This project aims to develop a plug-in for OPAL (https://github.com/eop-omb/opal) that automates the auditing of system documentation to identify how specific security controls are implemented. The use case is:
As a cybersecurity officer, I want to be able to analyze the user-oriented documentation for a system and output concise descriptions of how specific security controls are implemented. These descriptions should be sufficient for an auditor to validate that the system meets the control requirements.
Security documentation examples in OSCAL format: https://github.com/usnistgov/oscal-content/tree/main
Convert OSCAL data to a Word document: https://github.com/GSA/oscal-ssp-to-word