NIST Server
FreeNot checkedProvides comprehensive access to NIST cybersecurity frameworks and controls, enabling AI assistants and applications to query, analyze, and manage NIST security
About
Provides comprehensive access to NIST cybersecurity frameworks and controls, enabling AI assistants and applications to query, analyze, and manage NIST security controls through a standardized interface.
README
A professional Model Context Protocol (MCP) server providing comprehensive access to NIST cybersecurity frameworks and controls. Enables AI assistants and applications to query, analyze, and manage NIST security controls through a standardized, secure interface.
🚀 Quick Start
Get started with NIST's complete control catalog in minutes:
# Install and run
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
./scripts/install.sh
python -m nist_mcp.server
That's it! Your MCP server is now running with access to 1,196+ NIST security controls.
🔧 What You Can Do
Core Control Operations
- Browse all NIST SP 800-53 controls (1,196 total: base controls + enhancements)
- Get detailed control information with implementation guidance
- Search by keywords, families, or baseline levels
- Map controls to Cybersecurity Framework subcategories
Enterprise Compliance Support
- CMMC 2.0 assessments across all 5 maturity levels
- FedRAMP readiness for Low/Moderate/High impact systems
- SP 800-171 CUI baseline for protecting sensitive information
- NIST Cybersecurity Framework alignment and mapping
Advanced Analysis
- Gap analysis against baseline requirements
- Coverage assessments across control families
- Compliance mapping to other frameworks (SOC2, ISO27001)
- Risk evaluation of control implementations
📖 Installation & Setup
One-Command Setup (Recommended)
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
./scripts/install.sh
python -m nist_mcp.server
That's it! Your NIST MCP server is now running with 1,196+ controls.
Manual Setup
# 1. Clone and install
git clone https://github.com/your-username/nist-mcp.git
cd nist-mcp
pip install -e ".[dev]"
# 2. Download NIST data
python scripts/download_nist_data.py
# 3. Start server
python -m nist_mcp.server
Prerequisites
- Python 3.10+
- uv package manager (optional, but recommended)
🛠️ Practical Examples
Here are real examples of how to use the NIST MCP tools:
Basic Control Lookup
"What does AC-1 say?"
// Call: get_control("AC-1")
{
"id": "ac-1",
"title": "Policy and Procedures",
"class": "SP800-53",
"family": "AC",
"parts": [
{
"name": "statement",
"prose": "The organization develops and maintains a comprehensive security policy..."
}
],
"links": [...]
}
"Show me all Access Control family controls"
// Call: get_control_family("AC")
{
"family": "AC",
"name": "Access Control",
"description": "The AC family contains controls...",
"total_controls": 57,
"base_controls": 25,
"enhancements": 32,
"controls": [...]
}
Compliance Analysis
"Do we meet Moderate baseline requirements?"
// Call: gap_analysis(implemented_controls=["AC-1", "AU-1"], target_baseline="moderate")
{
"total_required": 177,
"implemented_count": 2,
"missing_count": 175,
"compliance_percentage": 1.13,
"critical_gaps": ["Risk Assessment", "Configuration Management"],
"next_priorities": ["AC-2", "IA-2", "AU-2"]
}
"What's our CMMC Level 2 readiness?"
// Call: cmmc_compliance_assessment(implemented_controls=["AC-1", "IA-2"], target_level=2)
{
"current_level": 1,
"target_level": 2,
"achieved_domains": ["AC", "IA"],
"missing_domains": ["CM", "CP", "IR"],
"progress_percentage": 23.5,
"next_steps": ["Implement CM-2", "Add CP-9 controls"]
}
Risk Assessments
"How risky is our current access control implementation?"
// Call: risk_assessment_helper(control_ids=["AC-1", "AC-2", "IA-3"])
{
"overall_risk_score": 7.3,
"critical_gaps": ["AC-6 (Least Privilege)", "AC-18 (Wireless Access)"],
"recommendations": [
"Implement multi-factor authentication (IA-3)",
"Review access control policies (AC-1)",
"Add session timeout controls"
]
}
Enterprise Framework Alignment
"Map our controls to NIST CSF functions"
// Call: get_control_mappings("AC-1")
{
"control_id": "AC-1",
"csf_mappings": ["PR.IP-1", "PR.IP-6"],
"functions": ["Protect"],
"categories": ["Identity Management"],
"rationale": "Policy framework supports identity protection"
}
"Prepare for FedRAMP Moderate authorization"
// Call: get_baseline_controls("moderate")
{
"baseline": "Moderate",
"total_controls": 177,
"required_families": {
"AC": 12, "AU": 9, "CA": 5,
"CM": 10, "IA": 8, "IR": 6,
"MP": 4, "PE": 8, "PS": 3,
"RA": 5, "SC": 45, "SI": 16,
"SA": 6, "AT": 1, "PL": 2
},
"implementation_timeline": "12-18 months"
}
📚 MCP Tool Reference
Core Control Operations
list_controls()- Browse all 1,196 NIST controlsget_control("AC-1")- Get detailed control info with implementation guidancesearch_controls("access", "AC", 10)- Search controls by keyword within familiesget_control_family("AC")- Get complete access control family (57 total controls)
Framework & Compliance
get_baseline_controls("moderate")- NIST baselines for system categorizationcmmc_compliance_assessment(current_controls, 3)- CMMC readiness assessmentfedramp_readiness_assessment(controls, "saas")- FedRAMP cloud readinessget_sp800171_baseline()- CUI protection baseline (DOD contractors)
Advanced Analysis
gap_analysis(implemented, "high")- Identify missing controls against baselinesanalyze_control_coverage(["AC-1", "AU-1"])- Assess control family coveragecompliance_mapping("ISO27001", controls)- Cross-framework mapping
Cybersecurity Framework
get_csf_framework()- Complete NIST CSF 2.0 with all functionssearch_csf_subcategories("multi-factor")- Find relevant CSF subcategoriescsf_to_controls_mapping("PR.AC-1")- Map CSF requirements to controls
Project Structure
nist-mcp/
├── src/nist_mcp/ # Main package
│ ├── server.py # MCP server implementation
│ ├── data/ # Data loading and caching
│ │ └── loader.py # NIST data loader
│ ├── tools/ # MCP tools (future expansion)
│ └── utils/ # Utility functions
├── data/ # NIST data sources
│ ├── nist-sources/ # Official NIST data
│ │ ├── sp800-53/ # SP 800-53 controls and baselines
│ │ ├── sp800-171/ # SP 800-171 CUI baseline profiles
│ │ ├── cmmc/ # CMMC framework and maturity levels
│ │ ├── fedramp/ # FedRAMP framework and impact levels
│ │ ├── csf/ # Cybersecurity Framework data
│ │ └── mappings/ # Control-to-CSF mappings
│ ├── oscal-schemas/ # OSCAL JSON schemas
│ └── examples/ # Example OSCAL documents
├── scripts/ # Utility scripts
│ └── download_nist_data.py # Data download script and framework creation
├── tools/ # Additional control tools
│ └── control_tools.py # Control management utilities
└── tests/ # Test suite
📋 Important Notes
Data Sources
Uses official public domain NIST data:
- SP 800-53 Rev 5 (1,196 controls)
- Cybersecurity Framework 2.0
- OSCAL schemas for document validation
Development & Testing
uv sync --dev # Install dev tools
make test # Run full test suite
make test-security # Security testing only
python -m nist_mcp.server # Start server
License
- MIT License (code)
- Public Domain (NIST data)
- Apache 2.0 (OSCAL schemas)
Support
Install NIST Server in Claude Desktop, Claude Code & Cursor
unyly install nist-mcp-serverInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add nist-mcp-server -- uvx --from git+https://github.com/tnicholson/nist-mcp-server nist-mcpFAQ
Is NIST Server MCP free?
Yes, NIST Server MCP is free — one-click install via Unyly at no cost.
Does NIST Server need an API key?
No, NIST Server runs without API keys or environment variables.
Is NIST Server hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install NIST Server in Claude Desktop, Claude Code or Cursor?
Open NIST Server on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare NIST Server with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
