AI agent tools for Open Security Controls Assessment Language (OSCAL).
MCP Server for OSCAL
A Model Context Protocol (MCP) server that provides AI assistants (Claude, Cline, Kiro, Claude Code, etc.) with tools to work with NIST's Open Security Controls Assessment Language (OSCAL). Like many early adopters, we needed help implementing OSCAL proofs-of-concept to demonstrate value to business stakeholders. Perhaps due to limited availability of examples in the public domain, we found that most AI agents/LLMs alone produced inconsistent results related to OSCAL. The tools in this MCP server minimized that problem for our use case and we hope they do the same for you.
What is OSCAL?
OSCAL (Open Security Controls Assessment Language) is a set of framework-agnostic, vendor-neutral, machine-readable schemas developed by NIST that describe common security artifacts like controls and assessments. OSCAL enables automation of security governance, risk, and compliance workflows.
Features
This MCP server provides these tools for working with OSCAL:
1. List OSCAL Models
- Tool: list_oscal_models - Retrieve all available OSCAL model types with descriptions, layers, and status
- Understand the different OSCAL models and their purposes
2. Get OSCAL Schemas
- Tool: get_oscal_schema - Retrieve JSON or XSD schemas for the current GA release of individual OSCAL models. Because OSCAL schemas are self-documenting, this is equivalent to querying model documentation.
- Used to answer questions about the structure, properties, and requirements of each OSCAL model
3. List OSCAL Community Resources
- Tool: list_oscal_resources - Access a curated collection of OSCAL community resources from Awesome OSCAL
- Get information about available OSCAL tools, content, articles, presentations, and educational materials
- Includes resources from government agencies, security organizations, and the broader OSCAL community
4. Query OSCAL Documentation
- Tool: query_oscal_documentation - Query authoritative OSCAL documentation using Amazon Bedrock Knowledge Base (KB). Note that this feature requires you to set up and maintain a Bedrock KB in your AWS account. In the future, we hope to provide this as a service.
- Get answers to questions about OSCAL concepts, best practices, and implementation guidance.
Installation
Prerequisites
- uv package manager for Python (Installation instructions)
- Python 3.11 or higher (uv python install 3.12). The server may work with other versions of Python, but we only test 3.11 and 3.12 for now.
Configuring IDEs and AI Tools
This MCP server communicates via stdio (standard input/output) and can be integrated with various IDEs and agentic tools that support the Model Context Protocol.
Configuration Format
Most MCP-compatible tools use a JSON configuration format. Values in the "env" section are generally not needed, but are shown here as a how-to. Here's the basic structure:
{
  "mcpServers": {
    "oscal": {
      "command": "uvx",
      "args": ["--from", "mcp-server-for-oscal@latest", "server"],
      "env": {}
    }
  }
}
IDE-Specific Configuration
Kiro IDE
Add to your .kiro/settings/mcp.json:
{
  "mcpServers": {
    "oscal": {
      "command": "uvx",
      "args": ["--from", "mcp-server-for-oscal@latest", "server"],
      "env": {
        "AWS_PROFILE": "your-aws-profile"
      },
      "disabled": false,
      "autoApprove": ["query_oscal_documentation", "list_oscal_models"]
    }
  }
}
Claude Desktop
Add to your claude_desktop_config.json:
{
  "mcpServers": {
    "oscal": {
      "command": "uvx",
      "args": ["--from", "mcp-server-for-oscal@latest", "server"]
    }
  }
}
VS Code with MCP Extension
Configure in your workspace settings or user settings:
{
  "mcp.servers": [
    {
      "name": "oscal",
      "command": "uvx",
      "args": ["--from", "mcp-server-for-oscal@latest", "server"]
    }
  ]
}
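A review check for the client configurations above, as an added example that is not part of the project's code: for each server entry it reports a uvx package spec that has no exact version pin (such as the `@latest` used here), every tool named in `autoApprove`, and every variable passed through `env`. The sample input is constructed from the Kiro snippet; the `PINNED` pattern and the fallback for entries without `--from` are assumptions of this example.

```python
import json
import re

# Constructed sample that mirrors the Kiro configuration shown above.
SAMPLE_CONFIG = """{"mcpServers": {"oscal": {
  "command": "uvx",
  "args": ["--from", "mcp-server-for-oscal@latest", "server"],
  "env": {"AWS_PROFILE": "your-aws-profile"},
  "autoApprove": ["query_oscal_documentation", "list_oscal_models"]}}}"""

# Assumed pin forms: name==1.2.3 or name@1.2.3. name@latest and a bare name fail.
PINNED = re.compile(r"^[A-Za-z0-9._-]+(==|@)\d[\w.!+-]*$")


def iter_servers(config):
    """Yield (name, entry) from the mcpServers map and the mcp.servers list."""
    yield from config.get("mcpServers", {}).items()
    for entry in config.get("mcp.servers", []):
        yield entry.get("name", "<unnamed>"), entry


def package_spec(entry):
    """Return the package spec uvx will resolve, or None if not launched by uvx."""
    if entry.get("command") != "uvx":
        return None
    args = entry.get("args", [])
    if "--from" in args[:-1]:
        return args[args.index("--from") + 1]
    # Heuristic (assumption): without --from, the first non-option argument
    # names the package.
    return next((a for a in args if not a.startswith("-")), None)


def audit(config):
    """Return (server, finding) tuples a reviewer should look at."""
    findings = []
    for name, entry in iter_servers(config):
        spec = package_spec(entry)
        if spec and not PINNED.match(spec):
            findings.append((name, f"unpinned package spec: {spec}"))
        for tool in entry.get("autoApprove", []):
            findings.append((name, f"auto-approved tool: {tool}"))
        for var in entry.get("env", {}):
            findings.append((name, f"env var passed to server: {var}"))
    return findings


if __name__ == "__main__":
    for server, finding in audit(json.loads(SAMPLE_CONFIG)):
        print(f"[{server}] {finding}")
```

Replacing `mcp-server-for-oscal@latest` with an exact requirement such as `mcp-server-for-oscal==0.1.3` (the release listed on this page) clears the first finding.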
Environment Variables
Generally, configuration should not be required. See the file dotenv.example for available options. Note that a dotenv file is only needed in a development environment. For typical runtime use of the MCP server, environment variables should be configured as described above.
Development
See DEVELOPING to get started.
Security
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
File details
Details for the file mcp_server_for_oscal-0.1.3.tar.gz.
File metadata
- Download URL: mcp_server_for_oscal-0.1.3.tar.gz
- Upload date:
- Size: 353.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a472f14c535302ca4144b4e8f875319f29349c4db6cbc7045579dc9a45241633 |
| MD5 | a32b37fe28924680eeb19515653e4158 |
| BLAKE2b-256 | c1b9f3ce26c210d9b71a462ff2dfa517b2ddb3545354c838423f0f52847f9882 |
Provenance
The following attestation bundles were made for mcp_server_for_oscal-0.1.3.tar.gz:
Publisher: release.yml on awslabs/mcp-server-for-oscal
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: mcp_server_for_oscal-0.1.3.tar.gz
  - Subject digest: a472f14c535302ca4144b4e8f875319f29349c4db6cbc7045579dc9a45241633
  - Sigstore transparency entry: 768114594
  - Sigstore integration time:
- Permalink: awslabs/mcp-server-for-oscal@b93a76deac0b4a91a18e179a94a5eb68b4f612b4
- Branch / Tag: refs/tags/v0.1.3
- Owner: https://github.com/awslabs
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@b93a76deac0b4a91a18e179a94a5eb68b4f612b4
- Trigger Event: release
File details
Details for the file mcp_server_for_oscal-0.1.3-py3-none-any.whl.
File metadata
- Download URL: mcp_server_for_oscal-0.1.3-py3-none-any.whl
- Upload date:
- Size: 342.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7dac978059f28208faeddd8f67989b2c1387a95d3f1fedc05f8d11f621698529 |
| MD5 | 594ce32804de47b2f84166be87b1436f |
| BLAKE2b-256 | 7851edc001f4d1651760ce65b8b3432af7c2817e7b59b41c520025646d6e848a |
Provenance
The following attestation bundles were made for mcp_server_for_oscal-0.1.3-py3-none-any.whl:
Publisher: release.yml on awslabs/mcp-server-for-oscal
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: mcp_server_for_oscal-0.1.3-py3-none-any.whl
  - Subject digest: 7dac978059f28208faeddd8f67989b2c1387a95d3f1fedc05f8d11f621698529
  - Sigstore transparency entry: 768114612
  - Sigstore integration time:
- Permalink: awslabs/mcp-server-for-oscal@b93a76deac0b4a91a18e179a94a5eb68b4f612b4
- Branch / Tag: refs/tags/v0.1.3
- Owner: https://github.com/awslabs
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@b93a76deac0b4a91a18e179a94a5eb68b4f612b4
- Trigger Event: release