nist
NIST MCP Server providing AI assistants with comprehensive cybersecurity framework analysis capabilities
claude mcp add --transport stdio tnicholson-nist-mcp-server python -m nist_mcp.server
How to use
The NIST MCP Server provides programmatic access to the complete NIST SP 800-53 control catalog, CSF mappings, baselines, and cross-framework analyses. You can browse controls, fetch detailed control information with guidance, search by keywords or families, and map controls to CSF functions. It also includes capabilities for compliance assessments (e.g., CMMC readiness, FedRAMP alignment) and risk/coverage analyses. The server exposes a set of MCP tools you can call to list, query, analyze, and map controls, enabling AI assistants and other applications to reason about NIST security controls in a standardized way.
To use the server, start it with the Python entry point (python -m nist_mcp.server) and call the exposed MCP tools through your client or integration layer. Typical operations include listing all controls, retrieving a specific control (get_control("AC-1")), exploring a control family (get_control_family("AC")), running baseline and gap analyses (get_baseline_controls or gap_analysis), and mapping controls to CSF or other frameworks (get_control_mappings, compliance_mapping). The toolset also supports coverage assessments and risk evaluations, so you can plan mitigations and see which baseline controls remain unaddressed.
Examples of common workflows include performing a basic control lookup to inspect implementation guidance, analyzing coverage across a family to identify underrepresented areas, and performing a moderate baseline readiness assessment to prepare for authorization efforts. The server is designed to be consumed by code or chat-based assistants, returning structured JSON that can be consumed by downstream tooling or UIs.
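The lookups and the gap analysis described above, as an added worked example rather than the project's own code: it runs the same kind of queries (control lookup, family listing, keyword search, baseline gap analysis) over a small constructed catalog and profile in the shape of the OSCAL JSON that the server's data download fetches. The fragments below are constructed sample data, not the real SP 800-53 catalog, and the function names mirror the tool names on this page only for readability; they are not the server's signatures.

```python
"""Control lookup, search and baseline gap analysis over OSCAL-shaped data.

Added example with constructed data; not the nist-mcp project's code.
"""
import json
from typing import Optional

# Constructed fragment in the shape of an OSCAL catalog (example data only).
CATALOG_JSON = json.dumps({
    "catalog": {
        "metadata": {"title": "Constructed mini-catalog (example data)"},
        "groups": [
            {"id": "ac", "class": "family", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures", "parts": [
                    {"name": "statement", "prose": "Develop, document, and disseminate an access control policy."},
                    {"name": "guidance", "prose": "Access control policy and procedures address the controls in the AC family."}]},
                {"id": "ac-2", "title": "Account Management", "parts": [
                    {"name": "statement", "prose": "Define and document the types of accounts allowed and prohibited."},
                    {"name": "guidance", "prose": "Account types include individual, shared, group, system, and service accounts."}],
                 "controls": [  # control enhancements nest under the base control
                    {"id": "ac-2.1", "title": "Automated System Account Management", "parts": [
                        {"name": "statement", "prose": "Support the management of system accounts using automated mechanisms."}]}]},
                {"id": "ac-6", "title": "Least Privilege", "parts": [
                    {"name": "statement", "prose": "Employ the principle of least privilege, allowing only authorized accesses."}]}]},
            {"id": "au", "class": "family", "title": "Audit and Accountability", "controls": [
                {"id": "au-2", "title": "Event Logging", "parts": [
                    {"name": "statement", "prose": "Identify the types of events that the system is capable of logging."}]}]}]}})

# Constructed fragment in the shape of an OSCAL profile: a baseline selects
# controls by id under imports / include-controls / with-ids.
BASELINE_JSON = json.dumps({
    "profile": {"metadata": {"title": "Constructed baseline (example data)"},
                "imports": [{"href": "#catalog",
                             "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "ac-6", "au-2"]}]}]}})


def _walk(controls, family, index):
    """Recursively index controls and their enhancements (nested 'controls')."""
    for ctl in controls:
        parts = {p.get("name"): p.get("prose", "") for p in ctl.get("parts", [])}
        index[ctl["id"]] = {
            "id": ctl["id"].upper(),
            "family": family,
            "title": ctl["title"],
            "statement": parts.get("statement", ""),
            "guidance": parts.get("guidance", ""),
        }
        _walk(ctl.get("controls", []), family, index)


def load_catalog(catalog_json: str) -> dict:
    """Flatten an OSCAL catalog into {lowercase control id: record}."""
    index = {}
    for group in json.loads(catalog_json)["catalog"].get("groups", []):
        _walk(group.get("controls", []), group["id"].upper(), index)
    return index


def get_control(index: dict, control_id: str) -> Optional[dict]:
    """Look up one control; accepts 'AC-1' or 'ac-1'. None if absent."""
    return index.get(control_id.lower())


def get_control_family(index: dict, family: str) -> list:
    """All control ids (including enhancements) in a family such as 'AC'."""
    return sorted(c["id"] for c in index.values() if c["family"] == family.upper())


def search_controls(index: dict, keyword: str, family: Optional[str] = None, limit: int = 10) -> list:
    """Case-insensitive keyword match over title, statement and guidance."""
    kw = keyword.lower()
    hits = []
    for cid in sorted(index):
        c = index[cid]
        if family and c["family"] != family.upper():
            continue
        if kw in (c["title"] + " " + c["statement"] + " " + c["guidance"]).lower():
            hits.append(c["id"])
        if len(hits) >= limit:
            break
    return hits


def get_baseline_controls(profile_json: str) -> set:
    """Collect every control id the profile selects via with-ids."""
    ids = set()
    for imp in json.loads(profile_json)["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.update(i.upper() for i in inc.get("with-ids", []))
    return ids


def gap_analysis(index: dict, profile_json: str, implemented) -> dict:
    """Compare implemented controls against a baseline. Ids that are not in the
    catalog are reported as unknown instead of being counted as coverage."""
    baseline = get_baseline_controls(profile_json)
    impl = {i.upper() for i in implemented}
    unknown = sorted(i for i in impl if i.lower() not in index)
    covered = baseline & impl
    return {
        "baseline_size": len(baseline),
        "covered": sorted(covered),
        "missing": sorted(baseline - impl),
        "outside_baseline": sorted((impl - baseline) - set(unknown)),
        "unknown_ids": unknown,
        "coverage_pct": round(100 * len(covered) / len(baseline), 1) if baseline else 0.0,
    }


if __name__ == "__main__":
    idx = load_catalog(CATALOG_JSON)
    print(json.dumps(get_control(idx, "AC-1"), indent=2))
    print(json.dumps(gap_analysis(idx, BASELINE_JSON, ["AC-1", "ac-2", "SC-7", "XX-9"]), indent=2))
```

The loader walks nested "controls" so enhancements such as AC-2(1) (OSCAL id ac-2.1) are indexed alongside base controls, and the gap analysis separates ids the catalog does not know from controls that are merely outside the baseline; a typo in an implemented-controls list should surface as a finding, not inflate the coverage figure. Once the download step has run, the same loader can be pointed at the full catalog JSON instead of the constructed fragment.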
How to install
Prerequisites:
- Python 3.10+
- internet access to install dependencies and download the NIST data
- Optional: the uv package manager, for development convenience
One-Command Setup (Recommended):
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
./scripts/install.sh
python -m nist_mcp.server
Manual Setup (alternative):
# 1. Clone and install in editable mode
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
pip install -e ".[dev]"
# 2. Download NIST data (required data assets)
python scripts/download_nist_data.py
# 3. Start server
python -m nist_mcp.server
Prerequisites details:
- Ensure Python 3.10 or newer is installed.
- uv is a fast Python package and environment manager; if you prefer it to pip, install and use it as described in the project docs.
- Both the install script and the manual steps fetch and prepare the SP 800-53 data, CSF mappings, and OSCAL schemas that the MCP server loads at startup.
Additional notes
Tips and common considerations:
- Data sources: The server relies on official NIST data (SP 800-53 Rev 5, CSF 2.0, OSCAL schemas). Ensure data download steps complete successfully to populate the server cache.
- Development vs production: Use the dev install path for development and testing; for production, consider packaging the server and data into a container or using a stable environment with pinned dependencies.
- Environment variables: data directories and network behavior are customized through environment variables (the ones named here are NIST_DATA_PATH and NIST_API_ENDPOINT); confirm the exact names and defaults in the project docs before relying on them.
- Performance: the catalog is large (1,196+ controls and enhancements), so warm the data cache at startup rather than on the first request, and handle tool calls asynchronously in clients so a slow query does not stall the assistant.
- Troubleshooting: If you encounter import or data loading errors, verify Python path accuracy, ensure dependencies are installed, and confirm network access for data downloads.
- API surface: The MCP toolset includes commands like list_controls(), get_control("AC-1"), search_controls("access", "AC", 10), get_control_family("AC"), and various analyses; refer to the MCP reference guide within the project for exact function signatures.