io.github.KevinRabun/FedRAMP20xMCP
An MCP server that provides access to FedRAMP 20x security requirements and controls.
Versions
1.3.0 latest 1.2.0 1.1.0 1.0.0 0.13.0 + show 25 more show less
0.12.1 0.12.0 0.11.0 0.10.0 0.9.0 0.8.0 0.7.0 0.6.0 0.5.0 0.4.9 0.4.8 0.4.7 0.4.6 0.4.5 0.4.4 0.4.3 0.4.2 0.4.1 0.4.0 0.3.3 0.3.2 0.3.0 0.2.1 0.2.0 0.1.0 Tools 48
get_frr_evidence_automation Get evidence automation recommendations for a specific FRR. Provides detailed guidance on automating evidence collection including: - Azure services needed - Collection methods and queries (KQL, REST API) - Storage requirements - Evidence artifacts to collect Args: frr_id: FRR identifier (e.g., "FRR-VDR-01") Returns: Evidence automation recommendations
get_frr_implementation_status Get implementation status summary across all FRR analyzers. Shows statistics by family with implementation rates. Returns: Status summary with family breakdown
search_documentation Search FedRAMP official documentation by keywords.
get_documentation_file Get the full content of a specific FedRAMP documentation file.
list_documentation_files List all available FedRAMP documentation files.
export_to_excel Export FedRAMP 20x data to Excel format.
export_to_csv Export FedRAMP 20x data to CSV format.
generate_ksi_specification Generate a detailed product specification document for a KSI.
compare_with_rev4 Compare FedRAMP 20x requirements to Rev 4/Rev 5 to understand changes.
get_implementation_examples Get practical implementation examples for a requirement.
check_requirement_dependencies Show which requirements are related or dependent on a specific requirement.
estimate_implementation_effort Provide rough effort estimates for implementing a specific requirement.
get_cloud_native_guidance Get cloud-native specific guidance for implementing FedRAMP 20x.
validate_architecture Validate a cloud architecture against FedRAMP 20x requirements.
get_control Get detailed information about a specific FedRAMP 20x requirement.
list_family_controls List all requirements within a specific document family.
search_requirements Search for FedRAMP 20x requirements containing specific keywords.
get_definition Get the FedRAMP definition for a specific term.
list_definitions List all FedRAMP definitions with their terms.
search_definitions Search FedRAMP definitions by keywords.
get_ksi Get detailed information about a specific Key Security Indicator.
list_ksi List all Key Security Indicators with their implementation status. Returns a comprehensive list showing: - Implementation status (Implemented/Not Implemented/Retired) - Code detectability (Code-Detectable vs Process-Based) - Organized by family - Summary statistics
get_ksi_implementation_summary Get a summary of KSI implementation status across all families. Returns statistics showing: - Overall implementation coverage - Breakdown by family - Code-detectable vs process-based KSIs - Retired KSIs
get_ksi_evidence_automation Get evidence automation recommendations for a specific KSI. Provides detailed guidance on automating evidence collection including: - Azure services needed - Collection methods and schedules - Storage requirements and retention - FRR-ADS API integration - Code examples and infrastructure templates - Implementation effort and prerequisites Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Comprehensive evidence automation recommendations
get_ksi_evidence_queries Get evidence collection queries for a specific KSI. Returns ready-to-use queries for collecting evidence from Azure: - KQL queries for Log Analytics - Azure Resource Graph queries - REST API calls for Microsoft Graph Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Collection queries with descriptions and usage guidance
get_ksi_evidence_artifacts Get list of evidence artifacts to collect for a specific KSI. Returns detailed information about what artifacts to collect: - Artifact names and types (logs, configs, reports) - Collection methods and frequency - File formats and retention requirements Args: ksi_id: The KSI identifier (e.g., "KSI-IAM-01", "KSI-CNA-01") Returns: Evidence artifacts list with collection details
analyze_frr_code Analyze code against a specific FedRAMP requirement (FRR). Detects compliance issues in application code, infrastructure as code, or CI/CD pipelines for the specified FRR. Args: frr_id: FRR identifier (e.g., "FRR-VDR-01", "FRR-RSC-01") code: Code to analyze language: Language/platform (python, csharp, java, typescript, bicep, terraform, github-actions, azure-pipelines, gitlab-ci) file_path: Optional file path for context Returns: Analysis results with findings and recommendations
analyze_all_frrs Analyze code against all FedRAMP requirements. Performs comprehensive analysis across all 199 FRR requirements. Args: code: Code to analyze language: Language/platform file_path: Optional file path for context Returns: Complete analysis results grouped by family
analyze_frr_family Analyze code against all requirements in a specific FRR family. Args: family: Family code (VDR, RSC, UCM, SCN, ADS, CCM, MAS, ICP, FSI, PVA, KSI) code: Code to analyze language: Language/platform file_path: Optional file path for context Returns: Analysis results for the specified family
list_frrs_by_family List all FRR requirements in a specific family. Shows implementation status and code detectability for each FRR. Args: family: Family code (VDR, RSC, UCM, SCN, ADS, CCM, MAS, ICP, FSI, PVA, KSI) Returns: List of FRRs with status indicators
get_frr_metadata Get detailed metadata for a specific FRR. Returns NIST controls, related KSIs, impact levels, and detection strategy. Args: frr_id: FRR identifier (e.g., "FRR-VDR-01") Returns: Detailed FRR metadata
generate_implementation_questions Generate strategic questions for PMs and engineers about implementing a requirement.
get_ksi_implementation_matrix Get implementation matrix showing all KSIs in a family with Azure services, effort, and priority.
generate_implementation_checklist Generate actionable step-by-step implementation checklist for a specific KSI.
get_infrastructure_code_for_ksi Generate infrastructure code templates for automating KSI evidence collection.
get_evidence_collection_code Provide code examples for collecting KSI evidence programmatically.
get_evidence_automation_architecture Provide comprehensive architecture guidance for automated evidence collection.
analyze_infrastructure_code Analyze Infrastructure as Code (Bicep/Terraform) for FedRAMP 20x compliance issues. Args: code: The IaC code content to analyze file_type: Type of IaC file ("bicep" or "terraform") file_path: Optional path to the file being analyzed context: Optional context about the changes (e.g., PR description) application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default). Example: Use "cli-tool" for a local CLI tool that reads YAML files to suppress irrelevant MFA, RBAC, HSTS, and database findings.
validate_fedramp_config Validate Infrastructure as Code against FedRAMP 20x MANDATORY requirements BEFORE generating/deploying. 🚨 USE THIS TOOL BEFORE FINALIZING ANY TEMPLATE/CODE 🚨 This tool checks for CRITICAL violations that will cause compliance failures: - Log Analytics retention < 730 days (CRITICAL) - Platform-managed keys instead of Customer-Managed Keys (CRITICAL) - Key Vault Standard SKU instead of Premium (CRITICAL) - Public access enabled instead of disabled (CRITICAL) - Missing diagnostic settings (HIGH) Returns: - passed: bool - Whether ALL validations passed - violations: list - CRITICAL issues that MUST be fixed - warnings: list - Non-critical issues that SHOULD be fixed - compliant_values: list - Requirements that passed validation Example usage: 1. Generate Bicep/Terraform code 2. Call validate_fedramp_config with the code 3. If violations exist, FIX THEM before deploying 4. If passed=true, code meets FedRAMP 20x requirements
analyze_application_code Analyze application code for FedRAMP 20x security compliance issues. Args: code: The application code content to analyze language: Programming language ("python", "csharp", "java", "typescript", "javascript") file_path: Optional path to the file being analyzed dependencies: Optional list of dependencies/imports to check application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default). Example: Use "cli-tool" for a local CLI tool that reads YAML files to suppress irrelevant MFA, RBAC, HSTS, and database findings.
analyze_cicd_pipeline Analyze CI/CD pipeline configuration for FedRAMP 20x DevSecOps compliance. Args: code: The pipeline configuration content (YAML/JSON) pipeline_type: Type of pipeline ("github-actions", "azure-pipelines", "gitlab-ci", or "generic") file_path: Optional path to the pipeline file application_profile: Optional application profile to reduce false positives. Supported profiles: "cli-tool", "mcp-server", "web-app", "api-service", "iac-only", "library", "batch-job", "full" (default).
get_ksi_coverage_summary Get a summary of KSI analyzer coverage and recommendation quality assessment. Shows which KSIs have analyzer coverage, what limitations exist, and important disclaimers about recommendation validation. Use this to understand the scope and limitations of automated compliance checking.
get_ksi_coverage_status Check if a specific KSI has analyzer coverage and what the limitations are. Args: ksi_id: The KSI identifier (e.g., "KSI-MLA-05") Returns detailed coverage information including which analyzers support this KSI, whether it's process-based or technical, and important limitations of the coverage.
check_package_vulnerabilities Check a package for known CVE vulnerabilities against authoritative databases. Queries GitHub Advisory Database (and optionally NVD) for security vulnerabilities in the specified package. Returns detailed CVE information, affected versions, patched versions, severity ratings, and FedRAMP compliance recommendations. Args: package_name: Package name (e.g., "Newtonsoft.Json", "lodash", "requests", "log4j") ecosystem: Package ecosystem - "nuget" (.NET), "npm" (JavaScript/TypeScript), "pypi" (Python), "maven" (Java) version: Specific version to check (optional, checks all versions if omitted) github_token: GitHub Personal Access Token for higher API rate limits (optional) Returns: JSON with vulnerability details including CVE IDs, severity, CVSS scores, affected/patched versions, descriptions, and FedRAMP compliance status. Example: check_package_vulnerabilities("Newtonsoft.Json", "nuget", "12.0.1") check_package_vulnerabilities("lodash", "npm") Maps to FedRAMP 20x requirements: - KSI-SVC-08: Secure Dependencies - vulnerability management - KSI-TPR-03: Supply Chain Security - third-party risk assessment
scan_dependency_file Scan an entire dependency file for vulnerable packages. Analyzes dependency manifests and checks all packages against CVE databases. Provides comprehensive vulnerability report with prioritized remediation guidance. Args: file_content: Full content of the dependency file file_type: Type of file - "csproj", "packages.config", "package.json", "requirements.txt", "pom.xml" github_token: GitHub Personal Access Token for higher API rate limits (optional) Returns: JSON with scan results including total vulnerabilities, severity breakdown, vulnerable packages list, and prioritized remediation recommendations. Supported file formats: - NuGet: *.csproj (PackageReference), packages.config, Directory.Packages.props - npm: package.json, package-lock.json - Python: requirements.txt, Pipfile, pyproject.toml - Maven: pom.xml Example: scan_dependency_file(csproj_content, "csproj") scan_dependency_file(requirements_txt, "requirements.txt") Maps to FedRAMP 20x requirements: - KSI-SVC-08: Secure Dependencies - KSI-TPR-03: Supply Chain Security - KSI-CMT-01: Continuous Monitoring (automated vulnerability scanning)
get_ksi_implementation_status Get comprehensive implementation status of all KSI analyzers. Dynamically queries each KSI analyzer to report: - Total KSIs, active vs retired - Implementation status (IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED) - Code detectability (CODE_DETECTABLE vs PROCESS_BASED) - Status organized by family - Implementation percentages Returns: JSON with complete KSI status including: - Overall statistics (total, active, implemented, code_detectable) - Family-level breakdown - Individual KSI details with metadata - Implementation and code detectability percentages This tool eliminates the need to maintain separate tracking documents by querying each KSI analyzer's CODE_DETECTABLE and IMPLEMENTATION_STATUS properties. Example output: { "total_ksis": 72, "active_ksis": 65, "retired_ksis": 7, "implemented_ksis": 38, "code_detectable_ksis": 38, "process_based_ksis": 27, "implementation_percentage": 58.5, "families": {...} }
get_ksi_family_status Get implementation status for a specific KSI family. Args: family: Family code (e.g., "IAM", "SVC", "CNA", "AFR", "MLA") Returns: JSON with family-specific status: - Total KSIs in family - Active vs retired count - Implementation status - Code detectability breakdown - List of all KSIs with their properties Supported families: - IAM: Identity and Access Management - SVC: Service Configuration - MLA: Monitoring, Logging, and Alerting - CNA: Cloud and Network Architecture - AFR: Authorization by FedRAMP - TPR: Third-Party Risk - CMT: Change Management and Testing - RPL: Resiliency and Performance Limits - INR: Incident Response - PIY: Privacy - CED: Cybersecurity Education Example: get_ksi_family_status("IAM")
add_requirement_comments Add FedRAMP requirement comments to code or IaC templates. Enriches generated code with detailed KSI and FRR requirement information in comments, ensuring traceability to specific compliance requirements. Args: code: The code or template to enrich ksi_ids: Comma-separated KSI IDs (e.g., "KSI-IAM-01,KSI-MLA-01") frr_ids: Comma-separated FRR IDs (e.g., "FRR-VDR-01,FRR-ADS-01") language: Programming language for comment syntax Options: bicep, terraform, python, csharp, java, typescript, powershell Returns: Enriched code with requirement header comments and inline annotations Example: ```bicep // Original code: resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = { name: 'mykeyvault' } // After enrichment with add_requirement_comments(code, "KSI-SVC-06", "FRR-RSC-01", "bicep"): // ========================================== // FedRAMP 20x Compliance Requirements // ========================================== // // Key Security Indicators (KSI): // // KSI-SVC-06: Secret Management // Automate management, protection, and regular rotation of // digital keys, certificates, and other secrets. // // FedRAMP Requirements (FRR): // // FRR-RSC-01: Recommended Secure Configuration // Apply security baselines and hardening standards. // ========================================== resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = { name: 'mykeyvault' tags: { Compliance: 'FedRAMP 20x' Requirements: 'KSI-SVC-06, FRR-RSC-01' } } ``` Use this tool when: - Generating Bicep/Terraform infrastructure code - Writing C#/Python/Java application code for FedRAMP compliance - Need to document which requirements a code block addresses - Creating templates or examples for teams
Permissions 4
network medium filesystem low shell high env_vars low