@auditpilot/compliance-kb-mcp
v0.2.0
Published
NIST SP 800-53 Rev 5 knowledge-base MCP server (324 controls) with SOC 2 TSC mappings and BM25 search.
Maintainers
Readme
compliance-kb-mcp
compliance-kb-mcp is a typed MCP server that exposes the canonical
NIST Special Publication 800-53 Revision 5 control catalog (324 base
controls across 20 families) over stdio transport. Each control is annotated
with the SOC 2 Trust Services Criteria identifiers it helps satisfy, derived
from publicly available crosswalks.
This package is part of the AuditPilot SOC 2 readiness reference architecture and is designed to be easy to fork for other control catalogs.
Why NIST 800-53?
- Public domain. NIST 800-53 is a U.S. federal government work and is in the public domain (17 U.S.C. 105). The full canonical control text can be redistributed without licensing concerns.
- Machine-readable canonical source. NIST publishes the catalog in OSCAL JSON, XML, and YAML at usnistgov/oscal-content.
- Well-mapped to SOC 2. The AICPA publishes a TSC to 800-53 mapping (registration required); supplementary public crosswalks like the Open Security Architecture project make the relationship transparent.
Positioning
AuditPilot maps your environment to NIST 800-53 controls and shows which SOC 2 Trust Services Criteria are satisfied by your 800-53 coverage. The included
compliance-kb-mcpships with NIST 800-53 Rev 5 (public domain) and curated SOC 2 TSC mappings. For canonical SOC 2 TSC text, refer to AICPA-CIMA's published 2017 Trust Services Criteria -- that text is copyright-protected and is not redistributed in this package.
Features
- Strict Pydantic v2 schemas with
extra="forbid". - 324 NIST 800-53 Rev 5 base controls with parameter-substituted statements.
- Curated SOC 2 TSC to 800-53 mapping covering Common Criteria, Availability, Confidentiality, Processing Integrity, and Privacy clauses.
- Four MCP tools:
lookup_control,lookup_by_soc2_tsc,search_controls,list_controls. - Naive BM25 ranking for lexical search across statement, guidance, title, and family text.
- Zero external runtime dependencies beyond
mcp>=1.0andpydantic>=2.0.
Installation
Python (for running the stdio MCP server)
pip install compliance-kb-mcpOr with uv:
uv add compliance-kb-mcpnpm / Node.js (thin shim that delegates to the Python server)
npm install -g @auditpilot/compliance-kb-mcpOr run without installation via npx:
npx @auditpilot/compliance-kb-mcpMCP Client Configuration
Add the server to your MCP client config (e.g. Claude Desktop's
claude_desktop_config.json, or your project's .mcp.json).
Using the installed Python package (recommended):
{
"mcpServers": {
"compliance-kb": {
"command": "compliance-kb-mcp"
}
}
}Using uvx (no global install required):
{
"mcpServers": {
"compliance-kb": {
"command": "uvx",
"args": ["compliance-kb-mcp"]
}
}
}Using npx (Node shim delegates to Python):
{
"mcpServers": {
"compliance-kb": {
"command": "npx",
"args": ["-y", "@auditpilot/compliance-kb-mcp"]
}
}
}Note: The npx shim requires Python to be available on PATH. It spawns
python -m compliance_kb_mcp.serverusing thePYTHONenv var if set, otherwise falls back topython.
Tool Reference
lookup_control
- Input:
control_id: str-- NIST 800-53 base identifier, e.g."AC-1" - Output:
Control | None - Behavior: Returns the canonical 800-53 control payload (title,
statement, guidance, assessment objectives, SOC 2 TSC mappings, citation).
Returns
nullif the identifier is not found.
lookup_by_soc2_tsc
- Input:
tsc_id: str-- SOC 2 TSC identifier, e.g."CC6.1","A1.2" - Output:
list[Control] - Behavior: Returns all 800-53 controls mapped to the given SOC 2 TSC.
search_controls
- Input:
query: str,k: int(1-20, default 5) - Output:
list[Control] - Behavior: Returns top
kBM25-ranked controls matching the query terms.
list_controls
- Input:
family_id: str | None-- e.g."ac","sc","ia" - Output:
list[ControlSummary] - Behavior: Lists all 324 controls (or scoped to a single family) as lightweight summaries including id, title, and SOC 2 TSC mappings.
Local Development
# Install the package in editable mode with dev dependencies
uv sync --directory packages/compliance-kb-mcp
# Run tests
uv run --directory packages/compliance-kb-mcp pytest tests/
# Run the server locally (stdio transport)
uv run --directory packages/compliance-kb-mcp python -m compliance_kb_mcpData Sources
- Control catalog: NIST Special Publication 800-53 Revision 5
(DOI 10.6028/NIST.SP.800-53r5)
via the OSCAL JSON catalog at
usnistgov/oscal-content. - License: Public domain (17 U.S.C. 105).
- SOC 2 TSC mapping: Curated from the AICPA-published Mapping: 2017 Trust Services Criteria to NIST 800-53 (registration required) and the publicly available Open Security Architecture SOC 2 TSC to SP 800-53 crosswalk.
- SOC 2 TSC text: Copyright AICPA. Not redistributed in this package. Refer to the AICPA-CIMA-published 2017 Trust Services Criteria (with revised points of focus - 2022) for canonical SOC 2 TSC criteria text.
How to Refresh the Dataset When NIST Republishes the Catalog
- Pull the latest catalog from
usnistgov/oscal-content:curl -sL https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json \ -o /tmp/nist_catalog.json - Regenerate the dataset:
python scripts/build_dataset.py --oscal-source /tmp/nist_catalog.json - Re-run the test suite:
uv run --directory packages/compliance-kb-mcp pytest tests/ - Update
CHANGELOG.mdand the source citationoscal_last_modifiedline in the resulting JSON.
How To Fork For Another Catalog
- Copy
packages/compliance-kb-mcpto a new package folder (for examplepackages/iso-27001-kb-mcporpackages/cmmc-kb-mcp). - Rename the Python package and npm metadata.
- Replace
src/compliance_kb_mcp/data/nist_800_53_rev5_controls.jsonwith the new catalog (matching theControlPydantic schema). - Update
Control.frameworkliterals and validation patterns inschemas.py. - Keep the tool signatures unchanged so existing LangGraph integrations continue to work.
- Run tests and dry-run packaging:
pytest tests/npm pack --dry-runuv build
License
Apache-2.0. See LICENSE.
