OSCAL MCP Server

Add it to Claude Code

Run this in a terminal.

claude mcp add oscal-mcp -- uvx mcp-server-for-oscal
Instant OSCAL expertise for your favorite AI agent

MCP Server for OSCAL

A Model Context Protocol (MCP) server that provides AI assistants (Claude, Cline, Kiro, Claude Code, etc.) with tools to work with NIST's Open Security Controls Assessment Language (OSCAL). Like many early adopters, we needed help implementing OSCAL proofs-of-concept to demonstrate value to business stakeholders. Perhaps due to limited availability of examples in the public domain, we found that most AI agents/LLMs alone produced inconsistent results related to OSCAL. The tools in this MCP server minimized that problem for our use-case and we hope it does the same for you.

Tip: To get started, see Installation below.

Features

Together, the tools provided by this MCP server are meant to enable your preferred AI assistant to provide accurate, authoritative guidance about OSCAL architecture, models, use-cases, requirements, and implementation. You don't need to understand the tools to use them, but details are in the tools directory.

The server is lightweight and meant to run locally without additional setup. By default, it uses the stdio protocol for MCP transport. Do not attempt to use the server with streamable-http transport, as we've not yet implemented transport security or authentication.

The default tools should not connect to any remote services or resources - all required content is bundled with the server. As a security measure, we've implemented basic file integrity verification for bundled content. At build-time we generate manifests including SHA-256 hashes of all content files. Each time the server starts, all content files are verified against the hash manifests. Any mismatch should produce an error and prevent startup.
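The build-time manifest and startup check described above can be sketched as follows. This is an added example, not the project's own code; the manifest name `hashes.json`, its flat path-to-hash JSON layout, and all function names are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path

MANIFEST_NAME = "hashes.json"  # assumed name; the project's manifest format is not shown here


class IntegrityError(RuntimeError):
    """Raised when bundled content does not match its manifest."""


def sha256_file(path: Path) -> str:
    # Hash in chunks so large schema files are never loaded whole.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def content_files(root: Path) -> dict[str, Path]:
    # Every regular file under root except the manifest, keyed by POSIX-style relative path.
    return {p.relative_to(root).as_posix(): p
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def build_manifest(root: Path) -> Path:
    """Build-time step: record a SHA-256 for every content file."""
    hashes = {rel: sha256_file(p) for rel, p in content_files(root).items()}
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return out


def find_mismatches(root: Path) -> list[str]:
    """Startup step: list every discrepancy between disk and manifest."""
    expected = json.loads((root / MANIFEST_NAME).read_text())
    actual = content_files(root)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"unlisted: {rel}" for rel in actual if rel not in expected]
    problems += [f"modified: {rel}" for rel, p in actual.items()
                 if rel in expected and sha256_file(p) != expected[rel]]
    return sorted(problems)


def verify_or_abort(root: Path) -> None:
    """Refuse to start if any bundled file fails verification."""
    problems = find_mismatches(root)
    if problems:
        raise IntegrityError("; ".join(problems))
```

A manifest stored beside the content it describes catches corruption and partial modification; a change that rewrites both a file and its manifest entry is outside what this check can detect.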

Existing tools and features cover a variety of use-cases but are far from comprehensive. Please share your feedback, feature requests, questions, or bug reports in a GitHub issue. Direct contributions are wanted and welcome.

What is OSCAL?

OSCAL (Open Security Controls Assessment Language) is a set of framework-agnostic, vendor-neutral, machine-readable schemas developed by NIST that describe the full life cycle of GRC (governance, risk, compliance) artifacts, from controls to remediation plans. OSCAL enables automation of GRC workflows by replacing digital paper (spreadsheets, PDFs, etc.) with a standard-based structured data format. To learn more about OSCAL, install this MCP server then ask your AI. Or see the official OSCAL website.

What is MCP?

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Think of MCP like a USB-C port for AI applications. Just as USB-C provides a standardized way to connect electronic devices, MCP provides a standardized way to connect AI applications to external systems.

How to use / Examples

Examples below were created with kiro-cli, but should work with any AI assistant that supports MCP servers.

Example 1: Learn about available OSCAL models

 % kiro-cli

> /tools trust get_oscal_schema list_oscal_models list_oscal_resources

Tools '@oscal/get_oscal_schema', '@oscal/list_oscal_models', '@oscal/list_oscal_resources' are now trusted. I will not ask for confirmation before running these tools.

> How many GA OSCAL models are there? 

> I'll check the available OSCAL models to find out how many are in GA (Generally Available) status.
Running tool list_oscal_models with the param (from mcp server: oscal)
 ⋮  {}
 - Completed in 0.1s

> There are 8 GA OSCAL models:

Control Layer (3):
- Catalog
- Profile  
- Mapping

Tools (3)

get_oscal_schema: Retrieves specific OSCAL schema definitions.
list_oscal_models: Lists available OSCAL models and their status.
list_oscal_resources: Lists available OSCAL resources.

Configuration

claude_desktop_config.json
{"mcpServers": {"oscal": {"command": "uvx", "args": ["mcp-server-for-oscal"]}}}

Try it

How many GA OSCAL models are currently available?
Can you explain the structure of the OSCAL Catalog model?
List all available OSCAL resources I can use for my compliance project.
What is the difference between an OSCAL Catalog and an OSCAL Profile?

Frequently Asked Questions

What are the key features of OSCAL MCP Server?

Provides authoritative guidance on OSCAL architecture and models. Enables retrieval of OSCAL schemas and resource lists. Includes local file integrity verification for bundled content. Lightweight design optimized for local execution via stdio.

What can I use OSCAL MCP Server for?

Automating GRC workflows by replacing manual spreadsheets with OSCAL structured data. Assisting security teams in generating valid OSCAL documentation for compliance. Helping developers understand and implement NIST security controls using AI guidance.

How do I install OSCAL MCP Server?

Install OSCAL MCP Server by running: uvx mcp-server-for-oscal

What MCP clients work with OSCAL MCP Server?

OSCAL MCP Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
