# oscal-validator

> Validate OSCAL documents for structural integrity, schema compliance, and OSCAL-specific requirements. Use this skill to check if OSCAL documents are properly formatted and meet NIST OSCAL specifications before processing.

- Author: “IVProduced”
- Repository: euCann/OSCAL-GRC-SKILLS
- Version: 20260120151036
- Stars: 3
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/euCann/OSCAL-GRC-SKILLS
- Web: https://mule.run/skillshub/@@euCann/OSCAL-GRC-SKILLS~oscal-validator:20260120151036

---

---
name: oscal-validator
description: Validate OSCAL documents for structural integrity, schema compliance, and OSCAL-specific requirements. Use this skill to check if OSCAL documents are properly formatted and meet NIST OSCAL specifications before processing.
---

# OSCAL Validator Skill

Validate OSCAL documents against NIST schemas and perform structural integrity checks to ensure compliance data quality.

## When to Use This Skill

Use this skill when you need to:
- Verify an OSCAL document is properly formatted
- Check for missing required fields
- Validate UUIDs and cross-references
- Ensure metadata completeness
- Identify structural issues before further processing

---

## ✅ Data Source Principle

This skill validates **documents you provide** against structural rules and OSCAL schema requirements. Validation logic is safe — it checks format and syntax, not compliance content.

**Note:** For baseline completeness validation (e.g., "does this SSP cover all FedRAMP Moderate controls?"), you must also provide the baseline profile/catalog.

---

## Validation Severity Levels

| Level | Meaning | Action Required |
|-------|---------|-----------------|
| **ERROR** | Document is invalid | Must fix before use |
| **WARNING** | Potential issues | Should review |
| **INFO** | Suggestions | Optional improvements |

## Validation Rules

### Structure Validation (STRUCT)

| Rule | Description |
|------|-------------|
| STRUCT-001 | Document must not be empty or null |
| STRUCT-002 | Document must have a root element |
| STRUCT-003 | Root element must be a valid OSCAL model type |

### Metadata Validation (META)

| Rule | Description |
|------|-------------|
| META-001 | Metadata section is required |
| META-002 | Title is required |
| META-003 | Last-modified timestamp is required |
| META-004 | Version is required |
| META-005 | OSCAL version should match current spec |

### UUID Validation (UUID)

| Rule | Description |
|------|-------------|
| UUID-001 | Document UUID must be present |
| UUID-002 | UUIDs must be valid RFC 4122 format |
| UUID-003 | UUIDs must be unique within document |

### Reference Validation (REF)

| Rule | Description |
|------|-------------|
| REF-001 | Internal references must resolve |
| REF-002 | Control references must exist |
| REF-003 | Party references must resolve |

## How to Validate an OSCAL Document

### Step 1: Check Basic Structure
1. Verify document is not empty
2. Confirm root element exists
3. Validate root element is a valid OSCAL type

### Step 2: Validate Metadata
1. Check for required `metadata` section
2. Verify `title` is present and non-empty
3. Confirm `last-modified` is valid ISO timestamp
4. Check `version` is present
5. Validate `oscal-version` matches expected format

### Step 3: Validate UUIDs
1. Check document-level UUID exists
2. Validate UUID format (8-4-4-4-12 hexadecimal)
3. Build list of all UUIDs
4. Check for duplicates

### Step 4: Validate References
1. Find all internal references (e.g., `#uuid-value`)
2. Verify each reference resolves to existing element
3. Check control-id references against imported catalogs
4. Validate party-uuid references

### Step 5: Model-Specific Validation

**For Catalogs:**
- Groups should have controls
- Controls should have statements
- Parameters should have values or selections

**For SSPs:**
- Import-profile must reference valid profile
- System-characteristics must include system-ids
- Control-implementation must address all imported controls

**For Component Definitions:**
- Components must have titles
- Control implementations must reference valid controls

## Validation Report Format

Provide validation results as:

```
VALIDATION REPORT
=================
Document: [filename]
Model Type: [type]
Valid: [YES/NO]

Issues Found:
- [SEVERITY] [RULE-ID]: [Message] at [location]

Summary:
- Errors: X
- Warnings: Y
- Info: Z
```

## Common Issues and Fixes

| Issue | Cause | Fix |
|-------|-------|-----|
| Missing metadata | Incomplete document | Add required metadata section |
| Invalid UUID | Malformed identifier | Generate new RFC 4122 UUID |
| Unresolved reference | Broken link | Update reference or add target |
| Missing timestamp | Incomplete metadata | Add ISO 8601 timestamp |

## Example Usage

When asked "Validate this SSP for compliance":

1. Parse the document
2. Run all validation checks
3. Collect issues by severity
4. Report findings with specific locations
5. Provide actionable fix recommendations