
@modular-intelligence/compliance-audit

v1.0.0

MCP server for security compliance framework auditing (NIST, CIS, PCI DSS, HIPAA, SOC 2)

Compliance Audit MCP Server

A compliance framework auditing service that integrates five major security and compliance standards. This MCP (Model Context Protocol) server lets Claude query compliance controls, map security findings to requirements, and generate baseline audit checklists.

Overview

This server provides access to five industry-leading compliance frameworks through a unified interface:

  • NIST SP 800-53 Rev 5 - Federal information security controls catalog with LOW/MODERATE/HIGH baseline mappings
  • CIS Controls v8 - Critical security controls with implementation groups (IG1/IG2/IG3)
  • PCI DSS v4.0 - Payment card industry data security standards and requirements
  • HIPAA Security Rule - Healthcare privacy and security safeguards (Administrative/Physical/Technical)
  • SOC 2 Type II - Trust Service Criteria for service organization controls

All compliance framework data is bundled as JSON within the server. No external API keys or dependencies are required.

Perfect for compliance audits, security assessments, control mapping, gap analysis, and building compliance checklists.

Tools

| Tool | Framework | Description |
|------|-----------|-------------|
| cis_benchmark_check | CIS Controls v8 | Query controls by ID, category, or implementation group (IG1/IG2/IG3) |
| nist_control_lookup | NIST SP 800-53 Rev 5 | Look up security controls by ID, family, or baseline (LOW/MODERATE/HIGH) |
| pci_requirement_map | PCI DSS v4.0 | Map security findings to PCI DSS requirements by keyword or ID |
| hipaa_control_check | HIPAA Security Rule | Search controls by safeguard type (Administrative/Physical/Technical) or keyword |
| soc2_criteria_map | SOC 2 Type II | Map to Trust Service Criteria by category (Security/Availability/Confidentiality) |
| baseline_audit | All Frameworks | Generate comprehensive compliance baseline checklists |

CIS Controls v8 Benchmark Check

Query CIS Controls v8 benchmark by control ID, category, or implementation group.

Input Parameters:

{
  control_id?: string                           // CIS Control ID (e.g., "1", "5", "18")
  category?: string                             // Control category (e.g., "asset_management", "access_control", "data_protection")
  implementation_group?: "IG1" | "IG2" | "IG3" // Implementation Group level
}

Example Request:

{
  "implementation_group": "IG1"
}

Example Output:

{
  "framework": "CIS Controls v8",
  "total_controls": 5,
  "controls": [
    {
      "id": "1",
      "title": "Inventory and Control of Enterprise Assets",
      "description": "Actively manage all enterprise assets connected to the infrastructure.",
      "category": "asset_management",
      "implementation_groups": ["IG1", "IG2", "IG3"],
      "assessment_guidance": "Verify that processes and technical controls are in place for: actively manage all enterprise assets connected to the infrastructure."
    },
    {
      "id": "2",
      "title": "Inventory and Control of Software Assets",
      "description": "Actively manage all software on the network.",
      "category": "asset_management",
      "implementation_groups": ["IG1", "IG2", "IG3"],
      "assessment_guidance": "Verify that processes and technical controls are in place for: actively manage all software on the network."
    },
    {
      "id": "3",
      "title": "Data Protection",
      "description": "Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.",
      "category": "data_protection",
      "implementation_groups": ["IG1", "IG2", "IG3"],
      "assessment_guidance": "Verify that processes and technical controls are in place for: develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data."
    },
    {
      "id": "4",
      "title": "Secure Configuration of Enterprise Assets and Software",
      "description": "Establish and maintain secure configuration of enterprise assets and software.",
      "category": "configuration",
      "implementation_groups": ["IG1", "IG2", "IG3"],
      "assessment_guidance": "Verify that processes and technical controls are in place for: establish and maintain secure configuration of enterprise assets and software."
    },
    {
      "id": "5",
      "title": "Account Management",
      "description": "Use processes and tools to assign and manage authorization to credentials.",
      "category": "access_control",
      "implementation_groups": ["IG1", "IG2", "IG3"],
      "assessment_guidance": "Verify that processes and technical controls are in place for: use processes and tools to assign and manage authorization to credentials."
    }
  ]
}

NIST Control Lookup

Query NIST SP 800-53 Rev 5 security controls by control ID, family, or baseline level.

Input Parameters:

{
  control_id?: string              // NIST Control ID (e.g., "AC-2", "AU-6", "SC-8")
  family?: string                  // Control family ID (e.g., "AC", "AU", "IA", "SC", "SI")
  baseline?: "LOW" | "MODERATE" | "HIGH" // Security baseline level
}

Example Request:

{
  "family": "AC",
  "baseline": "HIGH"
}

Example Output:

{
  "framework": "NIST SP 800-53 Rev 5",
  "total_controls": 10,
  "controls": [
    {
      "id": "AC-1",
      "title": "Policy and Procedures",
      "description": "Develop, document, and disseminate access control policy and procedures.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    },
    {
      "id": "AC-2",
      "title": "Account Management",
      "description": "Define and document types of accounts. Create, enable, modify, disable, and remove accounts.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    },
    {
      "id": "AC-3",
      "title": "Access Enforcement",
      "description": "Enforce approved authorizations for logical access to information and system resources.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    },
    {
      "id": "AC-4",
      "title": "Information Flow Enforcement",
      "description": "Enforce approved authorizations for controlling the flow of information within the system and between systems.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["MODERATE", "HIGH"]
    },
    {
      "id": "AC-5",
      "title": "Separation of Duties",
      "description": "Identify and document duties of individuals requiring separation.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["MODERATE", "HIGH"]
    },
    {
      "id": "AC-6",
      "title": "Least Privilege",
      "description": "Employ the principle of least privilege, allowing only authorized accesses necessary to accomplish assigned tasks.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["MODERATE", "HIGH"]
    },
    {
      "id": "AC-7",
      "title": "Unsuccessful Logon Attempts",
      "description": "Enforce a limit of consecutive invalid logon attempts during a specified time period.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    },
    {
      "id": "AC-8",
      "title": "System Use Notification",
      "description": "Display system use notification message before granting access.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    },
    {
      "id": "AC-11",
      "title": "Device Lock",
      "description": "Prevent access to the system by initiating a device lock after a period of inactivity.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P2",
      "baselines": ["MODERATE", "HIGH"]
    },
    {
      "id": "AC-17",
      "title": "Remote Access",
      "description": "Establish and document usage restrictions for remote access.",
      "family_id": "AC",
      "family_name": "Access Control",
      "priority": "P1",
      "baselines": ["LOW", "MODERATE", "HIGH"]
    }
  ]
}

PCI DSS Requirement Map

Map security findings to PCI DSS v4.0 requirements by finding type or requirement ID.

Input Parameters:

{
  finding_type: string        // Description of the finding (e.g., "unencrypted data transmission", "weak passwords", "missing access logs")
  requirement_id?: string     // Specific PCI DSS requirement ID (e.g., "1", "3", "8")
}

Example Request:

{
  "finding_type": "unencrypted cardholder data transmission"
}

Example Output:

{
  "framework": "PCI DSS v4.0",
  "finding": "unencrypted cardholder data transmission",
  "total_matches": 2,
  "requirements": [
    {
      "id": "4",
      "title": "Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks",
      "description": "Sensitive authentication data is encrypted during transmission.",
      "category": "encryption",
      "remediation_guidance": "Ensure compliance with PCI DSS requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks"
    },
    {
      "id": "3",
      "title": "Protect Stored Account Data",
      "description": "Protection methods such as encryption, truncation, masking, and hashing are critical to protecting account data.",
      "category": "data_protection",
      "remediation_guidance": "Ensure compliance with PCI DSS requirement 3: Protect Stored Account Data"
    }
  ]
}

HIPAA Control Check

Query HIPAA Security Rule controls by control ID, safeguard type, or keyword.

Input Parameters:

{
  control_id?: string                                    // HIPAA control ID (e.g., "164.308(a)(1)", "164.312(e)(1)")
  safeguard_type?: "Administrative" | "Physical" | "Technical" // Type of safeguard
  keyword?: string                                       // Keyword to search in control titles and descriptions
}

Example Request:

{
  "safeguard_type": "Technical",
  "keyword": "encryption"
}

Example Output:

{
  "framework": "HIPAA Security Rule",
  "total_controls": 3,
  "controls": [
    {
      "id": "164.312(e)(1)",
      "title": "Encryption and Decryption",
      "description": "Implement technical security measures to encrypt electronic protected health information (ePHI) at rest and in transit.",
      "safeguard_type": "Technical",
      "required": true,
      "compliance_guidance": "REQUIRED: Implement technical security measures to encrypt electronic protected health information (ePHI) at rest and in transit."
    },
    {
      "id": "164.312(e)(2)",
      "title": "Encryption Standards",
      "description": "Implement encryption standards for all ePHI transmission across open networks.",
      "safeguard_type": "Technical",
      "required": true,
      "compliance_guidance": "REQUIRED: Implement encryption standards for all ePHI transmission across open networks."
    },
    {
      "id": "164.312(a)(2)(iv)",
      "title": "Mechanism to Encrypt ePHI",
      "description": "Implement a mechanism to encrypt ePHI whenever deemed appropriate by risk analysis.",
      "safeguard_type": "Technical",
      "required": false,
      "compliance_guidance": "ADDRESSABLE: Implement a mechanism to encrypt ePHI whenever deemed appropriate by risk analysis."
    }
  ]
}

SOC 2 Criteria Map

Map to SOC 2 Type II Trust Service Criteria by criteria ID, category, or keyword.

Input Parameters:

{
  criteria_id?: string                                    // SOC 2 criteria ID (e.g., "CC6.1", "CC7.2", "A1.1")
  category?: "Security" | "Availability" | "Confidentiality" // Trust Service Principle category
  keyword?: string                                        // Keyword to search in criteria titles and descriptions
}

Example Request:

{
  "category": "Security",
  "keyword": "access"
}

Example Output:

{
  "framework": "SOC 2 Type II",
  "total_criteria": 2,
  "criteria": [
    {
      "id": "CC6.1",
      "title": "Logical and Physical Access Controls",
      "description": "The entity restricts logical and physical access to facilities and resources associated with the system based on the principle of least privilege.",
      "category": "Security",
      "audit_guidance": "Document and test controls that demonstrate: the entity restricts logical and physical access to facilities and resources associated with the system based on the principle of least privilege."
    },
    {
      "id": "CC6.2",
      "title": "Prior to Issuing System Credentials",
      "description": "The entity ensures that prior to issuing system credentials, it verifies the identity and authority of the individual requesting credentials.",
      "category": "Security",
      "audit_guidance": "Document and test controls that demonstrate: the entity ensures that prior to issuing system credentials, it verifies the identity and authority of the individual requesting credentials."
    }
  ]
}
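The keyword lookups behind pci_requirement_map, hipaa_control_check and soc2_criteria_map can be illustrated with a small token-overlap matcher. This is an added example, not the package's own code: the scoring rule, the function names and the SAMPLE_REQUIREMENTS data (constructed from the PCI DSS example output above plus one extra requirement) are assumptions.

```typescript
// Added example for this page, not the package's source. The matcher scores each
// requirement by how many distinct terms of the finding appear in its title,
// description or category, and returns matches in descending score order.

export interface Requirement { id: string; title: string; description: string; category: string }
export interface Match extends Requirement { matched_terms: string[]; remediation_guidance: string }
export interface MapResult { framework: string; finding: string; total_matches: number; requirements: Match[] }

// Constructed sample data (assumption): the two requirements from the PCI example above plus one more.
export const SAMPLE_REQUIREMENTS: Requirement[] = [
  { id: "3", title: "Protect Stored Account Data",
    description: "Protection methods such as encryption, truncation, masking, and hashing are critical to protecting account data.",
    category: "data_protection" },
  { id: "4", title: "Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks",
    description: "Sensitive authentication data is encrypted during transmission.",
    category: "encryption" },
  { id: "8", title: "Identify Users and Authenticate Access to System Components",
    description: "Strong authentication and password controls for all users.",
    category: "access_control" },
];

const STOPWORDS = new Set(["the", "and", "with", "for", "are", "all", "such", "during", "over"]);

// Lower-case, split on anything that is not a letter or digit, drop short words and
// stopwords, and de-duplicate so a repeated word does not count twice.
export function tokenize(text: string): string[] {
  const words = text.toLowerCase().split(/[^a-z0-9]+/);
  return Array.from(new Set(words.filter((w) => w.length > 2 && !STOPWORDS.has(w))));
}

// Map a free-text finding to the requirements whose text shares terms with it.
export function mapFinding(finding: string, reqs: Requirement[] = SAMPLE_REQUIREMENTS): MapResult {
  const terms = tokenize(finding);
  const scored = reqs
    .map((r) => {
      const haystack = new Set(tokenize(`${r.title} ${r.description} ${r.category}`));
      return { r, matched: terms.filter((t) => haystack.has(t)) };
    })
    .filter((s) => s.matched.length > 0)
    // Highest overlap first; ties broken by requirement id for a stable order.
    .sort((a, b) => b.matched.length - a.matched.length || a.r.id.localeCompare(b.r.id));

  return {
    framework: "PCI DSS v4.0",
    finding,
    total_matches: scored.length,
    requirements: scored.map(({ r, matched }) => ({
      ...r,
      matched_terms: matched,
      remediation_guidance: `Ensure compliance with PCI DSS requirement ${r.id}: ${r.title}`,
    })),
  };
}
```

For the page's own example finding, "unencrypted cardholder data transmission", requirement 4 scores on three terms and requirement 3 on one, which reproduces the ordering shown in the Example Output.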

Baseline Audit

Generate comprehensive compliance baseline checklists for any compliance framework.

Input Parameters:

{
  framework: "nist" | "cis" | "pci" | "hipaa" | "soc2"  // Compliance framework to audit against
  baseline_level?: string                                 // Baseline level (e.g., "LOW"/"MODERATE"/"HIGH" for NIST; "IG1"/"IG2"/"IG3" for CIS)
  category?: string                                       // Filter by specific category
}

Example Request:

{
  "framework": "cis",
  "baseline_level": "IG2"
}

Example Output:

{
  "framework": "CIS Controls v8",
  "implementation_group": "IG2",
  "total_controls": 12,
  "controls_by_category": {
    "asset_management": [
      {
        "id": "1",
        "title": "Inventory and Control of Enterprise Assets",
        "description": "Actively manage all enterprise assets connected to the infrastructure.",
        "family": "asset_management",
        "priority": "P1",
        "baselines": ["IG1", "IG2", "IG3"]
      },
      {
        "id": "2",
        "title": "Inventory and Control of Software Assets",
        "description": "Actively manage all software on the network.",
        "family": "asset_management",
        "priority": "P1",
        "baselines": ["IG1", "IG2", "IG3"]
      }
    ],
    "data_protection": [
      {
        "id": "3",
        "title": "Data Protection",
        "description": "Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.",
        "family": "data_protection",
        "priority": "P1",
        "baselines": ["IG1", "IG2", "IG3"]
      },
      {
        "id": "11",
        "title": "Data Recovery",
        "description": "Establish and maintain data recovery practices.",
        "family": "data_protection",
        "priority": "P1",
        "baselines": ["IG1", "IG2", "IG3"]
      }
    ]
  },
  "checklist": [
    {
      "control_id": "1",
      "title": "Inventory and Control of Enterprise Assets",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "2",
      "title": "Inventory and Control of Software Assets",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "3",
      "title": "Data Protection",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "4",
      "title": "Secure Configuration of Enterprise Assets and Software",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "5",
      "title": "Account Management",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "6",
      "title": "Access Control Management",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "8",
      "title": "Audit Log Management",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "9",
      "title": "Email and Web Browser Protections",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "10",
      "title": "Malware Defenses",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "11",
      "title": "Data Recovery",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "12",
      "title": "Network Infrastructure Management",
      "status": "NOT_ASSESSED",
      "notes": ""
    },
    {
      "control_id": "13",
      "title": "Network Monitoring and Defense",
      "status": "NOT_ASSESSED",
      "notes": ""
    }
  ]
}

Configuration

This server requires no external API keys or environment variables. All compliance framework data is bundled as JSON files within the server itself. The server operates as pure TypeScript with embedded compliance data.

Installation

Prerequisites

  • Bun runtime (version 1.x or later)
  • Node.js 18+ (alternative runtime)

Steps

  1. Clone or download this repository:

     git clone <repo-url>
     cd compliance-audit

  2. Install dependencies:

     bun install

  3. Build the project:

     bun run build

  4. Run the server:

     bun run start

The server will start listening on stdio transport.

Usage

Running the Server

Start the server with Bun:

bun run src/index.ts

The server implements the Model Context Protocol (MCP) and communicates via stdio transport. It can be integrated with Claude or other MCP clients.

Claude Desktop Configuration

Add the server to your Claude Desktop configuration at ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "compliance-audit": {
      "command": "bun",
      "args": [
        "run",
        "/path/to/compliance-audit/src/index.ts"
      ]
    }
  }
}

Claude Code MCP Settings

Configure the server in Claude Code's MCP settings (typically in .mcp.json or via settings UI):

{
  "servers": {
    "compliance-audit": {
      "transport": "stdio",
      "command": "bun",
      "args": ["run", "/path/to/compliance-audit/src/index.ts"]
    }
  }
}

Example Usage in Claude

Once configured, you can use the tools directly in conversations with Claude:

Request: "Generate a comprehensive NIST HIGH baseline audit checklist for me"

Claude will call:

{
  "tool": "baseline_audit",
  "input": {
    "framework": "nist",
    "baseline_level": "HIGH"
  }
}

Request: "Find all CIS Controls that are required for Implementation Group 1"

Claude will call:

{
  "tool": "cis_benchmark_check",
  "input": {
    "implementation_group": "IG1"
  }
}

Request: "What PCI DSS requirements apply to unencrypted data transmission?"

Claude will call:

{
  "tool": "pci_requirement_map",
  "input": {
    "finding_type": "unencrypted data transmission"
  }
}

Request: "Look up NIST control AC-2 and tell me which baselines it applies to"

Claude will call:

{
  "tool": "nist_control_lookup",
  "input": {
    "control_id": "AC-2"
  }
}

Request: "Show me all technical HIPAA controls related to encryption"

Claude will call:

{
  "tool": "hipaa_control_check",
  "input": {
    "safeguard_type": "Technical",
    "keyword": "encryption"
  }
}

Request: "Map the Security category of SOC 2 Type II Trust Service Criteria"

Claude will call:

{
  "tool": "soc2_criteria_map",
  "input": {
    "category": "Security"
  }
}

Security

This server implements comprehensive input validation to ensure safe operation:

Input Validation

Control ID Validation

  • Accepts alphanumeric control IDs in proper format
  • Case-insensitive matching (e.g., "AC-2", "ac-2", "au-6")
  • Rejects malformed or non-existent control IDs

Framework Parameters

  • Validates against fixed enumeration of supported frameworks (nist, cis, pci, hipaa, soc2)
  • Rejects unknown framework names

Baseline Level Validation

  • For NIST: accepts LOW, MODERATE, HIGH
  • For CIS: accepts IG1, IG2, IG3
  • Case-insensitive matching
  • Rejects invalid baseline specifications

Category and Keyword Validation

  • Accepts alphanumeric characters, underscores, and spaces
  • Maximum keyword length: 255 characters
  • Case-insensitive matching
  • Prevents injection via parameter values

Safeguard Type Validation

  • Limited to three fixed values: Administrative, Physical, Technical
  • Case-sensitive enumeration
  • Rejects alternative spellings or invalid types

Error Handling

  • Invalid control IDs return empty result sets (graceful degradation)
  • Unknown parameters are safely ignored
  • Malformed input returns helpful error messages
  • All errors are caught and reported with context

What Gets Blocked

The server rejects:

  • Invalid framework names (non-enum values)
  • Oversized inputs (strings exceeding reasonable limits)
  • SQL injection attempts in keyword searches
  • Shell injection attempts in any parameters
  • Non-string values where strings are expected

Data Safety

  • No external API calls or network requests
  • All data is read-only (compliance framework data is immutable)
  • No data is logged or transmitted
  • Results are returned as plain JSON with no side effects
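The validation rules listed in this section, written out as an added example in TypeScript. This is not the package's own code: the function names, the error texts and the control ID pattern are assumptions; the enumerations, the 255-character limit, the allowed keyword characters and the case rules follow the bullets above.

```typescript
// Added example (not the package's source): allow-list validation of tool inputs as the
// Security section describes it. Names and error texts are assumptions.

export const FRAMEWORKS = ["nist", "cis", "pci", "hipaa", "soc2"] as const;
export type Framework = (typeof FRAMEWORKS)[number];

// Only NIST and CIS carry baseline levels on this page; the other frameworks accept none.
const BASELINE_LEVELS: Partial<Record<Framework, readonly string[]>> = {
  nist: ["LOW", "MODERATE", "HIGH"],
  cis: ["IG1", "IG2", "IG3"],
};
export const SAFEGUARD_TYPES = ["Administrative", "Physical", "Technical"] as const;

const MAX_KEYWORD_LENGTH = 255;
const KEYWORD_RE = /^[A-Za-z0-9_ ]+$/;            // alphanumerics, underscores, spaces
const CONTROL_ID_RE = /^[A-Za-z0-9.()-]{1,32}$/;  // assumed shape: "AC-2", "1", "164.312(e)(1)", "CC6.1"

export type Result<T> = { ok: true; value: T } | { ok: false; errors: string[] };

// Free-text parameters (keyword, category, finding_type): type, then length, then charset.
// Anything outside the allow-list is rejected outright rather than escaped.
export function validateKeyword(name: string, v: unknown): string[] {
  if (typeof v !== "string") return [`${name} must be a string`];
  if (v.length > MAX_KEYWORD_LENGTH) return [`${name} exceeds ${MAX_KEYWORD_LENGTH} characters`];
  if (!KEYWORD_RE.test(v)) return [`${name} may only contain letters, digits, underscores and spaces`];
  return [];
}

// Control IDs match case-insensitively, so an accepted value is normalised to upper case.
export function validateControlId(v: unknown): Result<string> {
  if (typeof v !== "string" || !CONTROL_ID_RE.test(v)) {
    return { ok: false, errors: ["control_id is malformed"] };
  }
  return { ok: true, value: v.toUpperCase() };
}

// Safeguard type is a case-sensitive enumeration: "technical" is rejected, "Technical" accepted.
export function validateSafeguardType(v: unknown): Result<string> {
  if (typeof v === "string" && (SAFEGUARD_TYPES as readonly string[]).includes(v)) {
    return { ok: true, value: v };
  }
  return { ok: false, errors: [`safeguard_type must be one of ${SAFEGUARD_TYPES.join(", ")}`] };
}

export interface BaselineAuditInput { framework: Framework; baseline_level?: string; category?: string }

// baseline_audit: framework is a fixed enum, baseline_level is checked (case-insensitively)
// against the levels valid for that framework, and category follows the keyword rules.
export function validateBaselineAuditInput(raw: Record<string, unknown>): Result<BaselineAuditInput> {
  const errors: string[] = [];
  const fw = raw.framework;
  const fwOk = typeof fw === "string" && (FRAMEWORKS as readonly string[]).includes(fw);
  if (!fwOk) errors.push(`framework must be one of ${FRAMEWORKS.join(", ")}`);

  let level: string | undefined;
  const rawLevel = raw.baseline_level;
  if (rawLevel !== undefined) {
    const allowed: readonly string[] = fwOk ? (BASELINE_LEVELS[fw as Framework] ?? []) : [];
    level = typeof rawLevel === "string" ? rawLevel.toUpperCase() : undefined;
    if (level === undefined || !allowed.includes(level)) {
      errors.push(`baseline_level "${String(rawLevel)}" is not valid for framework "${String(fw)}"`);
    }
  }
  if (raw.category !== undefined) errors.push(...validateKeyword("category", raw.category));

  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { framework: fw as Framework, baseline_level: level, category: raw.category as string | undefined } };
}
```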

License

ISC License - see LICENSE file for details