NIST MCP Server

A professional Model Context Protocol (MCP) server providing comprehensive access to NIST cybersecurity frameworks and controls. Enables AI assistants and applications to query, analyze, and manage NIST security controls through a standardized, secure interface.

🚀 Quick Start

Get started with NIST's complete control catalog in minutes:

# Install and run
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
./scripts/install.sh
python -m nist_mcp.server

That's it! Your MCP server is now running with access to 1,196+ NIST security controls.

🔧 What You Can Do

Core Control Operations

• Browse all NIST SP 800-53 controls (1,196 total: base controls + enhancements)
• Get detailed control information with implementation guidance
• Search by keywords, families, or baseline levels
• Map controls to Cybersecurity Framework subcategories

Enterprise Compliance Support

• CMMC 2.0 assessments across all 5 maturity levels
• FedRAMP readiness for Low/Moderate/High impact systems
• SP 800-171 CUI baseline for protecting sensitive information
• NIST Cybersecurity Framework alignment and mapping

Advanced Analysis

• Gap analysis against baseline requirements
• Coverage assessments across control families
• Compliance mapping to other frameworks (SOC2, ISO27001)
• Risk evaluation of control implementations

📖 Installation & Setup

One-Command Setup (Recommended)

git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
./scripts/install.sh
python -m nist_mcp.server

That's it! Your NIST MCP server is now running with 1,196+ controls.

Manual Setup

# 1. Clone and install
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
pip install -e ".[dev]"

# 2. Download NIST data
python scripts/download_nist_data.py

# 3. Start server
python -m nist_mcp.server

Prerequisites

• Python 3.10+
• uv package manager (optional, but recommended)

🛠️ Practical Examples

Here are real examples of how to use the NIST MCP tools:

Basic Control Lookup

"What does AC-1 say?"

// Call: get_control("AC-1")
{
  "id": "ac-1",
  "title": "Policy and Procedures",
  "class": "SP800-53",
  "family": "AC",
  "parts": [
    {
      "name": "statement",
      "prose": "The organization develops and maintains a comprehensive security policy..."
    }
  ],
  "links": [...]
}

"Show me all Access Control family controls"

// Call: get_control_family("AC")
{
  "family": "AC",
  "name": "Access Control",
  "description": "The AC family contains controls...",
  "total_controls": 57,
  "base_controls": 25,
  "enhancements": 32,
  "controls": [...]
}

Compliance Analysis

"Do we meet Moderate baseline requirements?"

// Call: gap_analysis(implemented_controls=["AC-1", "AU-1"], target_baseline="moderate")
{
  "total_required": 177,
  "implemented_count": 2,
  "missing_count": 175,
  "compliance_percentage": 1.13,
  "critical_gaps": ["Risk Assessment", "Configuration Management"],
  "next_priorities": ["AC-2", "IA-2", "AU-2"]
}

"What's our CMMC Level 2 readiness?"

// Call: cmmc_compliance_assessment(implemented_controls=["AC-1", "IA-2"], target_level=2)
{
  "current_level": 1,
  "target_level": 2,
  "achieved_domains": ["AC", "IA"],
  "missing_domains": ["CM", "CP", "IR"],
  "progress_percentage": 23.5,
  "next_steps": ["Implement CM-2", "Add CP-9 controls"]
}

Risk Assessments

"How risky is our current access control implementation?"

// Call: risk_assessment_helper(control_ids=["AC-1", "AC-2", "IA-3"])
{
  "overall_risk_score": 7.3,
  "critical_gaps": ["AC-6 (Least Privilege)", "AC-18 (Wireless Access)"],
  "recommendations": [
    "Implement multi-factor authentication (IA-3)",
    "Review access control policies (AC-1)",
    "Add session timeout controls"
  ]
}

Enterprise

... View full README on GitHub