Commit a82094d
committed
Add NIST 800-53 control files with OSCAL metadata and CIS mappings
Add 1,196 NIST 800-53 Revision 5 controls split into 21 family files with
enriched OSCAL metadata and automated CIS benchmark rule mappings.

Control File Structure:
- controls/nist_800_53.yml: Top-level metadata (15 lines, points to subdirectory)
- controls/nist_800_53/*.yml: 21 family files for human editing
  - ac.yml: Access Control (147 controls)
  - au.yml: Audit and Accountability (69 controls)
  - cm.yml: Configuration Management (66 controls)
  - ia.yml: Identification and Authentication (74 controls)
  - sc.yml: System and Communications Protection (162 controls)
  - si.yml: System and Information Integrity (119 controls)
  - other.yml: Unmapped CIS items (102 items)
  - 14 additional families (AT, CA, CP, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SR)
- shared/references/controls/nist_800_53_cis_reference.yml: Reference metadata
- shared/references/controls/nist_800_53_cis_reference/*.yml: 21 reference family files
  - Auto-generated for weekly comparison
  - Same structure as real files
  - Used to detect CIS mapping changes

OSCAL Metadata (extracted from NIST catalog):
- description: Full control statements with sub-parts (a, b, c...)
  - Example AC-2: 12 sub-parts describing account management requirements
- parameters: Organization-Defined Parameters (ODPs)
  - Labels, guidelines, and choices for customization
  - Example AC-2: 10 parameters for account management criteria
- guidance: Implementation advice and discussion
  - 500-3000 characters per control
  - Security best practices and considerations
- related_controls: Control dependency references
  - Example AC-2: 28 related controls (AC-3, AC-5, IA-2, etc.)
- Jinja2 syntax: Escaped as [[ ]] to prevent macro expansion

CIS Integration:
- Automated NIST→CIS mappings from benchmark nist: references
- Inverted index: NIST controls populated with CIS rule selections
- Product guards: {{% if product.startswith('rhel') %}} for family-based filtering
- Variable variants: If/elif blocks for product-specific values
- Unmapped items: 102 CIS rules without NIST mappings in other.yml
- Complete coverage: 525 mapped + 102 unmapped = 627 total CIS items

Product Guards:
- Family-based: {{% if product.startswith('rhel') %}} for all RHEL versions
- Specific: {{% if product == "rhel9" %}} for single product
- Variables: {{% if/elif/endif %}} blocks for product-specific values

File Sizes:
- Real control files: 24KB-180KB per family (~1.5MB total)
- Reference files: Same size distribution
- Metadata overhead: ~3x increase from OSCAL enrichment

Integration:
- Profiles use nist_800_53:all to reference all controls
- Build system loads all 21 family files automatically
- Jinja2 guards evaluated at build time for target product

Testing:
- RHEL 9 datastream builds successfully
- Profile comparisons show exact CIS coverage
- All 1,196 controls have OSCAL metadata
- Product guards syntactically correct

1 parent d6edce2 commit a82094d
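The inverted index and the weekly comparison against the reference files that the message describes, as an added Python example (not the commit's own code, which is not rendered on this page); it assumes each benchmark rule exposes a list of NIST control ids taken from its nist: reference, and every rule id and mapping below is constructed.

```python
"""Invert CIS benchmark 'nist:' references into a NIST-control -> CIS-rule index and
report mapping drift against a reference snapshot. Rule data below is constructed."""
from collections import defaultdict

# Constructed sample: rule id -> NIST control ids from its nist: reference line.
# An empty list means no NIST mapping, so the rule belongs in other.yml.
CURRENT_RULES = {
    "accounts_password_pam_minlen": ["IA-5(1)", "CM-6(a)"],
    "audit_rules_login_events": ["AU-2(d)", "AU-12(c)", "AC-6(9)"],
    "sshd_disable_root_login": ["AC-6(2)", "IA-2"],
    "package_telnet_removed": [],
}
# Constructed reference snapshot, i.e. what the weekly comparison diffs against.
REFERENCE_RULES = {
    "accounts_password_pam_minlen": ["IA-5(1)"],
    "audit_rules_login_events": ["AU-2(d)", "AU-12(c)", "AC-6(9)"],
    "sshd_disable_root_login": ["AC-6(2)", "IA-2"],
    "package_telnet_removed": [],
}

def family_of(control_id):
    """'AC-6(2)' -> 'ac': the family file a control lands in."""
    return control_id.split("-", 1)[0].lower()

def invert(rules):
    """Build control -> sorted rule list, plus the sorted list of unmapped rules."""
    index = defaultdict(set)
    other = []
    for rule, refs in rules.items():
        if not refs:
            other.append(rule)
            continue
        for ref in refs:
            index[ref].add(rule)
    return {c: sorted(r) for c, r in index.items()}, sorted(other)

def coverage(rules):
    """Return (mapped, unmapped, total); total always equals mapped + unmapped."""
    mapped = sum(1 for refs in rules.values() if refs)
    return mapped, len(rules) - mapped, len(rules)

def drift(current, reference):
    """Per-control rule additions/removals between the current and reference index."""
    cur_idx, _ = invert(current)
    ref_idx, _ = invert(reference)
    changes = {}
    for control in sorted(set(cur_idx) | set(ref_idx)):
        cur, ref = set(cur_idx.get(control, [])), set(ref_idx.get(control, []))
        if cur != ref:
            changes[control] = {"family": family_of(control),
                                "added": sorted(cur - ref), "removed": sorted(ref - cur)}
    return changes
```

A non-empty result from drift() is the signal the weekly comparison is after: a control whose CIS rule selection changed since the reference files were generated.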
44 files changed
Lines changed: 40570 additions & 0 deletions
Large diffs are not rendered by default.
0 commit comments