FedRAMP 20x Requirements

An MCP server that provides access to FedRAMP 20x security requirements and controls.

# FedRAMP 20x MCP Server

[![Tests](https://github.com/KevinRabun/FedRAMP20xMCP/actions/workflows/test.yml/badge.svg)](https://github.com/KevinRabun/FedRAMP20xMCP/actions/workflows/test.yml)
[![PyPI version](https://img.shields.io/pypi/v/fedramp-20x-mcp.svg)](https://pypi.org/project/fedramp-20x-mcp/)
[![Python Versions](https://img.shields.io/pypi/pyversions/fedramp-20x-mcp.svg)](https://pypi.org/project/fedramp-20x-mcp/)

<!-- mcp-name: io.github.KevinRabun/FedRAMP20xMCP -->

An MCP (Model Context Protocol) server that provides access to FedRAMP 20x security requirements and controls with **Azure-first guidance**.

## Overview

This server loads FedRAMP 20x data from the official [FedRAMP documentation repository](https://github.com/FedRAMP/docs) and provides tools for querying requirements by control, family, or keyword.

**Data Sources:**
- **Requirements Data:** JSON files from [github.com/FedRAMP/docs](https://github.com/FedRAMP/docs) (root directory)
- **Documentation:** Markdown files from [github.com/FedRAMP/docs/tree/main/docs](https://github.com/FedRAMP/docs/tree/main/docs)

**Azure Focus:** All implementation examples, architecture patterns, and vendor recommendations prioritize Microsoft Azure services (Azure Government, Microsoft Entra ID, Azure Key Vault, AKS, Azure Functions, Bicep, etc.) while remaining cloud-agnostic where appropriate.

### Data Coverage

The server provides access to **321 requirements** (199 FRRs + 72 KSIs + 50 FRDs) across FedRAMP 20x documents:

**FedRAMP Requirements (FRR) - 199 requirements across 10 families:**
- **ADS** - Authorization Data Sharing (20 requirements)
- **CCM** - Collaborative Continuous Monitoring (25 requirements)
- **FSI** - FedRAMP Security Inbox (16 requirements)
- **ICP** - Incident Communications Procedures (9 requirements)
- **MAS** - Minimum Assessment Scope (12 requirements)
- **PVA** - Persistent Validation and Assessment (22 requirements)
- **RSC** - Recommended Secure Configuration (10 requirements)
- **SCN** - Significant Change Notifications (22 requirements)
- **UCM** - Using Cryptographic Modules (4 requirements)
- **VDR** - Vulnerability Detection and Response (57 requirements)
- **KSI** - Key Security Indicators (2 requirements)

**Key Security Indicators (KSI) - 72 indicators across 11 families:**
- **AFR** - Architecture, Features, and Resources (11 indicators)
- **CED** - Continuous Evidence Delivery (4 indicators)
- **CMT** - Continuous Monitoring and Testing (5 indicators)
- **CNA** - Cloud Native Architecture (8 indicators)
- **IAM** - Identity and Access Management (7 indicators)
- **INR** - Incident and Near-Miss Reporting (3 indicators)
- **MLA** - Monitoring, Logging, and Alerting (8 indicators)
- **PIY** - Privacy and Transparency (8 indicators)
- **RPL** - Resilience and Recovery Planning (4 indicators)
- **SVC** - Secure Coding and Vulnerability Management (10 indicators)
- **TPR** - Third-Party Risk Management (4 indicators)

**FedRAMP Definitions (FRD) - 50 official term definitions**

## Features

- **🎯 Automated Evidence Collection (NEW)**: Automation guidance for 65 active KSIs with Azure-native services, ready-to-use queries, and artifact specifications
- **Query by Control**: Get detailed information about specific FedRAMP requirements
- **Query by Family**: List all requirements within a family
- **Keyword Search**: Search across all requirements using keywords
- **FedRAMP Definitions**: Look up official FedRAMP term definitions
- **Key Security Indicators**: Access and query FedRAMP Key Security Indicators (KSI) with implementation status
- **Documentation Search**: Search and retrieve official FedRAMP documentation markdown files
- **Dynamic Content**: Automatically discovers and loads all markdown documentation files
- **Implementation Planning**: Generate strategic interview questions to help product managers and engineers think through FedRAMP 20x implementation considerations
- **AST-Powered Code Analysis**: Advanced Abstract Syntax Tree parsing using tree-sitter for accurate, context-aware security analysis across Python, C#, Java, TypeScript/JavaScript, Bicep, and Terraform
- **Semantic Analysis**: Deep code understanding with symbol resolution, control flow analysis, and interprocedural analysis capabilities
- **🚀 Pattern-Based Architecture**: Unified analysis engine with 381 YAML patterns across 23 requirement families, supporting compliance analysis for KSIs and FRRs
- **Pattern Engine**: Declarative YAML-driven detection across 14 languages with AST-first analysis and intelligent finding categorization
- **🎯 Context-Aware Filtering (NEW)**: Reduce false positives by specifying your application type (`cli-tool`, `mcp-server`, `web-app`, `api-service`, `iac-only`, `library`, `batch-job`, `full`) via the `application_profile` parameter on analysis tools
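The following is an added illustration of how declarative patterns, family categorization and the `application_profile` filter fit together; it is not code from the FedRAMP20xMCP project. Everything in it is an assumption made for the demonstration: the pattern schema (`id`, `family`, `regex`, `applies_to`, `message`), the rule that `full` disables profile filtering, the KSI family labels attached to each rule, and the two sample inputs, which are constructed. It also matches with line-oriented regular expressions instead of the tree-sitter AST analysis the server actually uses, so it shows the filtering logic, not the real detection depth.

```python
"""Toy pattern engine with application-profile filtering (added example).

Not the FedRAMP20xMCP project's own code. The pattern schema, the profile
semantics, the family labels and the sample sources are all constructed
assumptions used only to show how profile-aware filtering reduces noise.
"""
import re
from dataclasses import dataclass

# Rules written the way a declarative YAML rule file might express them
# (hypothetical schema; the project's real YAML layout is not shown here).
PATTERNS = [
    {
        "id": "hardcoded-secret",
        "family": "KSI-SVC",  # illustrative family label, not an official mapping
        "regex": r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]{8,}['\"]",
        "applies_to": ["cli-tool", "mcp-server", "web-app", "api-service",
                       "iac-only", "library", "batch-job"],
        "message": "credential literal committed to source",
    },
    {
        "id": "http-listener-no-tls",
        "family": "KSI-CNA",
        "regex": r"\.run\([^)]*ssl_context\s*=\s*None",
        # A CLI tool or library never opens a listener, so this rule is
        # suppressed for those profiles instead of producing a false positive.
        "applies_to": ["web-app", "api-service"],
        "message": "network listener started without TLS",
    },
    {
        "id": "blob-public-access",
        "family": "KSI-CNA",
        "regex": r"allowBlobPublicAccess\s*:\s*true",
        "applies_to": ["iac-only", "web-app", "api-service"],
        "message": "storage account permits anonymous blob access",
    },
]

# Profile names from the README's application_profile parameter.
VALID_PROFILES = {"cli-tool", "mcp-server", "web-app", "api-service",
                  "iac-only", "library", "batch-job", "full"}


@dataclass(frozen=True)
class Finding:
    pattern_id: str
    family: str
    line: int
    message: str


def active_patterns(application_profile: str) -> list:
    """Select the rules that apply to a profile; 'full' runs everything (assumed semantics)."""
    if application_profile not in VALID_PROFILES:
        raise ValueError(f"unknown application_profile: {application_profile!r}")
    if application_profile == "full":
        return list(PATTERNS)
    return [p for p in PATTERNS if application_profile in p["applies_to"]]


def scan(source: str, application_profile: str = "full") -> list:
    """Run the active rules line by line and return findings sorted by line."""
    findings = []
    for pattern in active_patterns(application_profile):
        rx = re.compile(pattern["regex"])
        for lineno, text in enumerate(source.splitlines(), start=1):
            if rx.search(text):
                findings.append(Finding(pattern["id"], pattern["family"], lineno, pattern["message"]))
    return sorted(findings, key=lambda f: (f.line, f.pattern_id))


def summarize_by_family(findings: list) -> dict:
    """Count findings per family label so results can be reported per KSI family."""
    counts: dict = {}
    for f in findings:
        counts[f.family] = counts.get(f.family, 0) + 1
    return counts


# Constructed sample inputs (not real project files).
SAMPLE_PY = '''import flask
API_KEY = "sk-constructed-sample-value-0001"
app = flask.Flask(__name__)
app.run(host="0.0.0.0", port=8080, ssl_context=None)
'''

SAMPLE_BICEP = '''resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stconstructed'
  properties: {
    allowBlobPublicAccess: true
  }
}
'''

if __name__ == "__main__":
    for profile in ("cli-tool", "web-app", "full"):
        print(profile, [(f.line, f.pattern_id) for f in scan(SAMPLE_PY, profile)])
    print("iac-only", [(f.line, f.pattern_id) for f in scan(SAMPLE_BICEP, "iac-only")])
```

Scanning the same Python sample as a `cli-tool` yields only the hard-coded credential, while `web-app` additionally reports the listener without TLS; the Bicep sample produces nothing under `cli-tool` and one public-access finding under `iac-only`. The point is that profile filtering is applied at rule-selection time, before any matching runs, so suppressed rules cost nothing and cannot leak into the report.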

### Pattern-Based Analysis Architecture

The server uses a **unified pattern-based architecture** for all FedRAMP 20x compliance analysis:

**Archi