AI agent skills and modes for OSCAL-based compliance authoring — from NIST catalog customization through component definition to assessment result generation.
The OSCAL Compass project is hosted by the Cloud Native Computing Foundation (CNCF).
Demo video: agentic-agile-authoring-20260318.mp4
The demo shows the full authoring lifecycle in Roo Code: tailoring a NIST SP 800-53 catalog, mapping controls to a Kubernetes component, and generating an assessment result — all through natural language.
Create a dedicated directory for your compliance authoring project and open it as your coding agent workspace.
mkdir my-compliance-workspace && cd my-compliance-workspace
Roo Code:
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring install
Then reload your workspace and switch to the 📑 Agentic Agile Authoring mode in Roo Code.
Note: Roo Code loads skills at startup. If you install after opening the workspace, reload it for the skills to take effect.
Claude Code:
/plugin marketplace add oscal-compass/agentic-agile-authoring
/plugin install agentic-agile-authoring@agentic-agile-authoring
Confirm that the skills are loaded and the trestle MCP server is enabled in your workspace. The agent relies on trestle MCP for all OSCAL operations.
Follow along with the demo above. Type each prompt into Roo Code chat:
Step 1 — Create a custom catalog
Type in Roo Code:
Create regulatory controls for our organization, based on NIST SP 800-53 and limited to access control.
The agent prepares your regulatory document. Once done, it will ask if you want to customize the wording.
Step 2 — Generate OSCAL catalog
Type in Roo Code:
For now, proceed with the default wording. Please create the OSCAL JSON for this custom catalog.
catalog.json is created. Your controls are ready.
Step 3 — Define a component (Kubernetes)
Type in Roo Code:
Apply our organization's regulatory controls (catalogs/ac_controls_catalog) to Kubernetes. At this stage, please create the component definition.
The agent generates a human-readable implementation guide (Markdown + spreadsheet) per control, then produces the OSCAL component-definition.json. We recommend installing the Rainbow CSV VS Code extension to review the spreadsheet output.
Step 4 — Generate assessment results
Type in Roo Code:
Using the component definition, create the assessment results.
Provide your security tool's scan output, and the agent generates an assessment posture. If no scan output is provided, a mock posture is created automatically.
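Before accepting the generated artifacts from Steps 2 and 3, a reviewer can cross-check that every control in the custom catalog is mapped in the component definition and that the component definition references no control outside the catalog. The script below is an added example, not part of the project; it assumes the standard OSCAL JSON field names, and the sample documents are constructed for illustration.

```python
def catalog_control_ids(catalog_doc):
    """Every control id in an OSCAL catalog, including nested groups and enhancements."""
    ids = set()

    def walk(node):
        for control in node.get("controls", []):
            ids.add(control["id"])
            walk(control)  # control enhancements nest under "controls"
        for group in node.get("groups", []):
            walk(group)

    walk(catalog_doc["catalog"])
    return ids


def implemented_control_ids(compdef_doc):
    """Every control-id referenced by an implemented-requirement of any component."""
    ids = set()
    for comp in compdef_doc["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                ids.add(req["control-id"])
    return ids


def coverage_gaps(catalog_doc, compdef_doc):
    """unmapped: in the catalog but not implemented; unknown: implemented but not in the catalog."""
    cat, impl = catalog_control_ids(catalog_doc), implemented_control_ids(compdef_doc)
    return {"unmapped": sorted(cat - impl), "unknown": sorted(impl - cat)}


# Constructed sample data (not output of the tool); real files would be loaded with json.load().
SAMPLE_CATALOG = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-2", "controls": [{"id": "ac-2.1"}]},
    {"id": "ac-3"},
    {"id": "ac-6"},
]}]}}
SAMPLE_COMPDEF = {"component-definition": {"components": [{
    "title": "Kubernetes",
    "control-implementations": [{"implemented-requirements": [
        {"control-id": "ac-2"}, {"control-id": "ac-3"}, {"control-id": "ac-17"},
    ]}],
}]}}

if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_CATALOG, SAMPLE_COMPDEF))
```

A non-empty `unknown` list means the component definition cites a control the catalog does not define; a non-empty `unmapped` list means a catalog control has no implementation statement yet.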
| Skill | Description |
|---|---|
| catalog-authoring | Import NIST OSCAL assets, edit parameters, generate CSV templates, deploy Markdown catalogs |
| component-definition | Map abstract controls to component-specific rules and validation checks; generate component-definition.json |
| assessment | Evaluate control compliance from component definitions and validation scan results |
| git-workflow | Two-branch Git strategy for change tracking and PR review of compliance documents (opt-in) |
A single agent agentic-agile-authoring covers the full OSCAL authoring lifecycle and delegates to the skills above.
| Platform | Agent definition | Skill location |
|---|---|---|
| Claude Code | agents/claude/agentic-agile-authoring.md | skills/ |
| Roo Code | agents-roo/agentic-agile-authoring/roo.yaml | .roo/skills[-agentic-agile-authoring]/ |
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring install
Skills are installed to .roo/skills-agentic-agile-authoring/ by default.
To install into the shared .roo/skills/ directory instead (accessible to all modes):
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring install --skills-scope common
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring uninstall
# If installed with --skills-scope common:
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring uninstall --skills-scope common
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring download
Then follow the printed instructions to copy skills and import mode YAMLs into Roo Code.
.roo/skills-agentic-agile-authoring/ (or .roo/skills/) and .roo/rules-*/ are created by the installer and gitignored.
/plugin marketplace add oscal-compass/agentic-agile-authoring
/plugin install agentic-agile-authoring@agentic-agile-authoring
claude --plugin-dir ./
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring -h
uvx --from git+https://github.com/oscal-compass/agentic-agile-authoring.git agentic-agile-authoring install -h
Unless otherwise noted, files in this repository are licensed under the root LICENSE. Some skill directories include their own LICENSE.txt, which governs files in that directory.
We are a Cloud Native Computing Foundation sandbox project.
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see Trademark Usage.