nist-mcp
A Model Context Protocol (MCP) server that gives AI assistants structured access to the full NIST cybersecurity catalog: SP 800 and SP 1800 publications, SP 800-53 Rev 5 security controls, NIST CSF 2.0, the NVD vulnerability database (CVEs and CPEs), FIPS 140-2/3 validated cryptographic modules (CMVP), NCP security checklists, the NIST glossary, and NICE Framework work roles — all served from a local SQLite index that builds automatically on first use (~2 seconds) by downloading structured data directly from NIST.
Installation
pipx install nist-mcp
# or
pip install nist-mcp
Configuration
Environment Variables
| Variable | Default | Description |
|---|---|---|
NIST_MCP_DATA_DIR | ~/.nist-mcp | Directory for the local database and cached documents |
NIST_MCP_NVD_API_KEY | (none) | Optional NVD API key for higher rate limits (recommended) |
NIST_MCP_UPDATE_INTERVAL | 604800 | Seconds between background database rebuilds (default: 7 days) |
config.toml
Create ~/.nist-mcp/config.toml (or $NIST_MCP_DATA_DIR/config.toml) for persistent settings:
nvd_api_key = "your-api-key-here"
update_interval = 43200 # 12 hours
Environment variables take precedence over the config file.
MCP Client Config
Add to your MCP client's server list (e.g. Claude Desktop claude_desktop_config.json):
{
"mcpServers": {
"nist": {
"command": "nist-mcp",
"env": {
"NIST_MCP_NVD_API_KEY": "your-api-key-here"
}
}
}
}
On first run, the server builds a local database by downloading structured data from NIST (~2 seconds). The database is cached and rebuilt automatically when stale (default: every 7 days).
Available Tools
| Tool | Description |
|---|---|
search_nist | Meta-search across all 7 NIST data sources at once — use as starting point |
update_database | Rebuild the local NIST index by downloading fresh data from NIST sources |
database_status | Show database version, size, last update check, and file path |
search_publications | Full-text search across all NIST publication series (SP 800, SP 1800, FIPS, IR, CSWP, AI) |
get_publication | Full metadata for a specific publication: abstract, authors, supplemental materials |
get_document_content | Read publication content as Markdown (PDF, XLSX, CSV, JSON, XML); returns TOC by default |
download_document | Download a publication PDF or supplemental file to local cache |
get_latest_revision | Resolve any publication ID to its newest available revision |
search_controls | Search SP 800-53 Rev 5 controls by keyword, control family, or baseline level |
get_control | Full detail for a specific control: statement, guidance, parameters, baselines, CSF mappings |
get_csf_data | Browse/search the NIST CSF 2.0 hierarchy (functions, categories, subcategories) |
get_framework_mappings | Cross-reference between SP 800-53 controls and CSF subcategories, bidirectionally |
lookup_glossary | Look up NIST cybersecurity/privacy term definitions with authoritative source |
search_cmvp | Search FIPS 140-2/3 validated cryptographic modules by vendor, algorithm, or validation level |
search_checklists | Search NCP security configuration checklists by product, format, or authority |
search_nice_roles | Search NICE Framework work roles by keyword or category |
search_cves | Search the NVD CVE database by keyword, severity, CPE product, CWE, date range, or KEV status |
get_cve | Full CVE details: CVSS scores, affected products, CWE, references, and CISA KEV status |
search_cpes | Search the NVD CPE product dictionary by keyword or CPE name prefix |
get_cve_history | Audit trail of changes to a CVE (score updates, CPE additions, CWE remaps) |
Available Resources
| URI | Description |
|---|---|
nist://about | Server version, database freshness, and quick-start tool guide |
nist://controls/families | All 20 SP 800-53 Rev 5 control families with one-line descriptions |
nist://controls/baselines | LOW, MODERATE, HIGH, and PRIVACY baselines with control counts and descriptions |
nist://csf/overview | CSF 2.0 structure: the 6 core Functions with descriptions |
nist://glossary/common | ~30 most commonly referenced NIST cybersecurity terms and definitions |
Available Prompts
| Prompt | Parameters | Description |
|---|---|---|
compliance_assessment | system_description, baseline (default: MODERATE) | Step-by-step workflow to assess a system against an SP 800-53 baseline |
vulnerability_analysis | cve_id, system_description (optional) | Analyze a CVE's impact, affected components, and applicable NIST controls |
policy_draft | control_family | Draft a security policy document grounded in SP 800-53 Rev 5 |
incident_response_guide | incident_type | NIST-based guidance for detecting, containing, and recovering from a security incident |
Quick Examples
Find NIST guidance on zero trust
search_nist("zero trust architecture")
Look up the SP 800-207 publication
search_publications("zero trust")
get_publication("SP.800-207")
Review access control requirements for a MODERATE system
search_controls(family="ac", baseline="MODERATE", detail_level="standard")
get_control("AC-2", include_enhancements=True)
Analyze Log4Shell
get_cve("CVE-2021-44228")
Check if your cryptographic library is FIPS validated
search_cmvp(vendor="OpenSSL", fips_level=1)
Find CSF guidance on incident response
get_csf_data(function="RS")
get_csf_data(function="RC")
Use a workflow prompt
compliance_assessment(
system_description="Web application processing PII, hosted on AWS, with MFA for admin access",
baseline="MODERATE"
)
License
MIT license. Note that the optional pymupdf4llm dependency (used for PDF-to-Markdown conversion) is licensed under AGPL-3.0. If AGPL is not acceptable for your use case, the server functions fully without it for all non-document-content tools; remove pymupdf4llm from your installation and get_document_content will fall back to pdfplumber for PDF parsing.