fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/prompts/__init__.py

@@ -0,0 +1,62 @@
+"""
+Prompt loader for FedRAMP 20x MCP Server.
+
+This module provides functions to load prompt templates from external files.
+"""
+import logging
+from pathlib import Path
+from typing import Optional
+
+logger = logging.getLogger(__name__)
+
+# Get the directory containing prompt files
+PROMPTS_DIR = Path(__file__).parent
+
+
+def load_prompt(prompt_name: str) -> str:
+    """
+    Load a prompt template from file.
+    
+    Args:
+        prompt_name: Name of the prompt (without .txt extension)
+        
+    Returns:
+        The prompt text content
+        
+    Raises:
+        FileNotFoundError: If the prompt file doesn't exist
+    """
+    prompt_file = PROMPTS_DIR / f"{prompt_name}.txt"
+    
+    if not prompt_file.exists():
+        logger.error(f"Prompt file not found: {prompt_file}")
+        raise FileNotFoundError(f"Prompt template '{prompt_name}' not found")
+    
+    try:
+        with open(prompt_file, 'r', encoding='utf-8') as f:
+            content = f.read()
+        logger.debug(f"Loaded prompt: {prompt_name} ({len(content)} chars)")
+        return content
+    except Exception as e:
+        logger.error(f"Error loading prompt {prompt_name}: {e}")
+        raise
+
+
+def get_prompt(prompt_name: str, default: Optional[str] = None) -> str:
+    """
+    Get a prompt template, with optional fallback.
+    
+    Args:
+        prompt_name: Name of the prompt (without .txt extension)
+        default: Default text to return if prompt not found
+        
+    Returns:
+        The prompt text content, or default if not found and default provided
+    """
+    try:
+        return load_prompt(prompt_name)
+    except FileNotFoundError:
+        if default is not None:
+            logger.warning(f"Prompt {prompt_name} not found, using default")
+            return default
+        raise

fedramp_20x_mcp/prompts/api_design_guide.txt

@@ -0,0 +1,432 @@
+I'll help you design your FedRAMP 20x Authorization Data Sharing API.
+
+# Authorization Data Sharing API Design Guide (FRR-ADS)
+
+## Overview
+
+FedRAMP 20x requires CSPs to share authorization data via API rather than document uploads. This API must provide machine-readable access to your security posture.
+
+**Important: Format Requirements**
+- **Required:** Machine-readable formats (JSON, XML, or other structured data)
+- **Optional:** OSCAL is a NIST standard that can be used as one implementation approach
+- FRR-ADS requirements specify "machine-readable" only - OSCAL is NOT mentioned in FedRAMP 20x
+- Choose custom JSON/XML or OSCAL based on your implementation needs
+
+## Required Endpoints
+
+### 1. System Information
+```
+GET /api/v1/system
+GET /api/v1/authorization-boundary
+GET /api/v1/system-characteristics
+```
+
+**Response Format Example (Using OSCAL - One Option):**
+```json
+{
+  "system-security-plan": {
+    "uuid": "12345678-1234-1234-1234-123456789abc",
+    "metadata": {
+      "title": "My Cloud Service SSP",
+      "last-modified": "2025-11-26T10:00:00Z",
+      "version": "1.2.0",
+      "oscal-version": "1.1.2"
+    },
+    "system-characteristics": {
+      "system-ids": [...],
+      "system-name": "My Cloud Service",
+      "description": "...",
+      "security-sensitivity-level": "moderate",
+      "authorization-boundary": {
+        "description": "...",
+        "diagrams": [...],
+        "remarks": "..."
+      }
+    },
+    "system-implementation": {
+      "users": [...],
+      "components": [...],
+      "leveraged-authorizations": [...]
+    }
+  }
+}
+```
+
+### 2. Vulnerability Data
+```
+GET /api/v1/vulnerabilities
+GET /api/v1/vulnerabilities?status=open
+GET /api/v1/vulnerabilities?severity=high
+GET /api/v1/vulnerabilities/{vuln-id}
+```
+
+**Response Format:**
+```json
+{
+  "vulnerabilities": [
+    {
+      "id": "vuln-2025-001",
+      "cve_id": "CVE-2025-12345",
+      "severity": "HIGH",
+      "cvss_score": 8.5,
+      "discovered_date": "2025-11-20",
+      "status": "remediation_in_progress",
+      "remediation_deadline": "2025-11-27",
+      "affected_components": ["web-server-prod-01"],
+      "description": "...",
+      "remediation_plan": "..."
+    }
+  ],
+  "metadata": {
+    "total_count": 45,
+    "open_count": 12,
+    "last_scan": "2025-11-26T08:00:00Z"
+  }
+}
+```
+
+### 3. Key Security Indicators
+```
+GET /api/v1/ksi
+GET /api/v1/ksi/{category}
+GET /api/v1/ksi/{ksi-id}
+GET /api/v1/ksi/metrics?start_date=2025-10-01&end_date=2025-12-31
+```
+
+**Response Format:**
+```json
+{
+  "ksi_metrics": [
+    {
+      "id": "KSI-IAM-01",
+      "name": "Phishing-Resistant MFA",
+      "status": "compliant",
+      "metric_value": "100%",
+      "measurement_date": "2025-11-26",
+      "details": {
+        "total_users": 150,
+        "users_with_mfa": 150,
+        "mfa_type": "FIDO2"
+      },
+      "evidence": {
+        "type": "automated_report",
+        "location": "https://evidencestorage.blob.core.windows.net/reports/iam-mfa-report-2025-11.pdf"
+      }
+    }
+  ]
+}
+```
+
+### 4. Incidents
+```
+GET /api/v1/incidents
+GET /api/v1/incidents?start_date=2025-10-01
+GET /api/v1/incidents/{incident-id}
+```
+
+**Response Format:**
+```json
+{
+  "incidents": [
+    {
+      "id": "INC-2025-003",
+      "type": "security_event",
+      "severity": "medium",
+      "detected_date": "2025-11-15T14:30:00Z",
+      "resolved_date": "2025-11-15T18:45:00Z",
+      "affected_agencies": [],
+      "description": "Suspicious login attempts detected",
+      "response_actions": "Account locked, investigation completed",
+      "status": "closed"
+    }
+  ]
+}
+```
+
+### 5. Changes
+```
+GET /api/v1/changes
+GET /api/v1/changes?type=significant
+GET /api/v1/changes/{change-id}
+```
+
+**Response Format:**
+```json
+{
+  "changes": [
+    {
+      "id": "CHG-2025-042",
+      "type": "transformative",
+      "date": "2025-11-20",
+      "description": "Added new microservice for analytics",
+      "impact_assessment": "New component added to boundary",
+      "notification_sent": true,
+      "notification_date": "2025-11-20",
+      "approvals": [...]
+    }
+  ]
+}
+```
+
+### 6. POA&M
+```
+GET /api/v1/poam
+GET /api/v1/poam?status=open
+GET /api/v1/poam/{poam-id}
+```
+
+**Response Format (OSCAL POA&M):**
+```json
+{
+  "plan-of-action-and-milestones": {
+    "uuid": "...",
+    "metadata": {...},
+    "poam-items": [
+      {
+        "uuid": "...",
+        "title": "Implement automated log forwarding",
+        "description": "...",
+        "risk-statement": "...",
+        "remediation-tracking": {
+          "tracking-entry": [
+            {
+              "date-time-stamp": "2025-11-26T10:00:00Z",
+              "title": "Initial identification",
+              "description": "..."
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+```
+
+## Authentication & Authorization
+
+### Option 1: OAuth 2.0 (Recommended for Multiple Consumers)
+
+**Flow:**
+```
+1. Agency registers as OAuth client with FedRAMP
+2. FedRAMP provides client_id and client_secret
+3. Agency requests token:
+   POST /oauth/token
+   {
+     "grant_type": "client_credentials",
+     "client_id": "agency-xyz",
+     "client_secret": "..."
+   }
+4. Use token in requests:
+   GET /api/v1/system
+   Authorization: Bearer {token}
+```
+
+**Implementation:**
+```python
+# Using FastAPI + OAuth2
+from fastapi import FastAPI, Depends, HTTPException
+from fastapi.security import OAuth2PasswordBearer
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
+
+@app.get("/api/v1/system")
+async def get_system(token: str = Depends(oauth2_scheme)):
+    # Validate token
+    client = validate_token(token)
+    if not client:
+        raise HTTPException(status_code=401)
+    
+    # Return system data
+    return get_system_data()
+```
+
+### Option 2: Mutual TLS (mTLS) (Recommended for High Security)
+
+**Configuration:**
+```
+1. FedRAMP/Agency provides client certificate
+2. Configure API to require client certificates
+3. Validate certificate on each request
+```
+
+**Nginx Configuration:**
+```nginx
+server {
+    listen 443 ssl;
+    server_name api.myservice.com;
+    
+    ssl_certificate /etc/nginx/ssl/server.crt;
+    ssl_certificate_key /etc/nginx/ssl/server.key;
+    
+    # Require client certificate
+    ssl_client_certificate /etc/nginx/ssl/ca.crt;
+    ssl_verify_client on;
+    
+    location /api/ {
+        proxy_pass http://backend;
+        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
+    }
+}
+```
+
+## Access Control
+
+**Principle: Least Privilege**
+
+Different consumers should have different access levels:
+
+```json
+{
+  "client_id": "fedramp-pmo",
+  "permissions": [
+    "read:system",
+    "read:vulnerabilities", 
+    "read:ksi",
+    "read:incidents",
+    "read:changes",
+    "read:poam"
+  ]
+},
+{
+  "client_id": "agency-xyz",
+  "permissions": [
+    "read:system",
+    "read:vulnerabilities",
+    "read:incidents:agency-xyz",  // Only their incidents
+    "read:ksi"
+  ]
+}
+```
+
+## API Versioning
+
+**Use URL versioning:**
+```
+/api/v1/system  (current)
+/api/v2/system  (future)
+```
+
+**Include version in responses:**
+```json
+{
+  "api_version": "1.0.0",
+  "data": {...}
+}
+```
+
+## Rate Limiting
+
+**Recommended limits:**
+```
+- Per client: 1000 requests/hour
+- Per endpoint: 100 requests/minute
+- Burst: Allow 10 requests/second
+```
+
+**Headers:**
+```
+X-RateLimit-Limit: 1000
+X-RateLimit-Remaining: 850
+X-RateLimit-Reset: 1701014400
+```
+
+## Error Handling
+
+**Standard error format:**
+```json
+{
+  "error": {
+    "code": "unauthorized",
+    "message": "Invalid or expired token",
+    "details": "Token expired at 2025-11-26T10:00:00Z",
+    "timestamp": "2025-11-26T12:30:00Z",
+    "request_id": "req-abc-123"
+  }
+}
+```
+
+## Monitoring & Logging
+
+**Log all API access:**
+```json
+{
+  "timestamp": "2025-11-26T10:00:00Z",
+  "client_id": "fedramp-pmo",
+  "endpoint": "/api/v1/vulnerabilities",
+  "method": "GET",
+  "status_code": 200,
+  "response_time_ms": 145,
+  "user_agent": "FedRAMP-Client/1.0"
+}
+```
+
+**Alert on:**
+- Repeated authentication failures
+- Unusual access patterns
+- High error rates
+- Slow response times
+
+## Testing
+
+**Provide test credentials:**
+```
+Test API endpoint: https://api-test.myservice.com
+Client ID: test-client
+Client Secret: (provided securely)
+```
+
+**Sample queries:**
+```bash
+# Test authentication
+curl -X POST https://api-test.myservice.com/oauth/token \
+  -d "grant_type=client_credentials&client_id=test-client&client_secret=..."
+
+# Test system endpoint
+curl https://api-test.myservice.com/api/v1/system \
+  -H "Authorization: Bearer {token}"
+
+# Test vulnerabilities
+curl https://api-test.myservice.com/api/v1/vulnerabilities?status=open \
+  -H "Authorization: Bearer {token}"
+```
+
+## Documentation
+
+**Provide OpenAPI/Swagger spec:**
+```yaml
+openapi: 3.0.0
+info:
+  title: Authorization Data Sharing API
+  version: 1.0.0
+  description: FedRAMP 20x compliant API for sharing authorization data
+
+servers:
+  - url: https://api.myservice.com
+    description: Production API
+
+paths:
+  /api/v1/system:
+    get:
+      summary: Get system information
+      security:
+        - oauth2: [read:system]
+      responses:
+        '200':
+          description: System information in OSCAL format
+```
+
+## Implementation Checklist
+
+- [ ] Choose authentication method (OAuth 2.0 or mTLS)
+- [ ] Implement all required endpoints
+- [ ] Use machine-readable formats (JSON/XML) - custom or OSCAL based on your needs
+- [ ] Add proper error handling
+- [ ] Implement rate limiting
+- [ ] Add comprehensive logging
+- [ ] Write API documentation (OpenAPI)
+- [ ] Create test credentials
+- [ ] Test with FedRAMP/agency
+- [ ] Monitor API usage and performance
+
+Use get_implementation_examples('FRR-ADS-01') for more detailed implementation guidance.

fedramp_20x_mcp/prompts/ato_package_checklist.txt

@@ -0,0 +1,75 @@
+I'll help you prepare a complete FedRAMP Authorization to Operate (ATO) package checklist.
+
+**FedRAMP 20x Documentation Requirements**:
+
+**1. Minimum Assessment Scope (MAS)**
+   - System boundary definition
+   - Information resources inventory
+   - Federal customer data handling documentation
+   - Third-party service dependencies
+
+**2. Authorization Data Sharing (ADS)**
+   - Access control matrix
+   - Trust center documentation
+   - Authorization sharing agreements
+
+**3. FedRAMP Definitions (FRD)**
+   - Verify all terminology usage aligns with official definitions
+   - Document any service-specific interpretations
+
+**4. Key Security Indicators (KSI) - 72 total indicators across:**
+   - Authorization & Accreditation (AFR)
+   - Cybersecurity Education (CED)
+   - Commitment (CMT)
+   - Change Management & Notifications (CNA)
+   - Identity & Access Management (IAM)
+   - Information Resources (INR)
+   - Monitoring, Logging & Analysis (MLA)
+   - Privacy (PIY)
+   - Reporting (RPL)
+   - Service Offerings (SVC)
+   - Third Party Resources (TPR)
+
+**5. Vulnerability Detection & Response (VDR)**
+   - Vulnerability scanning procedures
+   - Remediation timeframes by severity
+   - Exception documentation
+   - Agency-specific requirements
+
+**6. Incident Communications Procedures (ICP)**
+   - Incident response plan
+   - Communication protocols
+   - Escalation procedures
+
+**7. Collaborative Continuous Monitoring (CCM)**
+   - Quarterly review procedures
+   - Continuous monitoring documentation
+   - Agency collaboration processes
+
+**8. Persistent Validation & Assessment (PVA)**
+   - Assessment schedules by impact level
+   - Validation procedures
+   - Remediation tracking
+
+**9. Recommended Secure Configuration (RSC)**
+   - Baseline configurations
+   - Configuration management procedures
+
+**10. Significant Change Notifications (SCN)**
+    - Change classification procedures
+    - Notification protocols
+    - Impact assessment process
+
+**11. Using Cryptographic Modules (UCM)**
+    - FIPS 140 compliance documentation
+    - Cryptographic module inventory
+
+**12. FedRAMP Security Inbox (FSI)**
+    - Security inbox setup
+    - Response procedures
+    - Communication protocols
+
+**What to do next**: 
+1. Use the search_requirements tool to find specific details for each area
+2. Use get_definition to clarify any terminology
+3. Use list_ksi to review all Key Security Indicators you need to address