fisma-compliance-mcp
v0.1.0
Published
fisma-compliance-mcp
MCP server for Federal Information Security Management Act (FISMA) compliance — browse NIST SP 800-53 control families, categorize systems per FIPS 199, navigate the Risk Management Framework (RMF), assess ATO readiness, generate POA&Ms, and run gap analysis for federal agencies and contractors.
Built for federal CISOs, ISSOs, ISSMs, auditors, and government contractors operating federal information systems.
Tools
| Tool | Description |
|------|-------------|
| browse_controls | Browse NIST SP 800-53 control families with baseline counts and key control details |
| categorize_system | Categorize a system per FIPS 199 with information type impact analysis |
| rmf_guide | Get detailed guidance for any RMF step (categorize, select, implement, assess, authorize, monitor) |
| assess_readiness | Assess FISMA compliance readiness with ATO status, SSP, and POA&M checks |
| generate_poam | Generate POA&M templates for assessment findings with remediation timelines |
| gap_analysis | Compare implemented controls against baseline with IG audit risk assessment |
Coverage
- 20 NIST SP 800-53 Control Families: AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR
- All 3 Impact Levels: Low, Moderate, High baselines with control counts
- Full RMF Lifecycle: All 6 steps with inputs, outputs, activities, and pitfalls
- FIPS 199 Categorization: Automated high-water mark calculation
- POA&M Management: remediation timelines aligned with CISA BOD 22-01 (Known Exploited Vulnerabilities directive)
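The high-water mark rule behind the FIPS 199 categorization above is simple but easy to get subtly wrong (N/A is only legal for confidentiality, and only at the information-type level; the system never drops below Low). The following is an added illustration of that rule, not code from fisma-compliance-mcp; the input shape copies the `categorize_system` call shown in the Examples, while the field names, the `drivers` output and the sample information types are assumptions constructed here.

```javascript
// Added example (not from fisma-compliance-mcp): FIPS 199 security
// categorization with the high-water mark rule. The input shape mirrors the
// categorize_system call in this README; the output fields are assumptions.

// FIPS 199 potential impact levels, ranked. "n/a" is permitted only for the
// confidentiality objective of an information type (e.g. public data), never
// for integrity/availability and never at the system level.
const IMPACT_RANK = { "n/a": 0, low: 1, moderate: 2, high: 3 };
const OBJECTIVES = ["confidentiality", "integrity", "availability"];

// Accept "Low", "MODERATE", "N/A", "not applicable", etc.; reject anything else.
function normalizeImpact(value, infoTypeName, objective) {
  const v = String(value ?? "").trim().toLowerCase();
  const level = v === "na" || v === "not applicable" ? "n/a" : v;
  if (!(level in IMPACT_RANK)) {
    throw new Error(`invalid ${objective} impact "${value}" for "${infoTypeName}"`);
  }
  if (level === "n/a" && objective !== "confidentiality") {
    throw new Error(`"n/a" is only valid for confidentiality ("${infoTypeName}")`);
  }
  return level;
}

// Categorize a system: per objective, take the highest impact across all
// information types (minimum "low" at the system level); the overall
// category is the highest of the three objectives, i.e. the high-water mark
// that selects the SP 800-53 low/moderate/high baseline.
function categorizeSystem(systemName, informationTypes) {
  if (!Array.isArray(informationTypes) || informationTypes.length === 0) {
    throw new Error("at least one information type is required");
  }
  const perObjective = { confidentiality: "low", integrity: "low", availability: "low" };
  // Which information types set each objective's level (useful for the SSP narrative).
  const drivers = { confidentiality: [], integrity: [], availability: [] };

  for (const it of informationTypes) {
    for (const obj of OBJECTIVES) {
      const level = normalizeImpact(it[obj], it.name, obj);
      if (level === "n/a") continue; // contributes nothing to the system level
      if (IMPACT_RANK[level] > IMPACT_RANK[perObjective[obj]]) {
        perObjective[obj] = level;
        drivers[obj] = [it.name];
      } else if (level === perObjective[obj]) {
        drivers[obj].push(it.name);
      }
    }
  }

  const overall = OBJECTIVES.map((o) => perObjective[o])
    .reduce((a, b) => (IMPACT_RANK[a] >= IMPACT_RANK[b] ? a : b));
  // FIPS 199 notation: SC system = {(confidentiality, X), (integrity, Y), (availability, Z)}
  const sc = `SC ${systemName} = {` +
    OBJECTIVES.map((o) => `(${o}, ${perObjective[o].toUpperCase()})`).join(", ") + "}";

  return { systemName, ...perObjective, overall, baseline: overall, sc, drivers };
}

// Constructed sample input: the README's PII type plus a public information
// type that raises availability, to show the per-objective maximum in action.
const SAMPLE_TYPES = [
  { name: "PII", confidentiality: "high", integrity: "moderate", availability: "low" },
  { name: "Press releases", confidentiality: "n/a", integrity: "moderate", availability: "moderate" },
];

function demo() {
  return categorizeSystem("HR Portal", SAMPLE_TYPES);
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that adding the public "Press releases" type does not lower confidentiality (N/A is ignored) but does raise availability to Moderate; the overall category, and therefore the baseline, is still driven by PII's High confidentiality.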
Install
```
npx fisma-compliance-mcp
```
Claude Desktop
```json
{
  "mcpServers": {
    "fisma-compliance": {
      "command": "npx",
      "args": ["-y", "fisma-compliance-mcp"]
    }
  }
}
```
Examples
Browse Access Control family:
```javascript
browse_controls({ family: "AC", impactLevel: "moderate" })
```
Categorize a system:
```javascript
categorize_system({ systemName: "HR Portal", informationTypes: [{ name: "PII", confidentiality: "high", integrity: "moderate", availability: "low" }] })
```
Get RMF authorization guidance:
```javascript
rmf_guide({ step: "authorize" })
```
Assess readiness:
```javascript
assess_readiness({ implementedFamilies: ["AC", "AU", "IA", "SC"], systemImpactLevel: "moderate", hasATO: true, hasSSP: true, hasPOAM: true })
```
Generate POA&M:
```javascript
generate_poam({ findings: [{ controlId: "AC-2", weakness: "Quarterly access reviews not conducted", severity: "high" }], systemName: "Finance System" })
```
License
MIT
