
FedRAMP20xMCP

MCP server for querying FedRAMP 20x requirements with Azure-first guidance

Installation
Run this command in your terminal to add the MCP server to Claude Code. The FEDRAMP_DATA_REPO value shown is a placeholder: set it to the repository URL or local path you want the server to load, or omit the --env flag to use the default.
claude mcp add --transport stdio kevinrabun-fedramp20xmcp python -m fedramp_20x_mcp \
  --env FEDRAMP_DATA_REPO="URL to FedRAMP data repository, default https://github.com/FedRAMP/docs"

How to use

FedRAMP20xMCP exposes querying and analysis capabilities for FedRAMP 20x data, focusing on Azure-first guidance. The server loads FedRAMP requirements, KSIs, FRDs, and accompanying documentation from the FedRAMP docs repository and provides tools to query by control, family, or keyword, as well as access to official FedRAMP terminology definitions. It includes an automated evidence collection feature and a pattern-driven analysis engine to help you assess implementations against 20x requirements. You can interact with the server to retrieve structured data suitable for integration into security catalogs, assessment reports, and planning documents. When running locally, ensure you point the server to the FedRAMP data source and have a Python environment ready for installation and execution.

The available capabilities include:

  • Query by Control: Retrieve details about a specific FedRAMP FRR and its associated data.
  • Query by Family: List all requirements within a given FedRAMP family (e.g., ADS, VDR, RSC).
  • Keyword Search: Search across all FRRs, KSIs, and FRDs using keywords to surface relevant findings.
  • KSI Access: Explore Key Security Indicators with implementation status guidance.
  • Documentation Search: Fetch official FedRAMP documentation markdown files loaded from the repo.
  • Pattern-Based Analysis: Leverage the 381 YAML patterns to detect and categorize findings across supported languages, enabling AST-first analysis and remediation recommendations.
  • Implementation Planning: Generate interview questions and planning prompts to support product and engineering discussions for FedRAMP 20x adoption.
  • AST-Powered Code Analysis: Analyze code with tree-sitter-based parsing for context-aware security assessment across multiple languages.

To use these tools, start the server and invoke the tools it exposes from an MCP client such as Claude Code (the exact tool names depend on the server’s implementation). Typical workflows include querying a control to understand its requirements, enumerating all controls within a family for gap analysis, and performing keyword searches to discover all related findings. The implementation prioritizes Azure services and guidance, but the data remains applicable to broader cloud deployments where appropriate.

How to install

Prerequisites:

  • Python 3.10 or higher
  • pip (included with Python)
  • Git (optional, for cloning the repository)

Setup steps:

  1. Clone the repository:

    git clone https://github.com/KevinRabun/FedRAMP20xMCP.git
    cd FedRAMP20xMCP

  2. Create and activate a virtual environment (highly recommended):

    python -m venv .venv

    macOS/Linux

    source .venv/bin/activate

    Windows

    .venv\Scripts\activate

  3. Install in editable mode:

    pip install -e .

  4. Optional: if you prefer uv as the package manager for development:

    uv pip install -e .

  5. Run the MCP server:

    python -m fedramp_20x_mcp
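
To confirm the installed server actually speaks MCP before wiring it into a client, here is an added smoke check (example code, not part of the FedRAMP20xMCP project): it launches python -m fedramp_20x_mcp over stdio, completes the initialize handshake, and returns the sorted names of whatever tools the server advertises. Assumed rather than taken from the page: the standard MCP stdio framing of one JSON-RPC 2.0 message per line, protocol version 2024-11-05, and the constructed clientInfo name.

```python
import json
import os
import subprocess
import sys

PROTOCOL_VERSION = "2024-11-05"  # assumption: the MCP revision the mcp>=1.2.0 SDK speaks

def jsonrpc_request(req_id, method, params=None):
    """Build one JSON-RPC 2.0 request; the stdio transport sends one JSON object per line."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg) + "\n"

def initialize_request(req_id=1):
    # clientInfo is a constructed name for this check, not a real client identity
    return jsonrpc_request(req_id, "initialize", {"protocolVersion": PROTOCOL_VERSION,
        "capabilities": {}, "clientInfo": {"name": "fedramp20x-smoke-check", "version": "0.1"}})

def read_response(lines, expected_id):
    """Return the result for expected_id; skip notifications (no "id"), reject anything else."""
    for line in lines:
        msg = json.loads(line) if line.strip() else {}
        if "id" not in msg:  # blank line or a notifications/message log line; not our answer
            continue
        if msg.get("jsonrpc") != "2.0" or msg["id"] != expected_id:
            raise ValueError(f"unexpected message while waiting for id {expected_id}: {line.strip()}")
        if "error" in msg:
            raise RuntimeError(f"server error for id {expected_id}: {msg['error']}")
        return msg["result"]
    raise EOFError("server closed stdout before answering")

def tool_names(tools_result):
    return sorted(tool["name"] for tool in tools_result.get("tools", []))

def list_server_tools(data_repo=None):
    """Launch the server over stdio, complete the initialize handshake, then ask for tools/list."""
    env = {**os.environ, **({"FEDRAMP_DATA_REPO": data_repo} if data_repo else {})}
    proc = subprocess.Popen([sys.executable, "-m", "fedramp_20x_mcp"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, env=env, text=True)
    out = iter(proc.stdout.readline, "")
    try:
        proc.stdin.write(initialize_request(1)); proc.stdin.flush()
        read_response(out, 1)
        proc.stdin.write(json.dumps({"jsonrpc": "2.0", "method": "notifications/initialized"}) + "\n")
        proc.stdin.write(jsonrpc_request(2, "tools/list")); proc.stdin.flush()
        return tool_names(read_response(out, 2))
    finally:
        proc.kill()
```

Call list_server_tools() from the activated virtual environment; pass a local mirror path as data_repo to exercise the offline configuration described under Additional notes.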

Prerequisite Python dependencies (automatically installed by setup):

  • mcp>=1.2.0
  • httpx>=0.27.0
  • openpyxl>=3.1.0
  • python-docx>=1.1.0
  • tree-sitter>=0.21.0
  • tree-sitter-python>=0.21.0
  • tree-sitter-c-sharp>=0.21.0
  • tree-sitter-java>=0.21.0
  • tree-sitter-javascript>=0.21.0

Environment variables (examples):

  • FEDRAMP_DATA_REPO: URL or path to the FedRAMP data repository (default https://github.com/FedRAMP/docs)
  • Additional configuration can be added as needed per your deployment (e.g., API keys, storage paths, or feature flags)

Additional notes

Tips and common considerations:

  • Data sources: The server loads data from the FedRAMP docs repository. Ensure network access to fetch data, or configure FEDRAMP_DATA_REPO to point to a local mirror for offline use.
  • Azure-first guidance: The implementation emphasizes Azure-specific patterns and recommendations. When querying or exporting results, review Azure-focused remediation and architecture patterns.
  • Pattern engine: The system relies on YAML-driven patterns to detect findings. If you customize or extend patterns, follow the existing YAML schema to maintain compatibility.
  • Environment management: Using a virtual environment is recommended to avoid conflicts with system packages.
  • Troubleshooting: If you encounter import or module-not-found errors, verify that the package is installed in the active environment and that the module name in the invocation matches the installed package module (e.g., fedramp_20x_mcp).
  • Data freshness: Regularly update the FedRAMP data repository to keep FRRs, KSIs, and documentation current with the FedRAMP 20x release cycle.
