'
```

#### 4. NIST SP 800-53 Rev 5.2.0 (August 2025 Updates)

**Key Updates in Release 5.2.0:**
- **SA-15 (Development Process, Standards, Tools):** Enhanced software update security.
- **SA-11 (Developer Testing):** Improved testing requirements for software security.
- **CM-3 (Configuration Change Control):** Strengthened update deployment management.
- **SI-7 (Software Integrity):** Enhanced integrity verification and validation.

**Executive Order 14306 Compliance:**
- Focus: "Strengthening the Nation's cybersecurity."
- Emphasis: Software supply chain security, update integrity, secure development.

**Output:** Continuous monitoring architecture, multi-system assessment, policy-as-code automation, 5.2.0 compliance.

---

## Decision Rules

1. **Baseline Selection:**
   - If system impact level known → use corresponding baseline (LOW/MODERATE/HIGH).
   - If impact unknown → default to MODERATE (325 controls, most federal systems).
   - If custom controls → validate against full 1,189 control catalog.

2. **Evidence Sufficiency:**
   - **Strong Evidence:** Multiple artifacts from different sources (examine + interview + test).
   - **Weak Evidence:** Single artifact or outdated evidence (>1 year old).
   - **No Evidence:** No documentation or artifacts → control marked "Not Implemented."

3. **Gap Prioritization:**
   - Prioritize by risk score: (Criticality × Impact × Likelihood) / Effort.
   - Critical controls (HIGH baseline) before enhancements.
   - Quick wins (high risk, low effort) prioritized for fast remediation.

4. **Automation Threshold:**
   - If >10 systems → implement continuous monitoring (cost-effective).
   - If evidence collection >100 hours → automate with API integrations.
   - If assessment frequency ≥ quarterly → continuous monitoring required.

5. **OSCAL Integration:**
   - If OSCAL SSP exists → import and validate control descriptions.
   - Generate OSCAL SAR for all assessments (interoperability).
   - If gaps identified → generate OSCAL POA&M with milestones.

**Uncertainty Thresholds:**
- If baseline unclear → request system categorization (FIPS 199).
- If evidence sources unknown → emit TODO list with required artifacts.
- If control scope ambiguous → default to full baseline assessment.

---

## Output Contract

**Required Fields:**

```yaml
baseline:
  - level: "LOW" | "MODERATE" | "HIGH" | "CUSTOM"
    control_count: integer
    control_families: array (AC, SI, CM, etc.)

validation_results:
  - control_id: string (e.g., "AC-2")
    control_name: string
    family: string
    implementation_status: "Implemented" | "Partial" | "Not Implemented"
    evidence_artifacts: array (file names, URLs)
    compliance_score: float (0-100%)
    findings: string (summary)

evidence_mapping:
  - control_family: string
    automated_evidence: array (log files, configs, scan results)
    manual_evidence: array (policies, interviews, procedures)
    collection_method: "automated" | "manual" | "hybrid"

gap_analysis:
  - gap_type: "Implementation" | "Evidence" | "Partial" | "Enhancement"
    control_id: string
    risk_score: float
    remediation_effort: integer (hours)
    priority: integer (1=highest)
    deadline: date

remediation_plan:
  - control_id: string
    remediation_action: string
    assigned_to: string (role/team)
    effort_estimate: integer (hours)
    target_date: date
    dependencies: array (other controls)

oscal_outputs:
  - sar: object (OSCAL SAR JSON)
    poam: object (OSCAL POA&M JSON)
    format: "json" | "xml" | "yaml"

compliance_metrics:
  - overall_score: float (0-100%)
    by_family: object ({AC: 85%, SI: 78%, ...})
    trend: "improving" | "stable" | "declining"
    finding_count: integer

continuous_monitoring:  # If T3
  - enabled: boolean
    assessment_frequency: string (daily, weekly, monthly)
    automated_tests: array (test names)
    dashboard_url: string
```

**Token Tier Minimums:**
- T1: baseline, validation_results (5 sample controls), gap_analysis (top 3).
- T2: All of T1 + evidence_mapping, remediation_plan, oscal_outputs, compliance_metrics.
- T3: All of T2 + continuous_monitoring, multi-system assessment, advanced automation.

---

## Examples

**AC-2 Account Management Validation:**

```yaml
control_id: AC-2
control_name: Account Management
family: AC (Access Control)
implementation_status: Implemented
evidence_artifacts:
  - account_management_policy.pdf
  - quarterly_user_review_2025-Q3.xlsx
  - qualys_inactive_account_scan.pdf
compliance_score: 100%
findings: All assessment objectives met. Automated testing confirms inactive accounts disabled after 90 days.
```

See `examples/nist-moderate-baseline-assessment.txt` for a complete MODERATE baseline assessment.

---

## Quality Gates

1. **Token Budgets:**
   - T1 response ≤2k tokens (quick gap analysis, 5 controls).
   - T2 response ≤6k tokens (full family assessment, evidence mapping).
   - T3 response ≤12k tokens (continuous monitoring, multi-system).

2. **Safety Checks:**
   - No PII or classified information in evidence artifacts.
   - Evidence collection respects data privacy (NIST PT family).
   - Automated tests do not disrupt production systems.

3. **Auditability:**
   - All validation results include evidence artifact references.
   - Gap analysis includes risk scoring methodology.
   - Remediation plans include effort estimates and deadlines.

4. **Determinism:**
   - Same baseline + evidence → same validation results.
   - Gap prioritization deterministic (risk score formula).

5. **Citations:**
   - NIST SP 800-53 Rev 5.2.0: 1,189 controls across 20 families (accessed 2025-10-26T18:38:09-0400, [NIST CSRC](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final)).
   - Release 5.2.0 (August 27, 2025): Software security, Executive Order 14306 (accessed 2025-10-26T18:38:09-0400, [NIST News](https://csrc.nist.gov/News/2025/nist-releases-revision-to-sp-800-53-controls)).
   - Automation: 60-80% effort reduction (accessed 2025-10-26T18:38:09-0400, [Satine Tech](https://satinetech.com/2025/05/28/automated-security-testing-for-nist-800-53-controls-a-practical-guide/)).

---

## Resources

**Official NIST Documentation:**
- [NIST SP 800-53 Rev 5.2.0 (August 2025)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) (accessed 2025-10-26T18:38:09-0400)
- [NIST SP 800-53A Rev 5.2.0 Assessment Procedures](https://csrc.nist.gov/pubs/sp/800/53/a/r5/final) (accessed 2025-10-26T18:38:09-0400)
- [NIST SP 800-137 Continuous Monitoring](https://csrc.nist.gov/publications/detail/sp/800-137/final)
- [NIST SP 800-53B Control Baselines](https://csrc.nist.gov/publications/detail/sp/800-53b/final)

**OSCAL Integration:**
- [OSCAL Homepage](https://pages.nist.gov/OSCAL/)
- [OSCAL SAR Schema](https://pages.nist.gov/OSCAL/reference/latest/assessment-results/json-reference/)
- [OSCAL POA&M Schema](https://pages.nist.gov/OSCAL/reference/latest/plan-of-action-and-milestones/json-reference/)

**Automation Tools:**
- [Chef InSpec](https://www.inspec.io/) (compliance as code)
- [AWS Config](https://aws.amazon.com/config/) (cloud resource compliance)
- [Azure Policy](https://azure.microsoft.com/en-us/products/azure-policy) (NIST compliance built-in)
- [OpenSCAP](https://www.open-scap.org/) (open-source security compliance)

Related Skills

Service Level Objective Validator

5
from williamzujkowski/cognitive-toolworks

Validate SLO definitions against actual metrics, generate alerting rules, and design error budget policies with burn rate calculations.

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Network Security Architecture Validator

5
from williamzujkowski/cognitive-toolworks

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

Cryptographic Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Application Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

UX Design System Validator

5
from williamzujkowski/cognitive-toolworks

Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.

Frontend Accessibility Validator

5
from williamzujkowski/cognitive-toolworks

Validate WCAG 2.2 compliance (A/AA/AAA) with ARIA, color contrast, keyboard navigation, screen readers, and automated testing via axe-core/Pa11y.

OSCAL SSP Validator

5
from williamzujkowski/cognitive-toolworks

Validates OSCAL System Security Plan documents against schemas, profiles, and cross-reference requirements with tiered validation depth.

Compliance Automation Engine

5
from williamzujkowski/cognitive-toolworks

Automate compliance checks for NIST, FedRAMP, FISMA, GDPR, HIPAA, and fintech regulations with OSCAL artifact generation and evidence validation.

API Design Validator

5
from williamzujkowski/cognitive-toolworks

Design and validate REST and GraphQL APIs with OpenAPI/GraphQL schema generation, security hardening, and OWASP API Security compliance.

API Contract Testing Validator

5
from williamzujkowski/cognitive-toolworks

Generate and validate API contract tests using Pact, Spring Cloud Contract, or OpenAPI with consumer-driven contracts and schema drift detection.

UX Wireframe Designer

5
from williamzujkowski/cognitive-toolworks

Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation