fedramp-compliance-mcp 0.1.0

package/README.md

@@ -0,0 +1,65 @@
+# fedramp-compliance-mcp
+
+MCP server for **FedRAMP (Federal Risk and Authorization Management Program)** compliance — browse security controls by baseline, assess authorization readiness, generate SSP sections, evidence checklists, gap analysis, and continuous monitoring deliverable templates for cloud service providers.
+
+Built for CSPs seeking FedRAMP authorization, 3PAO assessors, and federal agency security teams.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `browse_controls` | Browse FedRAMP controls by baseline (Low/Moderate/High), family, priority, or search |
+| `assess_readiness` | Score authorization readiness with baseline-specific and path-specific (JAB/Agency/Li-SaaS) assessment |
+| `generate_ssp` | Generate SSP sections per FedRAMP template format for any control or family |
+| `evidence_checklist` | Generate 3PAO assessment evidence collection checklists |
+| `gap_analysis` | Compare implemented controls vs. baseline requirements, generate POA&M |
+| `conmon_deliverables` | Generate monthly, quarterly, and annual ConMon deliverable templates |
+
+## Control Families Covered
+
+AC (Access Control), AU (Audit & Accountability), CA (Security Assessment & Authorization), CM (Configuration Management), CP (Contingency Planning), IA (Identification & Authentication), IR (Incident Response), PL (Planning), RA (Risk Assessment), SC (System & Communications Protection), SI (System & Information Integrity)
+
+## Install
+
+```bash
+npx fedramp-compliance-mcp
+```
+
+### Claude Desktop
+
+```json
+{
+  "mcpServers": {
+    "fedramp-compliance": {
+      "command": "npx",
+      "args": ["-y", "fedramp-compliance-mcp"]
+    }
+  }
+}
+```
+
+## Examples
+
+Browse all P1 controls for Moderate baseline:
+```
+browse_controls({ baseline: "moderate", priority: "P1" })
+```
+
+Assess readiness for JAB P-ATO:
+```
+assess_readiness({ implementedControls: ["AC-1", "AC-2", "AC-3", "AU-2", "SC-13"], targetBaseline: "moderate", authorizationPath: "jab" })
+```
+
+Generate SSP for Incident Response controls:
+```
+generate_ssp({ family: "IR", cspName: "Acme Cloud", systemName: "AcmeCloud Platform" })
+```
+
+Generate monthly ConMon deliverables:
+```
+conmon_deliverables({ period: "monthly", month: "May 2026", cspName: "Acme Cloud", systemName: "AcmeCloud Platform" })
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,866 @@
+#!/usr/bin/env node
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+const FAMILY_NAMES = {
+    AC: "Access Control",
+    AU: "Audit & Accountability",
+    AT: "Awareness & Training",
+    CA: "Security Assessment & Authorization",
+    CM: "Configuration Management",
+    CP: "Contingency Planning",
+    IA: "Identification & Authentication",
+    IR: "Incident Response",
+    MA: "Maintenance",
+    MP: "Media Protection",
+    PE: "Physical & Environmental Protection",
+    PL: "Planning",
+    PM: "Program Management",
+    PS: "Personnel Security",
+    RA: "Risk Assessment",
+    SA: "System & Services Acquisition",
+    SC: "System & Communications Protection",
+    SI: "System & Information Integrity",
+};
+// ── FedRAMP Controls Database ─────────────────────────────────────────
+const FEDRAMP_CONTROLS = [
+    // ── ACCESS CONTROL ──────────────────────────────────────────────────
+    {
+        id: "AC-1",
+        family: "AC",
+        title: "Access Control Policy and Procedures",
+        description: "Develop, document, and disseminate an access control policy and procedures addressing purpose, scope, roles, responsibilities, management commitment, coordination, and compliance.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Develop access control policy addressing all NIST 800-53 AC family controls. Define roles and responsibilities. Establish review cycle. Disseminate to all personnel. Maintain revision history. Policy must address FedRAMP-specific requirements for cloud environments.",
+        evidence: ["Access control policy document", "Policy dissemination records", "Policy review/approval records", "Revision history", "Role and responsibility documentation"],
+        fedrampRequirements: ["Policy reviewed and updated at least every 3 years", "Procedures reviewed and updated at least annually", "Must address FedRAMP-specific cloud access requirements"],
+        commonFindings: ["Policy not updated within required frequency", "Policy doesn't address cloud-specific access controls", "No evidence of dissemination", "Roles and responsibilities not clearly defined", "Missing FedRAMP-specific requirements"],
+        policyTemplate: "[CSP] maintains an access control policy governing all aspects of logical and physical access to the [System Name] cloud service offering. The policy defines roles, responsibilities, and procedures for access management including provisioning, modification, review, and revocation. The policy is reviewed at least every 3 years and procedures annually. All personnel receive the policy during onboarding and when updates are made.",
+        relatedControls: ["AC-2", "AC-3", "AC-6"],
+    },
+    {
+        id: "AC-2",
+        family: "AC",
+        title: "Account Management",
+        description: "Identify and select authorized users, define access authorizations, require approvals, create/enable/modify/disable/remove accounts, and review accounts per a defined frequency.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Define account types (individual, shared, group, system, guest, temporary). Assign account managers. Establish conditions for group/role membership. Specify authorized users and access authorizations. Require manager approval for account creation. Notify account managers of account changes. Grant access based on valid authorization and intended use. Review accounts per FedRAMP frequency (monthly for privileged, quarterly for non-privileged). Disable inactive accounts after 90 days.",
+        evidence: ["Account management procedures", "Account inventory by type", "Account approval records", "Account review logs with dates", "Inactive account reports", "Account manager assignments", "Automated account management tool evidence"],
+        fedrampRequirements: ["Monthly review of privileged accounts", "Quarterly review of non-privileged accounts", "Disable inactive accounts after 90 days", "Remove temporary/emergency accounts within 24 hours", "Automated mechanisms for account management where feasible", "Annual review of account management policy"],
+        commonFindings: ["Account reviews not performed at FedRAMP frequency", "Inactive accounts not disabled within 90 days", "No automated account management", "Temporary accounts not removed within 24 hours", "Missing approval documentation for account creation", "Shared accounts without proper controls"],
+        policyTemplate: "[CSP] manages all accounts for [System Name] through formal procedures. Account creation requires documented approval from [role]. Privileged accounts are reviewed monthly; non-privileged quarterly. Accounts inactive for 90 days are automatically disabled. Temporary/emergency accounts are removed within 24 hours of purpose completion. Account management is automated through [tool]. Account managers are notified of all account lifecycle events.",
+        relatedControls: ["AC-1", "AC-3", "AC-6", "IA-4"],
+    },
+    {
+        id: "AC-3",
+        family: "AC",
+        title: "Access Enforcement",
+        description: "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Implement role-based access control (RBAC) or attribute-based access control (ABAC). Enforce access policies at application, database, network, and OS layers. Deny by default. Log access enforcement decisions. Implement multi-tenancy isolation for cloud environments.",
+        evidence: ["Access control mechanism configurations", "RBAC/ABAC policy definitions", "Multi-tenancy isolation evidence", "Access denial logs", "Testing results showing enforcement"],
+        fedrampRequirements: ["Multi-tenant isolation required for shared infrastructure", "Access enforcement at all system layers", "Deny-by-default access model"],
+        commonFindings: ["Inconsistent enforcement across system layers", "No multi-tenancy isolation", "Overly permissive access rules", "Access enforcement not logged", "Default-allow instead of default-deny"],
+        policyTemplate: "[CSP] enforces approved authorizations at all layers of [System Name] including network, OS, database, and application. Role-based access control governs user permissions aligned with least privilege. Multi-tenant isolation ensures customer data separation through [mechanism]. Default access posture is deny-all with explicit allow rules for authorized functions. Access enforcement decisions are logged and monitored.",
+        relatedControls: ["AC-2", "AC-6", "SC-4"],
+    },
+    {
+        id: "AC-6",
+        family: "AC",
+        title: "Least Privilege",
+        description: "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Grant minimum access necessary. Separate privileged and non-privileged accounts. Restrict privileged accounts to specific security functions. Audit privileged actions. Prohibit privileged access for non-security functions. Authorized users must use non-privileged accounts for standard work.",
+        evidence: ["Least privilege policy", "Privilege assignment justifications", "Privileged vs non-privileged account separation", "Privileged action audit logs", "Access review showing least privilege enforcement"],
+        fedrampRequirements: ["Separate accounts for privileged and non-privileged functions", "Privileged actions must be audited", "Annual review of privilege assignments", "Justification documented for all privileged access"],
+        commonFindings: ["No separation of privileged and non-privileged accounts", "Excessive privileges granted", "Privileged access not justified", "Privilege usage not audited", "Admin accounts used for routine work"],
+        policyTemplate: "[CSP] enforces least privilege across [System Name]. All users operate with non-privileged accounts for standard work. Privileged accounts are limited to security functions and require documented justification approved by [role]. Privileged actions are logged and audited [frequency]. Privilege assignments are reviewed annually to confirm continued necessity. Service accounts are granted minimum required permissions.",
+        relatedControls: ["AC-2", "AC-3", "AC-5"],
+    },
+    // ── AUDIT & ACCOUNTABILITY ──────────────────────────────────────────
+    {
+        id: "AU-1",
+        family: "AU",
+        title: "Audit and Accountability Policy and Procedures",
+        description: "Develop, document, and disseminate audit and accountability policies and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document audit policy covering what events to log, how long to retain, who reviews, and how to protect audit data. Address FedRAMP-specific retention (minimum 1 year online, 3 years total). Define roles for audit management. Disseminate to all personnel.",
+        evidence: ["Audit policy document", "Policy dissemination records", "Policy review schedule", "Retention period documentation"],
+        fedrampRequirements: ["Policy reviewed every 3 years", "Procedures reviewed annually", "Must address FedRAMP audit retention requirements"],
+        commonFindings: ["Policy not addressing FedRAMP retention requirements", "No defined audit review process", "Policy not disseminated", "Missing cloud-specific audit procedures"],
+        policyTemplate: "[CSP] maintains audit and accountability policies for [System Name] defining auditable events, retention periods, review processes, and protection of audit data. Audit records are retained for minimum 1 year online and 3 years total per FedRAMP requirements. The policy is reviewed every 3 years with procedures updated annually.",
+        relatedControls: ["AU-2", "AU-3", "AU-6"],
+    },
+    {
+        id: "AU-2",
+        family: "AU",
+        title: "Audit Events",
+        description: "Identify events that the system is capable of auditing and define the subset of auditable events deemed to be adequate to support after-the-fact investigations of security incidents.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Define auditable events including: successful/failed logins, privilege escalation, access to sensitive data, administrative actions, policy changes, system events, API calls in cloud environment. Coordinate audit event selection across system components. Review and update event list annually.",
+        evidence: ["Audit event list", "Event selection rationale", "Audit configuration per component", "Annual review records", "FedRAMP-required event coverage evidence"],
+        fedrampRequirements: ["Must audit all FedRAMP-required event types", "Annual review and update of auditable events", "Must cover all system components including cloud infrastructure", "API access logging for cloud environments"],
+        commonFindings: ["Not all FedRAMP-required events audited", "API calls not logged", "Cloud management plane activities not audited", "Event list not reviewed annually", "Missing components from audit scope"],
+        policyTemplate: "[CSP] audits the following events on [System Name]: successful/failed authentication, privileged actions, object access, policy modifications, system errors, API calls, administrative changes, and all FedRAMP-required event types. The auditable event list is reviewed and updated annually by [role]. All system components including cloud infrastructure management plane are in scope.",
+        relatedControls: ["AU-1", "AU-3", "AU-6", "AU-12"],
+    },
+    {
+        id: "AU-6",
+        family: "AU",
+        title: "Audit Review, Analysis, and Reporting",
+        description: "Review and analyze system audit records for indications of inappropriate or unusual activity and report findings to designated organizational officials.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Review audit logs at least weekly (FedRAMP Moderate/High). Use SIEM for automated analysis and correlation. Define indicators of compromise (IOCs) and anomaly detection rules. Report findings to ISSO/ISSM. Integrate with incident response. Provide audit reports to agency customers per FedRAMP requirements.",
+        evidence: ["Audit review schedule and records", "SIEM configuration and alert rules", "Audit finding reports", "Escalation records", "Agency audit report templates"],
+        fedrampRequirements: ["Weekly audit log review minimum for Moderate/High", "Automated audit analysis mechanisms", "Report suspicious activity to agency customers", "Integration with FedRAMP continuous monitoring"],
+        commonFindings: ["Audit reviews not performed at required frequency", "No automated analysis (manual review only)", "Findings not reported or escalated", "No correlation across system components", "Missing agency notification procedures"],
+        policyTemplate: "[CSP] reviews [System Name] audit records [weekly/daily] using [SIEM tool] for automated analysis and [role] for manual review. Anomaly detection rules cover [IOC categories]. Findings are reported to the ISSO within [N] hours and to agency customers per their authorization agreements. Audit review results are documented and retained. Suspicious activity triggers the incident response process.",
+        relatedControls: ["AU-2", "AU-3", "IR-5", "SI-4"],
+    },
+    // ── SECURITY ASSESSMENT & AUTHORIZATION ─────────────────────────────
+    {
+        id: "CA-1",
+        family: "CA",
+        title: "Security Assessment and Authorization Policy",
+        description: "Develop, document, and disseminate security assessment and authorization policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document policy covering assessment methodology, authorization process, continuous monitoring, and POA&M management. Address FedRAMP assessment requirements including 3PAO engagement, JAB/agency authorization paths, and annual assessment requirements.",
+        evidence: ["Assessment and authorization policy", "Policy dissemination records", "3PAO engagement criteria", "Authorization process documentation"],
+        fedrampRequirements: ["Must address FedRAMP assessment methodology", "Annual assessment by 3PAO required", "Policy reviewed every 3 years, procedures annually"],
+        commonFindings: ["Policy doesn't address FedRAMP-specific requirements", "No 3PAO engagement criteria", "Missing continuous monitoring procedures", "Authorization process not documented"],
+        policyTemplate: "[CSP] maintains security assessment and authorization policies for [System Name] covering FedRAMP assessment requirements, 3PAO engagement, authorization paths (JAB/agency), continuous monitoring, and POA&M management. Assessments are conducted annually by an accredited 3PAO. The authorization package is maintained current per FedRAMP continuous monitoring requirements.",
+        relatedControls: ["CA-2", "CA-5", "CA-6"],
+    },
+    {
+        id: "CA-2",
+        family: "CA",
+        title: "Security Assessments",
+        description: "Assess the security controls in the system at defined frequency to determine control effectiveness.",
+        baseline: "low",
+        priority: "P2",
+        implementation: "Annual assessment by accredited 3PAO. Develop Security Assessment Plan (SAP). Conduct assessment per FedRAMP methodology. Document results in Security Assessment Report (SAR). Identify and track findings. Provide results to authorizing official. Continuous monitoring between annual assessments.",
+        evidence: ["Security Assessment Plan (SAP)", "Security Assessment Report (SAR)", "3PAO accreditation evidence", "Assessment finding tracking", "Continuous monitoring evidence"],
+        fedrampRequirements: ["Annual assessment by A2LA-accredited 3PAO", "Assessment follows FedRAMP test methodology", "SAP/SAR submitted to FedRAMP PMO", "Continuous monitoring between annual assessments"],
+        commonFindings: ["3PAO not accredited by A2LA", "Assessment methodology doesn't follow FedRAMP requirements", "SAR not submitted timely", "Findings not tracked via POA&M", "Continuous monitoring gaps between annual assessments"],
+        policyTemplate: "[CSP] conducts annual security assessments of [System Name] using an A2LA-accredited 3PAO. The assessment follows FedRAMP test methodology covering all implemented controls. The SAP is approved by [AO] before assessment begins. SAR findings are documented in the POA&M with remediation milestones. Between annual assessments, continuous monitoring activities include [monthly vulnerability scans, quarterly control testing, annual penetration testing].",
+        relatedControls: ["CA-1", "CA-5", "CA-7", "RA-5"],
+    },
+    {
+        id: "CA-5",
+        family: "CA",
+        title: "Plan of Action and Milestones",
+        description: "Develop and update a plan of action and milestones (POA&M) documenting planned remedial actions to correct weaknesses or deficiencies.",
+        baseline: "low",
+        priority: "P3",
+        implementation: "Maintain POA&M for all known vulnerabilities and assessment findings. Include: weakness description, point of contact, resources required, scheduled completion, milestones, status. Update monthly. Submit to FedRAMP PMO. Track high-risk items separately. Escalate overdue items.",
+        evidence: ["Current POA&M document", "Monthly POA&M update records", "FedRAMP PMO submission evidence", "Overdue item escalation records", "Closed POA&M items with evidence"],
+        fedrampRequirements: ["POA&M updated and submitted monthly to FedRAMP PMO", "Must follow FedRAMP POA&M template format", "High-risk items require remediation within 30 days", "Moderate-risk items within 90 days", "Low-risk items within 180 days"],
+        commonFindings: ["POA&M not updated monthly", "Not following FedRAMP template", "Missing required fields", "Overdue items not escalated", "Remediation timelines not met", "POA&M not submitted to FedRAMP PMO"],
+        policyTemplate: "[CSP] maintains a POA&M for [System Name] documenting all known weaknesses with remediation plans. The POA&M follows FedRAMP template format and is updated monthly. High-risk findings are remediated within 30 days, moderate within 90, and low within 180. The POA&M is submitted to the FedRAMP PMO monthly. Overdue items are escalated to [management level]. Closed items include evidence of remediation.",
+        relatedControls: ["CA-2", "CA-7", "RA-5"],
+    },
+    {
+        id: "CA-7",
+        family: "CA",
+        title: "Continuous Monitoring",
+        description: "Develop a continuous monitoring strategy and implement a continuous monitoring program.",
+        baseline: "low",
+        priority: "P2",
+        implementation: "Implement FedRAMP continuous monitoring (ConMon) program. Monthly vulnerability scanning and POA&M updates. Quarterly security control testing (subset). Annual comprehensive assessment by 3PAO. Annual penetration testing. Significant change analysis. Monthly ConMon deliverables to FedRAMP PMO.",
+        evidence: ["ConMon strategy document", "Monthly vulnerability scan results", "Monthly POA&M updates", "Quarterly control test results", "Annual 3PAO assessment", "Annual pen test results", "Significant change requests", "Monthly ConMon deliverable submissions"],
+        fedrampRequirements: ["Monthly OS/infrastructure scans (all unique vulnerabilities)", "Monthly web application scans", "Monthly database scans", "Monthly POA&M updates", "Quarterly control subset testing", "Annual 3PAO assessment", "Annual penetration testing", "Significant change analysis per FedRAMP guidance", "Monthly ConMon deliverables to PMO"],
+        commonFindings: ["Monthly scans not comprehensive", "ConMon deliverables not submitted timely", "Quarterly control testing gaps", "No significant change process", "Pen test scope insufficient", "Scan results not reflected in POA&M"],
+        policyTemplate: "[CSP] implements a FedRAMP continuous monitoring program for [System Name]. Monthly activities: vulnerability scanning (OS, web app, database), POA&M updates, ConMon deliverable submission. Quarterly: security control subset testing. Annually: comprehensive 3PAO assessment and penetration testing. Significant changes are analyzed per FedRAMP guidance before implementation. All findings flow into the POA&M with appropriate risk ratings and remediation timelines.",
+        relatedControls: ["CA-2", "CA-5", "RA-5", "SI-2"],
+    },
+    // ── CONFIGURATION MANAGEMENT ────────────────────────────────────────
+    {
+        id: "CM-1",
+        family: "CM",
+        title: "Configuration Management Policy and Procedures",
+        description: "Develop, document, and disseminate configuration management policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document configuration management policy covering baselines, change management, and configuration monitoring. Address cloud-specific CM including infrastructure-as-code, container configurations, and cloud service configurations. Define CM roles.",
+        evidence: ["CM policy document", "CM procedures", "Policy review records", "CM role assignments"],
+        fedrampRequirements: ["Policy reviewed every 3 years, procedures annually", "Must address cloud-specific configuration management"],
+        commonFindings: ["Policy doesn't cover cloud infrastructure", "No IaC configuration management", "Missing container/serverless CM procedures"],
+        policyTemplate: "[CSP] maintains configuration management policies for [System Name] covering infrastructure baselines, change management, and configuration monitoring across all cloud components. This includes [VMs, containers, serverless functions, network configurations, IaC templates]. CM roles are assigned to [team/positions]. The policy is reviewed every 3 years with procedures updated annually.",
+        relatedControls: ["CM-2", "CM-3", "CM-6"],
+    },
+    {
+        id: "CM-2",
+        family: "CM",
+        title: "Baseline Configuration",
+        description: "Develop, document, and maintain current baseline configurations for the information system and system components.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document baseline configurations for all system components (OS, applications, network devices, cloud services). Use configuration management tools. Maintain in version control. Update baselines when approved changes are made. Review annually minimum. Include security-relevant settings per FedRAMP requirements.",
+        evidence: ["Baseline configuration documents", "Version-controlled configurations", "Configuration management tool outputs", "Baseline review/update records", "Deviation reports"],
+        fedrampRequirements: ["Baselines updated within 30 days of approved changes", "Annual review minimum", "Must cover all system components including cloud services", "Baselines maintained under configuration control"],
+        commonFindings: ["Baselines not maintained for cloud services", "No version control for configurations", "Baselines out of date", "Missing components from baseline scope", "No deviation detection or monitoring"],
+        policyTemplate: "[CSP] maintains current baseline configurations for all [System Name] components in [configuration management tool/version control]. Baselines cover [OS, applications, databases, network devices, cloud services, IaC templates]. Baselines are updated within 30 days of approved changes and reviewed annually. Configuration deviations are detected through [scanning/monitoring tool] and remediated within [N] days.",
+        relatedControls: ["CM-1", "CM-3", "CM-6"],
+    },
+    {
+        id: "CM-6",
+        family: "CM",
+        title: "Configuration Settings",
+        description: "Establish and document configuration settings for system components using security configuration checklists that reflect the most restrictive mode consistent with operational requirements.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Apply CIS Benchmarks, DISA STIGs, or vendor hardening guides. Document configuration settings per component. Enforce through automation (GPO, Ansible, Terraform, etc.). Monitor for compliance. Remediate deviations. Document exceptions with risk acceptance.",
+        evidence: ["Adopted security benchmarks per component", "Configuration enforcement automation", "Compliance scan results", "Exception documentation with risk acceptance", "Remediation records"],
+        fedrampRequirements: ["Must use recognized security benchmarks (CIS/DISA STIG)", "Configuration compliance scanning required", "Deviations require documented risk acceptance"],
+        commonFindings: ["No security benchmarks adopted", "Configurations not enforced automatically", "No compliance scanning", "Exceptions not documented", "Cloud service configurations not hardened"],
+        policyTemplate: "[CSP] configures [System Name] components using [CIS Benchmarks/DISA STIGs] as the baseline. Configurations are enforced through [automation tools]. Compliance scans run [frequency] with results reviewed by [role]. Deviations require documented risk acceptance from [authority]. Cloud service configurations (IAM policies, storage permissions, network ACLs) are hardened per [cloud provider security guide].",
+        relatedControls: ["CM-2", "CM-3", "RA-5"],
+    },
+    // ── CONTINGENCY PLANNING ────────────────────────────────────────────
+    {
+        id: "CP-1",
+        family: "CP",
+        title: "Contingency Planning Policy and Procedures",
+        description: "Develop, document, and disseminate contingency planning policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document contingency planning policy covering backup, recovery, and continuity of operations for the cloud service. Address multi-region/multi-AZ architecture. Define RPO/RTO. Address customer notification procedures. Plan for provider dependency failures.",
+        evidence: ["Contingency planning policy", "Policy review records", "RPO/RTO documentation", "Customer notification procedures"],
+        fedrampRequirements: ["Policy reviewed every 3 years, procedures annually", "Must address cloud-specific contingency scenarios"],
+        commonFindings: ["Policy doesn't address cloud-specific scenarios", "No defined RPO/RTO", "Missing customer notification procedures", "Provider dependencies not addressed"],
+        policyTemplate: "[CSP] maintains contingency planning policies for [System Name] covering backup, recovery, and business continuity. RPO is [value] and RTO is [value]. The system leverages [multi-AZ/multi-region] architecture for resilience. Customer notification procedures are defined for service disruptions. Contingency plans address [cloud provider] dependency failures including region-level outages.",
+        relatedControls: ["CP-2", "CP-9", "CP-10"],
+    },
+    // ── IDENTIFICATION & AUTHENTICATION ─────────────────────────────────
+    {
+        id: "IA-1",
+        family: "IA",
+        title: "Identification and Authentication Policy and Procedures",
+        description: "Develop, document, and disseminate identification and authentication policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document IA policy covering user identification, authentication mechanisms, MFA requirements, authenticator management, and identity verification. Address FedRAMP-specific MFA requirements and FIPS 140-2 validated cryptographic modules.",
+        evidence: ["IA policy document", "Policy review records", "MFA requirement documentation", "FIPS 140-2 validation evidence"],
+        fedrampRequirements: ["Policy reviewed every 3 years, procedures annually", "Must address MFA for all privileged and remote access", "FIPS 140-2 validated cryptographic modules required"],
+        commonFindings: ["MFA requirements not comprehensive", "FIPS 140-2 not validated", "Policy doesn't address all identity types", "No authenticator management procedures"],
+        policyTemplate: "[CSP] maintains identification and authentication policies for [System Name] covering user identification, multi-factor authentication, authenticator management, and identity verification. MFA is required for all privileged access and all remote access. Cryptographic modules are FIPS 140-2 validated. The policy is reviewed every 3 years with procedures updated annually.",
+        relatedControls: ["IA-2", "IA-4", "IA-5"],
+    },
+    {
+        id: "IA-2",
+        family: "IA",
+        title: "Identification and Authentication (Organizational Users)",
+        description: "Uniquely identify and authenticate organizational users (or processes acting on behalf of users).",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Unique user identification for all personnel. Multi-factor authentication for network access and privileged access. MFA for local access to privileged accounts. Phishing-resistant MFA preferred (FIDO2, PIV). Replay-resistant authentication. Group authenticator management. Use of PIV credentials per HSPD-12 where applicable.",
+        evidence: ["User identification procedures", "MFA deployment evidence", "MFA coverage reports", "PIV credential usage (if applicable)", "Authentication configuration per system"],
+        fedrampRequirements: ["MFA for ALL network access (not just privileged)", "MFA for local privileged access", "Phishing-resistant MFA preferred", "PIV/CAC support for federal user access", "Replay-resistant authentication mechanisms"],
+        commonFindings: ["MFA not enabled for all network access", "Local admin access without MFA", "SMS-based MFA (not phishing-resistant)", "No PIV/CAC support for federal users", "Authentication not replay-resistant"],
+        policyTemplate: "[CSP] uniquely identifies and authenticates all organizational users of [System Name]. Multi-factor authentication is required for all network access (privileged and non-privileged) and local privileged access. [System Name] supports [FIDO2/PIV/CAC] for phishing-resistant MFA. Federal agency users can authenticate using PIV/CAC credentials per HSPD-12. Authentication mechanisms are replay-resistant.",
+        relatedControls: ["IA-1", "IA-4", "IA-5", "AC-2"],
+    },
+    // ── INCIDENT RESPONSE ───────────────────────────────────────────────
+    {
+        id: "IR-1",
+        family: "IR",
+        title: "Incident Response Policy and Procedures",
+        description: "Develop, document, and disseminate incident response policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document IR policy covering preparation, detection, analysis, containment, eradication, recovery, and post-incident. Address FedRAMP-specific reporting to US-CERT and agency customers. Define incident categories and severity levels. Establish IR team.",
+        evidence: ["IR policy document", "IR team roster and contacts", "Incident severity/category matrix", "US-CERT reporting procedures", "Agency notification procedures"],
+        fedrampRequirements: ["US-CERT reporting within 1 hour for incidents", "Agency customer notification procedures", "Policy reviewed every 3 years, procedures annually"],
+        commonFindings: ["No US-CERT reporting procedures", "Missing agency notification process", "IR team not defined", "Severity levels not aligned with FedRAMP", "No post-incident review process"],
+        policyTemplate: "[CSP] maintains incident response policies for [System Name] covering all phases of incident handling. The IR team includes [roles] with [24/7 availability]. Incidents are classified per [severity matrix]. US-CERT is notified within 1 hour of confirmed incidents. Affected agency customers are notified within [N] hours. Post-incident reviews are conducted within [N] days.",
+        relatedControls: ["IR-4", "IR-5", "IR-6", "AU-6"],
+    },
+    {
+        id: "IR-6",
+        family: "IR",
+        title: "Incident Reporting",
+        description: "Require personnel to report suspected security incidents to the organizational incident response capability and report security incidents to appropriate authorities.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "US-CERT reporting within 1 hour for FedRAMP incidents. Report to agency customers per their requirements. Report to FedRAMP PMO for significant incidents. Internal reporting chain established. Document all reports and acknowledgments.",
+        evidence: ["US-CERT reporting procedures", "Incident report records", "Agency notification records", "FedRAMP PMO notification records", "Internal reporting chain documentation"],
+        fedrampRequirements: ["Report to US-CERT within 1 hour", "Report to FedRAMP PMO for significant incidents", "Report to all affected agency customers", "Report must include specific FedRAMP-required data elements"],
+        commonFindings: ["US-CERT reporting not within 1 hour", "FedRAMP PMO not notified", "Agency customers not notified", "Missing data elements in reports", "No evidence of report submissions"],
+        policyTemplate: "[CSP] reports security incidents affecting [System Name] to US-CERT within 1 hour of confirmation. The FedRAMP PMO is notified for significant incidents. All affected agency customers are notified within [N] hours including incident description, impact assessment, and remediation status. Reports include all FedRAMP-required data elements. All incident reports and acknowledgments are documented.",
+        relatedControls: ["IR-1", "IR-4", "IR-5"],
+    },
+    // ── RISK ASSESSMENT ─────────────────────────────────────────────────
+    {
+        id: "RA-5",
+        family: "RA",
+        title: "Vulnerability Scanning",
+        description: "Scan for vulnerabilities in the system and hosted applications per FedRAMP continuous monitoring requirements and remediate legitimate vulnerabilities.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Monthly OS/infrastructure vulnerability scans. Monthly web application scans. Monthly database scans. Quarterly authenticated scans. Scan after significant changes. Remediate per FedRAMP timelines: high/critical within 30 days, moderate within 90 days, low within 180 days. Share scan results with authorizing officials.",
+        evidence: ["Monthly scan results (OS, web app, database)", "Remediation tracking records", "Scan configuration showing scope", "Authenticated scan evidence", "False positive documentation", "Scan result sharing with AO"],
+        fedrampRequirements: ["Monthly OS/infrastructure scans", "Monthly web application scans", "Monthly database scans", "Critical/high remediation within 30 days", "Moderate within 90 days", "Low within 180 days", "Share results with AO monthly", "Scan all unique vulnerabilities"],
+        commonFindings: ["Scans not monthly", "Web application scans missing", "Database scans missing", "Remediation timelines not met", "Scan scope incomplete", "Results not shared with AO", "False positives not properly documented"],
+        policyTemplate: "[CSP] conducts monthly vulnerability scans of [System Name] covering operating systems, web applications, and databases. Scans are performed using [tools] with authenticated scanning for [OS/database]. Remediation follows FedRAMP timelines: critical/high within 30 days, moderate within 90 days, low within 180 days. Scan results and remediation status are shared with the authorizing official monthly. False positives are documented with supporting evidence.",
+        relatedControls: ["CA-5", "CA-7", "SI-2"],
+    },
+    // ── SYSTEM & COMMUNICATIONS PROTECTION ──────────────────────────────
+    {
+        id: "SC-1",
+        family: "SC",
+        title: "System and Communications Protection Policy and Procedures",
+        description: "Develop, document, and disseminate system and communications protection policy and procedures.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Document SC policy covering boundary protection, encryption, network segmentation, denial of service protection, and session management. Address cloud-specific networking, CDN, WAF, and API gateway security.",
+        evidence: ["SC policy document", "Policy review records", "Cloud networking architecture documentation"],
+        fedrampRequirements: ["Policy reviewed every 3 years, procedures annually", "Must address cloud-specific SC controls"],
+        commonFindings: ["Policy doesn't address cloud networking", "Missing API gateway security procedures", "No CDN/WAF procedures"],
+        policyTemplate: "[CSP] maintains system and communications protection policies for [System Name] covering boundary protection, FIPS-validated encryption, network segmentation, denial-of-service protection, and session management. Cloud-specific protections include [WAF, CDN, API gateway, VPC configuration, security groups]. The policy is reviewed every 3 years with procedures updated annually.",
+        relatedControls: ["SC-7", "SC-8", "SC-13"],
+    },
+    {
+        id: "SC-7",
+        family: "SC",
+        title: "Boundary Protection",
+        description: "Monitor and control communications at external system boundaries and key internal boundaries.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Deploy managed boundary protection (firewalls, security groups, NACLs, WAF). Implement DMZ for public services. Restrict outbound traffic. Monitor boundary traffic. Separate management network. Implement API gateway for service boundaries. Deny by default.",
+        evidence: ["Network architecture diagram with boundaries", "Firewall/security group rules", "WAF configuration", "DMZ architecture", "Outbound traffic restrictions", "API gateway configuration", "Boundary monitoring evidence"],
+        fedrampRequirements: ["Managed interfaces at all external boundaries", "DMZ for public-facing components", "Deny-by-default with allow-by-exception", "Monitor traffic at all boundaries", "Separate management network"],
+        commonFindings: ["No DMZ architecture", "Overly permissive security groups", "No outbound traffic restrictions", "Management network not separated", "No WAF for web applications", "API endpoints unprotected"],
+        policyTemplate: "[CSP] implements boundary protection at all external and key internal boundaries of [System Name]. Public-facing services are deployed in a DMZ. Security groups and NACLs enforce deny-by-default access. A WAF protects web applications. Outbound traffic is restricted to approved destinations. The management network is separated from data plane traffic. Boundary traffic is monitored by [tool/team].",
+        relatedControls: ["SC-1", "AC-3", "AU-6"],
+    },
+    {
+        id: "SC-13",
+        family: "SC",
+        title: "Cryptographic Protection",
+        description: "Implement FIPS-validated cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "FIPS 140-2 (or 140-3) validated cryptographic modules for all encryption. TLS 1.2+ for data in transit. AES-256 for data at rest. Key management procedures. Certificate management. Crypto inventory documenting all cryptographic implementations.",
+        evidence: ["FIPS 140-2/3 validation certificates", "TLS configuration evidence", "Encryption at rest configuration", "Key management procedures", "Certificate management procedures", "Cryptographic module inventory"],
+        fedrampRequirements: ["All cryptographic modules must be FIPS 140-2/3 validated", "TLS 1.2 minimum for data in transit", "FIPS-validated encryption for data at rest", "Key management with separation of duties"],
+        commonFindings: ["Non-FIPS validated modules used", "TLS 1.0/1.1 still enabled", "Data at rest not encrypted", "No key management procedures", "No cryptographic module inventory", "Self-signed certificates in production"],
+        policyTemplate: "[CSP] implements FIPS 140-2 validated cryptography for all encryption on [System Name]. Data in transit uses TLS 1.2+ with FIPS-validated modules. Data at rest uses AES-256 encryption with FIPS-validated modules. Encryption keys are managed per [key management procedures] with separation of duties. A cryptographic module inventory documents all implementations with validation status.",
+        relatedControls: ["SC-1", "SC-7", "SC-8"],
+    },
+    // ── SYSTEM & INFORMATION INTEGRITY ──────────────────────────────────
+    {
+        id: "SI-2",
+        family: "SI",
+        title: "Flaw Remediation",
+        description: "Identify, report, and correct system flaws; test software/firmware updates related to flaw remediation for effectiveness and potential side effects before installation.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Patch management covering all components. Test patches before production. Deploy per FedRAMP remediation timelines. Track patch compliance. Include third-party and open-source components. Address container image patching. Automated patching where feasible.",
+        evidence: ["Patch management policy", "Patch testing procedures", "Patch deployment records with timelines", "Patch compliance reports", "Third-party component patching evidence", "Container image scanning/patching"],
+        fedrampRequirements: ["Critical/high within 30 days", "Moderate within 90 days", "Low within 180 days", "Emergency patches within 48 hours", "Must cover all system components including containers"],
+        commonFindings: ["Patches not deployed within FedRAMP timelines", "No testing before production", "Third-party components unpatched", "Container images with known vulnerabilities", "No patch compliance monitoring", "Emergency patch process not defined"],
+        policyTemplate: "[CSP] manages flaw remediation for [System Name] per FedRAMP timelines: critical/high within 30 days, moderate within 90 days, low within 180 days, emergency within 48 hours. Patches are tested in [environment] before production deployment. All components are in scope including OS, applications, databases, network devices, container images, and third-party libraries. Patch compliance is monitored via [tool] with [frequency] reporting.",
+        relatedControls: ["RA-5", "CA-5", "CM-3"],
+    },
+    {
+        id: "SI-4",
+        family: "SI",
+        title: "System Monitoring",
+        description: "Monitor the system to detect attacks and indicators of potential attacks, unauthorized connections, and unauthorized use.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Deploy IDS/IPS at network boundaries. Implement SIEM for log aggregation and correlation. Endpoint detection and response (EDR). Cloud-native monitoring (CloudTrail, GuardDuty, etc.). Define monitoring strategy covering internal, external, and cloud management plane. Alert and escalation procedures.",
+        evidence: ["Monitoring strategy document", "IDS/IPS deployment and configuration", "SIEM configuration and alert rules", "EDR deployment", "Cloud-native monitoring configuration", "Alert and escalation procedures", "Monitoring effectiveness reports"],
+        fedrampRequirements: ["Real-time monitoring of all system boundaries", "SIEM with correlation capabilities", "Cloud management plane monitoring", "Heightened monitoring during threat advisories", "Integration with US-CERT reporting"],
+        commonFindings: ["No IDS/IPS deployed", "SIEM not covering all components", "Cloud management plane not monitored", "Alert fatigue (too many false positives)", "No escalation procedures", "EDR not deployed on all endpoints"],
+        policyTemplate: "[CSP] monitors [System Name] using a defense-in-depth approach. IDS/IPS monitors network boundaries. [SIEM tool] aggregates and correlates logs across all components. EDR is deployed on all endpoints. Cloud-native monitoring ([service names]) covers the management plane. Alerts are escalated per [procedures] with [response SLA]. Monitoring is heightened during elevated threat periods per US-CERT advisories.",
+        relatedControls: ["AU-6", "IR-4", "SC-7"],
+    },
+    // ── PLANNING ────────────────────────────────────────────────────────
+    {
+        id: "PL-2",
+        family: "PL",
+        title: "System Security Plan",
+        description: "Develop and maintain a security plan that describes security controls in place or planned, rules of behavior, and access.",
+        baseline: "low",
+        priority: "P1",
+        implementation: "Develop SSP per FedRAMP SSP template. Cover all applicable control families. Describe system boundary, architecture, data flows. Document all control implementations. Include customer responsibility matrix. Maintain current with all changes. Annual review and update.",
+        evidence: ["System Security Plan (FedRAMP template)", "SSP revision history", "Annual review records", "Customer Responsibility Matrix", "System architecture diagrams", "Data flow diagrams"],
+        fedrampRequirements: ["Must follow FedRAMP SSP template", "Updated for all significant changes", "Annual review minimum", "Must include Customer Responsibility Matrix", "Must include system architecture and data flow diagrams"],
+        commonFindings: ["SSP doesn't follow FedRAMP template", "SSP out of date", "Missing Customer Responsibility Matrix", "Architecture diagrams outdated", "Control descriptions copied from templates not customized", "Missing data flow diagrams"],
+        policyTemplate: "[CSP] maintains the System Security Plan for [System Name] per the FedRAMP SSP template. The SSP describes the system boundary, architecture, data flows, and implementation of all applicable security controls. The Customer Responsibility Matrix defines shared responsibility between [CSP] and agency customers. The SSP is reviewed annually and updated within [N] days of significant changes. All revisions are tracked.",
+        relatedControls: ["CA-2", "CA-5", "CA-7"],
+    },
+];
+// ── Readiness Assessment ──────────────────────────────────────────────
+function assessReadiness(implementedControls, targetBaseline) {
+    const baselineOrder = { low: 1, moderate: 2, high: 3 };
+    const targetOrder = baselineOrder[targetBaseline];
+    const inScope = FEDRAMP_CONTROLS.filter((c) => baselineOrder[c.baseline] <= targetOrder);
+    const implemented = new Set(implementedControls.map((c) => c.toUpperCase()));
+    let totalImplemented = 0;
+    const byFamily = {};
+    for (const control of inScope) {
+        const fam = control.family;
+        if (!byFamily[fam])
+            byFamily[fam] = { implemented: 0, total: 0, score: 0 };
+        byFamily[fam].total++;
+        if (implemented.has(control.id)) {
+            totalImplemented++;
+            byFamily[fam].implemented++;
+        }
+    }
+    for (const f of Object.keys(byFamily)) {
+        byFamily[f].score = Math.round((byFamily[f].implemented / byFamily[f].total) * 100);
+    }
+    const score = inScope.length > 0 ? Math.round((totalImplemented / inScope.length) * 100) : 0;
+    const gaps = inScope.filter((c) => !implemented.has(c.id));
+    const p1Gaps = gaps.filter((c) => c.priority === "P1");
+    const recommendations = [];
+    if (!implemented.has("PL-2"))
+        recommendations.push("CRITICAL: Develop System Security Plan (SSP) per FedRAMP template — this is the foundation of your authorization package");
+    if (!implemented.has("CA-7"))
+        recommendations.push("CRITICAL: Implement Continuous Monitoring program — FedRAMP requires monthly vulnerability scans, POA&M updates, and deliverables");
+    if (!implemented.has("RA-5"))
+        recommendations.push("HIGH: Implement vulnerability scanning — monthly scans with FedRAMP-compliant remediation timelines");
+    if (!implemented.has("CA-2"))
+        recommendations.push("HIGH: Engage accredited 3PAO for security assessment — required for authorization");
+    if (!implemented.has("IR-6"))
+        recommendations.push("HIGH: Establish US-CERT reporting capability — 1-hour reporting requirement");
+    if (!implemented.has("SC-13"))
+        recommendations.push("HIGH: Implement FIPS 140-2 validated cryptography — non-negotiable for FedRAMP");
+    if (p1Gaps.length > 5)
+        recommendations.push(`URGENT: ${p1Gaps.length} P1 controls missing — these are the highest priority for authorization`);
+    if (recommendations.length === 0)
+        recommendations.push("Strong posture — prepare authorization package and engage 3PAO");
+    return { score, total: inScope.length, implemented: totalImplemented, byFamily, gaps, p1Gaps, recommendations };
+}
+// ── MCP Server ────────────────────────────────────────────────────────
+const server = new McpServer({
+    name: "fedramp-compliance-mcp",
+    version: "0.1.0",
+});
+// Tool 1: Browse Controls
+server.tool("browse_controls", "Browse FedRAMP security controls by baseline (low/moderate/high), family (AC/AU/CA/CM/etc.), priority (P1/P2/P3), or search terms.", {
+    baseline: z.enum(["low", "moderate", "high"]).optional().describe("Filter by FedRAMP baseline"),
+    family: z.enum(["AC", "AU", "AT", "CA", "CM", "CP", "IA", "IR", "MA", "MP", "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"]).optional().describe("Filter by control family"),
+    priority: z.enum(["P1", "P2", "P3"]).optional().describe("Filter by control priority"),
+    search: z.string().optional().describe("Search control titles and descriptions"),
+}, async ({ baseline, family, priority, search }) => {
+    let results = [...FEDRAMP_CONTROLS];
+    if (baseline) {
+        const order = { low: 1, moderate: 2, high: 3 };
+        const targetOrder = order[baseline];
+        results = results.filter((c) => order[c.baseline] <= targetOrder);
+    }
+    if (family)
+        results = results.filter((c) => c.family === family);
+    if (priority)
+        results = results.filter((c) => c.priority === priority);
+    if (search) {
+        const q = search.toLowerCase();
+        results = results.filter((c) => c.title.toLowerCase().includes(q) || c.description.toLowerCase().includes(q) || c.id.toLowerCase().includes(q));
+    }
+    if (results.length === 0) {
+        return { content: [{ type: "text", text: "No controls match your criteria." }] };
+    }
+    const output = [
+        `# FedRAMP Controls (${results.length} results)`,
+        ``,
+        ...results.map((c) => [
+            `## ${c.id}: ${c.title}`,
+            `**Family:** ${c.family} (${FAMILY_NAMES[c.family]}) | **Baseline:** ${c.baseline} | **Priority:** ${c.priority}`,
+            ``,
+            c.description,
+            ``,
+            `**Implementation:** ${c.implementation}`,
+            ``,
+            `**FedRAMP-Specific Requirements:**`,
+            ...c.fedrampRequirements.map((r) => `- ${r}`),
+            ``,
+            `**Common 3PAO Findings:**`,
+            ...c.commonFindings.map((f) => `- ${f}`),
+            ``,
+        ].join("\n")),
+        `---`,
+        `Automate your FedRAMP compliance: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 2: Assess Readiness
+server.tool("assess_readiness", "Score your FedRAMP authorization readiness based on which controls you've implemented. Includes baseline-specific assessment.", {
+    implementedControls: z.array(z.string()).describe("Array of control IDs you have implemented (e.g., ['AC-1', 'AC-2', 'AU-2'])"),
+    targetBaseline: z.enum(["low", "moderate", "high"]).default("moderate").describe("Target FedRAMP baseline (most agencies require Moderate)"),
+    authorizationPath: z.enum(["jab", "agency", "li_saas"]).default("agency").describe("Authorization path: JAB P-ATO, Agency ATO, or FedRAMP Li-SaaS"),
+}, async ({ implementedControls, targetBaseline, authorizationPath }) => {
+    const result = assessReadiness(implementedControls, targetBaseline);
+    const pathNote = authorizationPath === "jab"
+        ? "\n**JAB P-ATO Path:** Requires FedRAMP PMO sponsorship and JAB review. Highest rigor but broadest reuse across agencies."
+        : authorizationPath === "li_saas"
+            ? "\n**Li-SaaS Path:** Streamlined for low-impact SaaS. Reduced control set. Good for initial authorization."
+            : "\n**Agency ATO Path:** Direct engagement with a sponsoring agency. Most common path.";
+    const output = [
+        `# FedRAMP Authorization Readiness Assessment`,
+        ``,
+        `## Overall Score: ${result.score}%`,
+        `- **Controls Implemented:** ${result.implemented}/${result.total}`,
+        `- **Target Baseline:** ${targetBaseline}`,
+        `- **Authorization Path:** ${authorizationPath.replace(/_/g, " ").toUpperCase()}${pathNote}`,
+        ``,
+        `## Readiness by Control Family`,
+        ...Object.entries(result.byFamily)
+            .sort(([, a], [, b]) => a.score - b.score)
+            .map(([fam, v]) => `- **${fam} (${FAMILY_NAMES[fam]}):** ${v.implemented}/${v.total} (${v.score}%) ${v.score < 50 ? "-- CRITICAL GAP" : v.score < 80 ? "-- needs attention" : "-- good"}`),
+        ``,
+        `## P1 Controls Missing (${result.p1Gaps.length})`,
+        ...result.p1Gaps.map((g) => `- **${g.id}:** ${g.title}`),
+        ``,
+        `## Priority Recommendations`,
+        ...result.recommendations.map((r, i) => `${i + 1}. ${r}`),
+        ``,
+        `## Authorization Readiness`,
+        result.score >= 85 ? "**READY** — Strong control implementation. Prepare authorization package and engage 3PAO for assessment." :
+            result.score >= 60 ? "**NEARLY READY** — Address P1 gaps before engaging 3PAO. Focus on SSP, ConMon, and vulnerability management." :
+                "**NOT READY** — Significant gaps exist. Build foundational controls (access management, monitoring, encryption, incident response) before pursuing authorization.",
+        ``,
+        `## Authorization Package Checklist`,
+        `- [ ] System Security Plan (SSP) per FedRAMP template`,
+        `- [ ] Security Assessment Plan (SAP)`,
+        `- [ ] Security Assessment Report (SAR) from 3PAO`,
+        `- [ ] Plan of Action & Milestones (POA&M)`,
+        `- [ ] Continuous Monitoring deliverables`,
+        `- [ ] Customer Responsibility Matrix`,
+        `- [ ] System architecture and data flow diagrams`,
+        `- [ ] Privacy Impact Assessment (PIA) if applicable`,
+        `- [ ] Rules of Behavior`,
+        ``,
+        `---`,
+        `Track your FedRAMP authorization: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 3: Generate SSP Section
+server.tool("generate_ssp", "Generate a FedRAMP System Security Plan section for a specific control or control family, formatted per FedRAMP SSP template requirements.", {
+    controlId: z.string().optional().describe("Specific control ID (e.g., 'AC-2')"),
+    family: z.enum(["AC", "AU", "AT", "CA", "CM", "CP", "IA", "IR", "MA", "MP", "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"]).optional().describe("Control family to generate SSP section for"),
+    cspName: z.string().default("[CSP]").describe("Cloud Service Provider name"),
+    systemName: z.string().default("[System Name]").describe("System/CSO name"),
+}, async ({ controlId, family, cspName, systemName }) => {
+    let controls;
+    let title;
+    if (controlId) {
+        const control = FEDRAMP_CONTROLS.find((c) => c.id === controlId.toUpperCase());
+        if (!control) {
+            return { content: [{ type: "text", text: `Control ${controlId} not found. Use browse_controls to see available IDs.` }] };
+        }
+        controls = [control];
+        title = `${control.id}: ${control.title}`;
+    }
+    else if (family) {
+        controls = FEDRAMP_CONTROLS.filter((c) => c.family === family);
+        title = `${family} — ${FAMILY_NAMES[family]}`;
+    }
+    else {
+        return { content: [{ type: "text", text: "Provide either controlId or family." }] };
+    }
+    const output = [
+        `# FedRAMP SSP — ${title}`,
+        `**Cloud Service Provider:** ${cspName}`,
+        `**Cloud Service Offering:** ${systemName}`,
+        `**Date:** ${new Date().toISOString().split("T")[0]}`,
+        ``,
+        ...controls.map((c) => [
+            `## ${c.id}: ${c.title}`,
+            `**Family:** ${c.family} (${FAMILY_NAMES[c.family]}) | **Baseline:** ${c.baseline} | **Priority:** ${c.priority}`,
+            ``,
+            `### Control Description`,
+            c.description,
+            ``,
+            `### Implementation`,
+            `**Responsible Role:** [CSP/Agency/Shared]`,
+            ``,
+            c.policyTemplate.replace(/\[CSP\]/g, cspName).replace(/\[System Name\]/g, systemName),
+            ``,
+            `### Implementation Details`,
+            c.implementation,
+            ``,
+            `### FedRAMP Additional Requirements`,
+            ...c.fedrampRequirements.map((r) => `- ${r}`),
+            ``,
+            `### Evidence Artifacts`,
+            ...c.evidence.map((e) => `- ${e}`),
+            ``,
+            `### Customer Responsibility`,
+            `[Describe any customer responsibilities for this control]`,
+            ``,
+            `### Implementation Status`,
+            `- [ ] Implemented`,
+            `- [ ] Partially Implemented`,
+            `- [ ] Planned`,
+            `- [ ] Alternative Implementation`,
+            `- [ ] Not Applicable`,
+            ``,
+        ].join("\n")),
+        `---`,
+        `Generate your complete FedRAMP SSP: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 4: Evidence Checklist
+server.tool("evidence_checklist", "Generate evidence collection checklist for FedRAMP 3PAO assessment preparation.", {
+    controlId: z.string().optional().describe("Specific control ID"),
+    family: z.enum(["AC", "AU", "AT", "CA", "CM", "CP", "IA", "IR", "MA", "MP", "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"]).optional().describe("Control family"),
+    baseline: z.enum(["low", "moderate", "high"]).optional().describe("Filter by baseline"),
+}, async ({ controlId, family, baseline }) => {
+    let controls;
+    if (controlId) {
+        const control = FEDRAMP_CONTROLS.find((c) => c.id === controlId.toUpperCase());
+        if (!control) {
+            return { content: [{ type: "text", text: `Control ${controlId} not found.` }] };
+        }
+        controls = [control];
+    }
+    else {
+        controls = [...FEDRAMP_CONTROLS];
+        if (family)
+            controls = controls.filter((c) => c.family === family);
+        if (baseline) {
+            const order = { low: 1, moderate: 2, high: 3 };
+            controls = controls.filter((c) => order[c.baseline] <= order[baseline]);
+        }
+    }
+    const output = [
+        `# FedRAMP Evidence Collection Checklist`,
+        `**Scope:** ${controlId || (family ? `${family} (${FAMILY_NAMES[family]})` : "All Families")}${baseline ? ` | Baseline: ${baseline}` : ""}`,
+        ``,
+        `## 3PAO Assessment Preparation Tips`,
+        `- Organize evidence by control family in shared folders`,
+        `- Ensure screenshots include timestamps`,
+        `- Provide both policy/procedure documents AND implementation evidence`,
+        `- Have system administrators available for live demonstrations`,
+        `- Prepare a test environment for penetration testing`,
+        ``,
+        ...controls.map((c) => [
+            `## ${c.id}: ${c.title}`,
+            `**Family:** ${FAMILY_NAMES[c.family]} | **Baseline:** ${c.baseline} | **Priority:** ${c.priority}`,
+            ``,
+            `### Evidence Required`,
+            ...c.evidence.map((e) => `- [ ] ${e}`),
+            ``,
+            `### FedRAMP-Specific Evidence`,
+            ...c.fedrampRequirements.map((r) => `- [ ] Evidence for: ${r}`),
+            ``,
+            `**Owner:** ___________`,
+            `**Status:** Not Started / In Progress / Complete`,
+            ``,
+        ].join("\n")),
+        `---`,
+        `Track FedRAMP evidence collection: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 5: Gap Analysis
+server.tool("gap_analysis", "Compare implemented controls against FedRAMP baseline requirements and generate prioritized remediation plan.", {
+    implementedControls: z.array(z.string()).describe("Array of control IDs you have implemented"),
+    targetBaseline: z.enum(["low", "moderate", "high"]).default("moderate").describe("Target FedRAMP baseline"),
+    assessmentTimeline: z.enum(["under_3_months", "3_to_6_months", "6_to_12_months", "over_12_months"]).default("6_to_12_months").describe("Time until 3PAO assessment"),
+}, async ({ implementedControls, targetBaseline, assessmentTimeline }) => {
+    const result = assessReadiness(implementedControls, targetBaseline);
+    const gaps = result.gaps;
+    const groupedGaps = {};
+    for (const gap of gaps) {
+        const fam = gap.family;
+        if (!groupedGaps[fam])
+            groupedGaps[fam] = [];
+        groupedGaps[fam].push(gap);
+    }
+    const output = [
+        `# FedRAMP Gap Analysis`,
+        `**Target Baseline:** ${targetBaseline}`,
+        `**Controls Required:** ${result.total}`,
+        `**Controls Implemented:** ${result.implemented}`,
+        `**Gaps:** ${gaps.length}`,
+        `**P1 Gaps:** ${result.p1Gaps.length}`,
+        `**Assessment Timeline:** ${assessmentTimeline.replace(/_/g, " ")}`,
+        ``,
+        `## POA&M Template`,
+        ``,
+        `| # | Control | Title | Family | Priority | Milestone | Target Date | Owner | Status |`,
+        `|---|---------|-------|--------|----------|-----------|------------|-------|--------|`,
+        ...gaps.map((g, i) => `| ${i + 1} | ${g.id} | ${g.title} | ${FAMILY_NAMES[g.family]} | ${g.priority} | | | | Not Started |`),
+        ``,
+        `## Gaps by Control Family`,
+        ``,
+        ...Object.entries(groupedGaps).sort(([, a], [, b]) => b.length - a.length).map(([fam, controls]) => [
+            `### ${fam} — ${FAMILY_NAMES[fam]} (${controls.length} gaps)`,
+            ``,
+            ...controls.map((c) => [
+                `#### ${c.id}: ${c.title} (${c.priority})`,
+                c.description,
+                ``,
+                `**FedRAMP Requirements:**`,
+                ...c.fedrampRequirements.map((r) => `- ${r}`),
+                ``,
+                `**Common 3PAO Findings:**`,
+                ...c.commonFindings.slice(0, 3).map((f) => `- ${f}`),
+                ``,
+            ].join("\n")),
+        ].join("\n")),
+        `## Priority Recommendations`,
+        ...result.recommendations.map((r, i) => `${i + 1}. ${r}`),
+        ``,
+        `---`,
+        `Automate your FedRAMP gap analysis: https://complianceiq.site`,
+    ].join("\n");
+    return { content: [{ type: "text", text: output }] };
+});
+// Tool 6: ConMon Deliverables Generator
+server.tool("conmon_deliverables", "Generate FedRAMP Continuous Monitoring (ConMon) deliverable templates and checklists for monthly, quarterly, and annual requirements.", {
+    period: z.enum(["monthly", "quarterly", "annual"]).describe("ConMon period to generate deliverables for"),
+    month: z.string().optional().describe("Specific month (e.g., 'January 2026') for the deliverable header"),
+    cspName: z.string().default("[CSP]").describe("Cloud Service Provider name"),
+    systemName: z.string().default("[System Name]").describe("System name"),
+}, async ({ period, month, cspName, systemName }) => {
+    const periodLabel = month || `[Month/Year]`;
+    let output;
+    if (period === "monthly") {
+        output = [
+            `# FedRAMP Monthly ConMon Deliverables`,
+            `**CSP:** ${cspName} | **System:** ${systemName} | **Period:** ${periodLabel}`,
+            ``,
+            `## Required Monthly Deliverables`,
+            ``,
+            `### 1. Vulnerability Scan Results`,
+            `- [ ] OS/infrastructure scan results (all unique vulnerabilities)`,
+            `- [ ] Web application scan results`,
+            `- [ ] Database scan results`,
+            `- [ ] Container image scan results (if applicable)`,
+            `- [ ] Scan coverage report (% of assets scanned)`,
+            ``,
+            `### 2. Updated POA&M`,
+            `- [ ] New findings added from this month's scans`,
+            `- [ ] Status updates on existing items`,
+            `- [ ] Closed items with evidence of remediation`,
+            `- [ ] Overdue items with revised milestones`,
+            `- [ ] Risk-adjusted completion dates`,
+            ``,
+            `### 3. Inventory Updates`,
+            `- [ ] Hardware inventory changes`,
+            `- [ ] Software inventory changes`,
+            `- [ ] Data flow diagram updates (if changed)`,
+            ``,
+            `### 4. Significant Changes`,
+            `- [ ] Significant change requests submitted (if any)`,
+            `- [ ] Impact analysis for approved changes`,
+            ``,
+            `### 5. Incident Reports`,
+            `- [ ] Security incidents reported to US-CERT`,
+            `- [ ] Agency customer notifications`,
+            `- [ ] Incident status updates`,
+            ``,
+            `## Remediation Status Summary`,
+            `| Category | Total Open | New This Month | Closed This Month | Overdue |`,
+            `|----------|-----------|---------------|-------------------|---------|`,
+            `| Critical/High | | | | |`,
+            `| Moderate | | | | |`,
+            `| Low | | | | |`,
+            ``,
+            `## Submission`,
+            `- Submit to FedRAMP PMO by the [N]th of each month`,
+            `- Share with all leveraging agencies`,
+            ``,
+        ].join("\n");
+    }
+    else if (period === "quarterly") {
+        output = [
+            `# FedRAMP Quarterly ConMon Deliverables`,
+            `**CSP:** ${cspName} | **System:** ${systemName} | **Period:** ${periodLabel}`,
+            ``,
+            `## Required Quarterly Deliverables`,
+            ``,
+            `### 1. Security Control Testing (Subset)`,
+            `- [ ] Control subset selection (1/3 of controls tested per quarter)`,
+            `- [ ] Testing methodology documentation`,
+            `- [ ] Testing results and findings`,
+            `- [ ] New POA&M items from control testing`,
+            ``,
+            `### 2. Quarterly Scan Summary`,
+            `- [ ] Trend analysis across 3 months`,
+            `- [ ] Persistent vulnerability identification`,
+            `- [ ] Remediation effectiveness metrics`,
+            ``,
+            `### 3. Updated SSP Sections (if changes occurred)`,
+            `- [ ] Architecture changes documented`,
+            `- [ ] Control implementation updates`,
+            `- [ ] New interconnections documented`,
+            ``,
+            `### Controls Tested This Quarter`,
+            `| Control | Test Method | Result | Finding |`,
+            `|---------|------------|--------|---------|`,
+            `| | | | |`,
+            ``,
+        ].join("\n");
+    }
+    else {
+        output = [
+            `# FedRAMP Annual ConMon Deliverables`,
+            `**CSP:** ${cspName} | **System:** ${systemName} | **Period:** ${periodLabel}`,
+            ``,
+            `## Required Annual Deliverables`,
+            ``,
+            `### 1. Annual 3PAO Assessment`,
+            `- [ ] 3PAO engagement (A2LA accredited)`,
+            `- [ ] Security Assessment Plan (SAP)`,
+            `- [ ] Security Assessment Report (SAR)`,
+            `- [ ] Findings remediation plan`,
+            ``,
+            `### 2. Annual Penetration Testing`,
+            `- [ ] Pen test scope (external, internal, social engineering as applicable)`,
+            `- [ ] Pen test results and findings`,
+            `- [ ] Remediation for pen test findings`,
+            ``,
+            `### 3. SSP Annual Update`,
+            `- [ ] Complete SSP review and update`,
+            `- [ ] Architecture diagrams current`,
+            `- [ ] Data flow diagrams current`,
+            `- [ ] Customer Responsibility Matrix updated`,
+            `- [ ] All control implementations verified current`,
+            ``,
+            `### 4. Contingency Plan Testing`,
+            `- [ ] Contingency plan test executed`,
+            `- [ ] Test results documented`,
+            `- [ ] Lessons learned incorporated`,
+            `- [ ] Plan updated based on test results`,
+            ``,
+            `### 5. Annual Security Training`,
+            `- [ ] Security awareness training completed (all users)`,
+            `- [ ] Role-based training for security personnel`,
+            `- [ ] Training completion records`,
+            ``,
+            `### 6. Access Review`,
+            `- [ ] Comprehensive access review all users`,
+            `- [ ] Privileged access justification review`,
+            `- [ ] Separation of duties conflict review`,
+            ``,
+        ].join("\n");
+    }
+    output += `\n---\nAutomate your FedRAMP ConMon: https://complianceiq.site`;
+    return { content: [{ type: "text", text: output }] };
+});
+// ── Start Server ──────────────────────────────────────────────────────
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((error) => {
+    console.error("Server error:", error);
+    process.exit(1);
+});

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "fedramp-compliance-mcp",
+  "version": "0.1.0",
+  "description": "MCP server for FedRAMP compliance — browse security controls by baseline (Low/Moderate/High), assess authorization readiness, generate SSP/POA&M templates, evidence checklists, and gap analysis for cloud service providers seeking federal authorization",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "fedramp-compliance-mcp": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "fedramp",
+    "federal-risk-authorization",
+    "nist-800-53",
+    "cloud-security",
+    "csp",
+    "cloud-service-provider",
+    "ato",
+    "authorization-to-operate",
+    "jab",
+    "p-ato",
+    "agency-authorization",
+    "fisma",
+    "continuous-monitoring",
+    "conmon",
+    "system-security-plan",
+    "poam",
+    "vulnerability-management",
+    "3pao",
+    "regtech",
+    "complianceiq"
+  ],
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.1",
+    "zod": "^3.24.4"
+  },
+  "devDependencies": {
+    "@types/node": "^25.8.0",
+    "typescript": "^5.8.3"
+  }
+}