Which integrations are available for this server?

Enables automatic cloning, updating, and management of the FedRAMP documentation repository for local analysis and querying Provides access to the FedRAMP/docs repository for querying compliance documentation, FRMR datasets, and security guidance materials

How do I use FedRAMP Docs MCP Server?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@FedRAMP Docs MCP Server search for vulnerability detection requirements in the latest FRMR documents" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

The FedRAMP Docs MCP Server provides structured, queryable access to FedRAMP compliance documentation through 20 specialized tools, enabling AI-powered analysis of Federal Risk and Authorization Management Program requirements.

Core Capabilities:

• Document Discovery & Access - List and retrieve 12 FRMR document types (KSI, MAS, VDR, SCN, FRD, ADS, CCM, FSI, ICP, PVA, RSC, UCM) with version tracking and structured diffing between versions

• Key Security Indicators (KSI) Analysis - Filter and inspect 72 KSI requirements by ID, impact level (low/moderate/high), category, or text; access comprehensive theme summaries for 11 themes (IAM, CNA, MLA, CMT, SVC, INR, RPL, TPR, AFR, PIY, CED) with related NIST controls

• Evidence Collection Support - Get community-suggested, automation-friendly evidence examples including API calls, CLI commands, and security tool integrations for KSI compliance

• NIST Control Mapping - Flatten FRMR→control mappings, find all FedRAMP requirements for specific NIST controls, analyze control family coverage, and search control references in documentation

• Documentation Search & Lookup - Full-text search across 62+ markdown files with Lunr indexing, read specific markdown contents, search FedRAMP definitions by term, and retrieve any requirement by ID

• Change Analysis - Compute structured diffs between document versions with per-item change detection and aggregate guidance on Significant Change notifications

• Repository Management - Auto-clones to ~/.cache/fedramp-docs, automatic updates every 24 hours (configurable), manual force updates, and health checks for indexing status

• AI Tool Integration - Compatible with Claude Desktop, Claude Code, LM Studio, OpenCode, Goose, and Kiro, offering slash commands, agent skills, and a specialized compliance analyst agent

• Deployment Options - Local development, global installation, or Docker containers with security hardening

Use Cases: Compliance analysis, control mapping, evidence planning, change tracking, documentation research, dashboard design, and authorization preparation.

FedRAMP Docs MCP Server

Disclaimer: This is an unofficial, community project and is not affiliated with, endorsed by, or associated with FedRAMP or the U.S. federal government. The author is not officially affiliated with FedRAMP. The FedRAMP name and any related marks are property of their respective owners.

Custom Model Context Protocol (MCP) server that makes the FedRAMP/docs repository queryable with FRMR-aware tooling. The server scans FRMR JSON datasets and supporting markdown guidance, exposes structured tools for analysis, and can optionally clone and cache the upstream repository for you.

Demo

See the FedRAMP Docs MCP Server in action with Claude Desktop:

https://github.com/user-attachments/assets/653c3956-0bfb-46c4-9e72-8a6d75e3a80d

Documentation

Resource	Description
Quick Start Guide	Get running in under 5 minutes
Full Documentation	Complete guides and reference
MCP Client Setup	Configure Claude Desktop, Cursor, VS Code
Tools Reference	All 20 MCP tools with parameters
Troubleshooting	Common issues and solutions

Additional resources:

Local Development - Build from source
Docker Setup - Container deployment
Security Hardening - Production configurations
Contributing - How to contribute

Prerequisites

Node.js 18 or higher
npm 8 or higher

Features

Auto-detects all 12 FRMR JSON document types and builds typed metadata.
Extracts KSI entries, flattened control mappings, and Significant Change references.
Fast markdown search via an inverted index backed by Lunr with snippets and line numbers.
Indexes 62+ markdown files from tools/site/content/ (Zensical static site content).
Structured diffing between FRMR versions, including per-item change detection.
Health check, version listing, and curated Significant Change guidance aggregator.
Claude Plugin with slash commands, agent skills, and compliance analyst agent.
Docker support with security hardening following 2025 best practices.

Supported Document Types

Type	Full Name
KSI	Key Security Indicators
MAS	Minimum Assessment Scope
VDR	Vulnerability Detection and Response
SCN	Significant Change Notifications
FRD	FedRAMP Definitions
ADS	Authorization Data Sharing
CCM	Collaborative Continuous Monitoring
FSI	FedRAMP Security Inbox
ICP	Incident Communications Procedures
PVA	Persistent Validation and Assessment
RSC	Recommended Secure Configuration
UCM	Using Cryptographic Modules

Getting Started

Local Development

Install dependencies:

npm install

Build the project:

npm run build

Run the server:

node dist/index.js

Global Installation

To install globally and use the fedramp-docs-mcp command:

npm install -g . fedramp-docs-mcp

Note: Global installation is required if you want to use fedramp-docs-mcp as the command in MCP client configurations (Claude Desktop, Goose, etc.). Alternatively, you can use the full path to the built server: node /path/to/fedramp-docs-mcp/dist/index.js

CLI Commands

The package includes helpful CLI commands:

# Show help and usage information npx fedramp-docs-mcp help # Install Claude Code plugin npx fedramp-docs-mcp setup # Print MCP server configuration for Claude Desktop/Code npx fedramp-docs-mcp mcp-config # Start MCP server (used by MCP clients) npx fedramp-docs-mcp

During startup the server ensures a FedRAMP/docs repository is available, indexes FRMR JSON and markdown content, then begins serving requests on MCP stdio.

Configuration

Environment variables control repository discovery and indexing behaviour:

Variable	Default	Description
`FEDRAMP_DOCS_PATH`	`~/.cache/fedramp-docs`	Path to an existing FedRAMP/docs checkout.
`FEDRAMP_DOCS_REMOTE`	`https://github.com/FedRAMP/docs`	Remote used when cloning.
`FEDRAMP_DOCS_BRANCH`	`main`	Branch to checkout when cloning.
`FEDRAMP_DOCS_ALLOW_AUTO_CLONE`	`true`	Clone automatically when the path is missing.
`FEDRAMP_DOCS_AUTO_UPDATE`	`true`	Automatically check for and fetch repository updates.
`FEDRAMP_DOCS_UPDATE_CHECK_HOURS`	`24`	Hours between automatic update checks (when auto-update is enabled).
`FEDRAMP_DOCS_INDEX_PERSIST`	`true`	Persist the in-memory index under `~/.cache/fedramp-docs/index-v1.json`.

Set FEDRAMP_DOCS_PATH if you maintain a local clone. Otherwise leave it unset and allow the server to create a shallow cached copy.

Keeping Data Up-to-Date

The server includes automatic update checking to keep the FedRAMP docs current:

Automatic Updates (Default Behavior):

Every 24 hours (configurable), the server checks if the cached repository needs updating
If updates are available, they're fetched automatically on server startup
This ensures you always have recent FedRAMP data without manual intervention

Manual Updates:

Use the update_repository tool to force an immediate update
Example query in Claude Desktop: "Update the FedRAMP docs repository"
Useful when you know new requirements or guidance has been published

Disabling Auto-Update:

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "false" } } } }

Custom Update Frequency (check every 6 hours):

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "env": { "FEDRAMP_DOCS_UPDATE_CHECK_HOURS": "6" } } } }

Available Tools

The server provides 20 tools organized into categories. All tools follow the error model and respond with JSON payloads.

Document Discovery

Tool	Description
`list_frmr_documents`	Enumerate indexed FRMR JSON documents
`get_frmr_document`	Return full JSON and summary for a document
`list_versions`	Collate version metadata by FRMR document type

KSI (Key Security Indicators)

Tool	Description
`list_ksi`	Filter and inspect Key Security Indicators
`get_ksi`	Get a specific KSI item by ID
`filter_by_impact`	Filter KSI items by impact level (low/moderate/high)
`get_theme_summary`	Get comprehensive guidance for a KSI theme (IAM, CNA, etc.)
`get_evidence_examples`	Get automation-friendly evidence suggestions for KSI compliance (community suggestions, not official FedRAMP)

Control Mapping

Tool	Description
`list_controls`	Flatten FRMR → control mappings
`get_control_requirements`	Get all requirements mapped to a specific control
`analyze_control_coverage`	Report which control families have FedRAMP requirements

Search & Lookup

Tool	Description
`search_markdown`	Full-text search across documentation
`read_markdown`	Read specific markdown file contents
`search_definitions`	Search FedRAMP definitions (FRD) by term
`get_requirement_by_id`	Get any FRMR requirement by ID (KSI-, FRR-, FRD-*)

Analysis

Tool	Description
`diff_frmr`	Structured diff of two FRMR datasets
`grep_controls_in_markdown`	Locate control references in markdown
`get_significant_change_guidance`	Curated Significant Change references

System

Tool	Description
`health_check`	Confirm the server indexed successfully
`update_repository`	Force update the cached FedRAMP docs

Evidence Collection Suggestions

The get_evidence_examples tool provides community-suggested evidence examples for each KSI. These are automation-friendly suggestions showing how to programmatically collect compliance evidence via APIs, CLI commands, and security tools.

Important: These are NOT official FedRAMP guidance. Always verify requirements with official FedRAMP documentation.

What's Included

For each of the 72 KSI indicators, we provide:

Evidence types: API calls, reports, scans, logs, configurations, documentation
Automation sources: AWS, Azure, GCP, Okta, Splunk, Terraform, GitHub Actions, etc.
Example commands: Ready-to-use CLI commands and API endpoints

Example Evidence Sources by Theme

Theme	Example Sources
IAM	Okta/Entra MFA policies, AWS IAM credential reports, PAM tools (CyberArk, Vault)
CNA	AWS Security Groups, VPC Flow Logs, Container scans (Trivy), CSPM (Wiz, Prisma)
MLA	SIEM config (Splunk, Sentinel), CloudTrail, IaC scans (Checkov, tfsec)
CMT	Git history, CI/CD pipelines (GitHub Actions), Change tickets (ServiceNow, Jira)
SVC	TLS scans (SSL Labs), Secrets Manager rotation, Patch compliance (SSM)
INR	PagerDuty incidents, Post-mortems (Blameless), ServiceNow tickets
RPL	AWS Backup reports, DR test logs, Chaos engineering results
TPR	Vendor ratings (SecurityScorecard), Dependency scans (Dependabot, Snyk)

Usage Example

"What evidence do I need for KSI-IAM-01 (Phishing-Resistant MFA)?" → Returns suggested API calls, CLI commands, and artifacts to collect "Get evidence checklist for the CNA theme" → Returns automation sources for all Cloud Native Architecture indicators

See src/tools/ for the precise schemas implemented with Zod. Each tool returns either a successful object or an error payload containing code, message, and optional hint.

Usage Examples

When using the MCP server with Claude Desktop or other MCP clients, here are some example queries:

Getting KSI Information:

"List all available FedRAMP documents" → Uses list_frmr_documents "Show me all KSI items for moderate impact systems" → Uses filter_by_impact with impact='moderate' "Give me a summary of the IAM theme requirements" → Uses get_theme_summary with theme='IAM' "What evidence do I need for IAM compliance?" → Uses get_evidence_examples with theme='IAM'

Searching Documentation:

"Search for information about continuous monitoring" → Uses search_markdown with query 'continuous monitoring' "What does 'federal customer data' mean in FedRAMP?" → Uses search_definitions with term='federal customer data' "Get the details for requirement KSI-IAM-01" → Uses get_requirement_by_id with id='KSI-IAM-01'

Working with Controls:

"What FedRAMP requirements map to control AY-01?" → Uses get_control_requirements with control='AY-01' "Which control families have the most FedRAMP coverage?" → Uses analyze_control_coverage "Find all markdown files that reference AC-2" → Uses grep_controls_in_markdown with control='AC-2'

Analyzing Changes:

"What's new in the latest KSI release?" → Uses list_versions then diff_frmr to compare versions "Show significant change guidance" → Uses get_significant_change_guidance

Advanced Queries: Dashboard & Architecture Insights

These prompts combine FedRAMP data with Claude's analytical capabilities to help you design compliance dashboards and features:

Dashboard Architecture:

"Using the FedRAMP KSI data, design a compliance dashboard architecture. What components would I need? How should I structure the data for real-time monitoring?" "Get all KSI themes and their indicators. Then recommend how to organize them into a dashboard with drill-down navigation."

Visualization Design:

"Analyze the FedRAMP control coverage data. What would be the best chart types to visualize control family coverage? Suggest a color scheme for compliance status." "List the KSIs filtered by impact level. Design a risk heat map visualization showing low/moderate/high impact requirements."

Feature Planning:

"Get the evidence checklist from FedRAMP. How would you build a feature that tracks evidence collection progress with percentage completion per KSI theme?" "What are the requirements for AC-2 (Account Management)? Design a feature that helps users track their implementation status against these requirements."

Data Modeling:

"Analyze the structure of KSI indicators and their control mappings. What database schema would you recommend for a compliance tracking app?" "Get a theme summary for IAM. How would you model the relationship between KSIs, NIST controls, and evidence in a graph database?"

Executive Reporting:

"Using the control coverage analysis, design an executive summary dashboard that shows compliance posture at a glance." "Analyze all high-impact KSI requirements and create a prioritized remediation roadmap template."

MCP Client Configuration

The FedRAMP Docs MCP server works with any MCP-compatible client. Below are setup instructions for the most popular and reliable clients.

Recommended clients:

Claude Desktop - Most mature MCP integration, excellent tool discovery
Claude Code CLI - Official Anthropic CLI tool, great for terminal workflows
LM Studio - Native MCP support, works with local models for privacy
OpenCode - Terminal-based coding agent with MCP support
Goose - Experimental support, may have tool discovery issues

Claude Desktop

Add the server to your Claude Desktop configuration file:

Location: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)

Option 1: Using npx (Recommended - no install required)

{ "mcpServers": { "fedramp-docs": { "command": "npx", "args": ["fedramp-docs-mcp"], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

Option 2: Global installation

npm install -g fedramp-docs-mcp

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "env": { "FEDRAMP_DOCS_PATH": "/path/to/FedRAMP/docs" } } } }

After updating the config, restart Claude Desktop. The FedRAMP Docs tools will appear in your conversations.

Claude Code CLI

Claude Code is Anthropic's official CLI tool with built-in MCP support.

Method 1: Using CLI (Recommended)

# Add the FedRAMP Docs MCP server claude mcp add --transport stdio fedramp-docs fedramp-docs-mcp # With full path claude mcp add --transport stdio fedramp-docs /path/to/node/bin/fedramp-docs-mcp # List configured servers claude mcp list # Remove if needed claude mcp remove fedramp-docs

Method 2: Configuration File

Claude Code supports three configuration scopes:

Project-scoped (recommended for teams): .mcp.json in project root
User-scoped: ~/.claude/settings.local.json
Project-local: .claude/settings.local.json in project root

Example

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "args": [], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

With environment variable expansion:

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "args": [], "env": { "FEDRAMP_DOCS_PATH": "${HOME}/fedramp-docs", "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

Testing:

Restart Claude Code after configuration changes
Use /mcp command for interactive management
Use --mcp-debug flag for troubleshooting: claude --mcp-debug
Verify with: claude mcp list

Note: Project-scoped configurations in .mcp.json enable team collaboration by ensuring all team members have access to the same MCP tools.

LM Studio

LM Studio (v0.3.17+) has native MCP support and works great with local models for privacy-focused workflows.

Setup Instructions

Open LM Studio and click the Program tab (terminal icon >_) in the right sidebar
Click "Edit mcp.json" under the Install section
Add the FedRAMP Docs configuration:

Config file location:

macOS/Linux: ~/.lmstudio/mcp.json
Windows: %USERPROFILE%\.lmstudio\mcp.json

Basic configuration:

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "args": [], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

Using full path (recommended if command not found):

{ "mcpServers": { "fedramp-docs": { "command": "/path/to/node/bin/fedramp-docs-mcp", "args": [], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true", "FEDRAMP_DOCS_PATH": "/path/to/FedRAMP/docs" } } } }

Save the file - LM Studio will automatically load the server
Start chatting - Open a chat with any local model
Test it - Ask: "List all FedRAMP FRMR documents"
Approve tool calls - LM Studio will show a confirmation dialog before executing each tool

Note: Requires global installation (npm install -g .) or use the full path to the executable. Find your path with: which fedramp-docs-mcp

OpenCode

OpenCode is a powerful AI coding agent built for the terminal with native MCP support.

Setup Instructions

Create or edit your OpenCode configuration file:

Config file location:

Global: ~/.config/opencode/opencode.json
Project: opencode.json (in your project root)

Add the FedRAMP Docs MCP server:

Basic configuration:

{ "mcp": { "fedramp-docs": { "type": "local", "command": ["fedramp-docs-mcp"], "enabled": true } } }

With full path:

{ "mcp": { "fedramp-docs": { "type": "local", "command": ["/path/to/node/bin/fedramp-docs-mcp"], "enabled": true } } }

With environment variables:

{ "mcp": { "fedramp-docs": { "type": "local", "command": ["fedramp-docs-mcp"], "enabled": true, "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true", "FEDRAMP_DOCS_PATH": "/path/to/FedRAMP/docs" } } } }

Restart OpenCode to load the MCP server
Test it - The FedRAMP tools will be automatically available alongside built-in tools

Note: MCP servers add to your context, so enable only the ones you need. Use "enabled": false to temporarily disable a server without removing it.

Goose

Goose is Block's open-source AI agent. You can add the FedRAMP Docs MCP server using any of these methods:

Method 1: Via Goose CLI (Recommended)

goose configure

Then select:

Add Extension
Command-line Extension
Enter the following details:
- Name: FedRAMP Docs
- Command: fedramp-docs-mcp
- Timeout: 300

Method 2: Via Goose Desktop App

Open Goose Desktop
Click Extensions in the sidebar
Click Add custom extension
Fill in the form:
- Extension Name: FedRAMP Docs
- Type: STDIO
- Command: fedramp-docs-mcp
- Timeout: 300
- Environment Variables: (optional)
  - FEDRAMP_DOCS_PATH: /path/to/FedRAMP/docs
  - FEDRAMP_DOCS_AUTO_UPDATE: true

Method 3: Via Config File

Edit ~/.config/goose/config.yaml (Linux/macOS) or %USERPROFILE%\.config\goose\config.yaml (Windows):

extensions: fedramp-docs: name: FedRAMP Docs cmd: fedramp-docs-mcp enabled: true type: stdio timeout: 300 envs: FEDRAMP_DOCS_PATH: "/path/to/FedRAMP/docs" # optional FEDRAMP_DOCS_AUTO_UPDATE: "true" # optional

After configuration, restart Goose or reload extensions. You can test by asking: "What FedRAMP tools are available?"

Note: Goose's MCP support is still maturing and may have issues discovering tools from stdio servers. If you experience problems with tool discovery, consider using Claude Desktop, Claude Code CLI, LM Studio, or OpenCode instead.

Kiro

Kiro is AWS's spec-driven IDE with native MCP support.

Setup Instructions

Open Kiro MCP settings:
- Global: ~/.kiro/settings/mcp.json
- Project: .kiro/settings/mcp.json (takes precedence)
Add the FedRAMP Docs configuration:

{ "mcpServers": { "fedramp-docs": { "command": "npx", "args": ["-y", "fedramp-docs-mcp"], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

With global installation:

{ "mcpServers": { "fedramp-docs": { "command": "fedramp-docs-mcp", "args": [], "env": { "FEDRAMP_DOCS_AUTO_UPDATE": "true" } } } }

Save the file - Kiro automatically loads MCP servers on config change
Test it - Ask Kiro: "List all FedRAMP FRMR documents"

Note: Requires global installation (npm install -g fedramp-docs-mcp) or use npx. Find your path with: which fedramp-docs-mcp

MCP Inspector (Debugging)

The MCP Inspector is an official tool for testing and debugging MCP servers. It provides a visual UI to interactively call tools and explore resources.

Requirements: Node.js 22.7.5 or later

Interactive UI:

# Start the inspector with fedramp-docs-mcp npx @modelcontextprotocol/inspector node dist/index.js # Or if installed globally npx @modelcontextprotocol/inspector fedramp-docs-mcp

Open http://localhost:6274 to access the UI, then test tools like:

health_check - Verify the server is working
list_frmr_documents - See all indexed FedRAMP documents
list_ksi - Browse Key Security Indicators

CLI Mode (Quick Testing):

# List all available tools npx @modelcontextprotocol/inspector --cli node dist/index.js --method tools/list # Call a specific tool npx @modelcontextprotocol/inspector --cli node dist/index.js \ --method tools/call --tool-name health_check

Export Configuration: The Inspector UI includes buttons to copy server configurations for Claude Desktop, Cursor, and other MCP clients.

Claude Plugin

The repository includes a Claude Code plugin that provides slash commands, agent skills, and a specialized compliance analyst agent.

Quick Install

In Claude Code, run:

/plugin marketplace add ethanolivertroy/fedramp-docs-mcp /plugin install fedramp-docs

That's it! The plugin is ready to use.

# One-command setup npx fedramp-docs-mcp setup # Then start Claude Code with the plugin claude --plugin-dir ~/.fedramp-docs-mcp/plugin

Or add an alias to your shell profile:

alias claude-fedramp='claude --plugin-dir ~/.fedramp-docs-mcp/plugin'

Available Commands

Command	Description
`/fedramp-docs:search <query>`	Search FedRAMP documentation
`/fedramp-docs:search-definitions <term>`	Search FedRAMP definitions
`/fedramp-docs:list-controls [family]`	List NIST controls
`/fedramp-docs:control-requirements <control>`	Get requirements for a NIST control
`/fedramp-docs:control-coverage`	Analyze NIST control coverage
`/fedramp-docs:list-ksi [filter]`	List Key Security Indicators
`/fedramp-docs:filter-impact <level>`	Filter KSI by impact level
`/fedramp-docs:theme-summary <theme>`	Get theme guidance
`/fedramp-docs:evidence-checklist [theme]`	Get evidence checklist
`/fedramp-docs:get-requirement <id>`	Get requirement by ID
`/fedramp-docs:list-documents`	List all FRMR documents
`/fedramp-docs:compare <doc1> <doc2>`	Compare document versions
`/fedramp-docs:health`	Check MCP server status

Agent Skills

frmr-analysis - Automatically invoked when analyzing FRMR documents or control mappings
control-mapping - Automatically invoked when mapping NIST controls to FedRAMP requirements

See plugin/README.md for full documentation.

Docker

Run the MCP server in a security-hardened Docker container.

Quick Start

# Build the image docker build -t fedramp-docs-mcp . # Run interactively (for MCP stdio) docker run --rm -i \ --security-opt no-new-privileges:true \ --cap-drop ALL \ --read-only \ --memory 512m \ -v fedramp-cache:/home/mcpuser/.cache/fedramp-docs \ fedramp-docs-mcp

Docker Compose

# Start with docker-compose (security hardening included) docker compose up -d

Claude Desktop with Docker

Configure Claude Desktop to use the Docker container:

{ "mcpServers": { "fedramp-docs": { "command": "docker", "args": [ "run", "--rm", "-i", "--security-opt", "no-new-privileges:true", "--cap-drop", "ALL", "--read-only", "--memory", "512m", "-v", "fedramp-cache:/home/mcpuser/.cache/fedramp-docs", "fedramp-docs-mcp:latest" ] } } }

Security Features

The Docker setup follows 2025 MCP security best practices:

Non-root user: Runs as mcpuser (UID 1001)
Read-only filesystem: Prevents unauthorized modifications
Dropped capabilities: --cap-drop ALL removes all Linux capabilities
No new privileges: Prevents privilege escalation
Resource limits: Memory and CPU constraints
Network isolation: Internal network with no external access by default

Development

Running in Development Mode

Use tsx for rapid iteration without building:

npm run dev

This runs the TypeScript source directly, automatically recompiling on changes.

Running Tests

The repository includes Vitest-based unit and contract tests with small fixtures:

npm test

Tests set FEDRAMP_DOCS_PATH to tests/fixtures/repo, ensuring the indexer, search, and diff logic run deterministically without needing the real FedRAMP repo.

Code Structure

The codebase uses:

TypeScript 5.4+ with strict mode enabled
ES Modules ("type": "module" in package.json)
Node.js module resolution (moduleResolution: "NodeNext")
Zod for runtime schema validation
MCP SDK v1.24+ for server implementation

Project Structure

src/ index.ts # MCP bootstrap repo.ts # repo discovery and cloning indexer.ts # FRMR + markdown indexing logic frmr.ts # FRMR-centric helpers search.ts # markdown search + aggregations diff.ts # structured FRMR diff engine tools/ # individual MCP tool handlers

Fixtures live under tests/fixtures, while Vitest specs reside in tests/.

Troubleshooting

Build Errors

Error:

Ensure you have the correct SDK version installed:

npm install @modelcontextprotocol/sdk@^1.20.0

Error:

The project uses ES modules with NodeNext resolution. Make sure you're using Node.js 18+ and that your TypeScript configuration matches:

{ "compilerOptions": { "module": "NodeNext", "moduleResolution": "NodeNext" } }

Runtime Errors

Error:

The server couldn't clone the FedRAMP docs repository. Check:

Network connectivity
Set FEDRAMP_DOCS_PATH to an existing local clone, or
Ensure FEDRAMP_DOCS_ALLOW_AUTO_CLONE=true (default)

Server starts but no tools appear

Verify the build completed successfully:

npm run build ls dist/ # Should contain index.js, tools/, etc.

Development Issues

TypeScript errors about missing types

Install all development dependencies:

npm install

Required type packages:

@types/node
@types/fs-extra
@types/lunr
@types/glob

Install Server

security – no known vulnerabilities

license - permissive license

quality - confirmed to work

How are these scores calculated?

Resources

Need Help?

Report Issue

Related Servers

Tools

View all tools

FedRAMP Docs MCP Server

Demo

Documentation

Prerequisites

Features

Supported Document Types

Getting Started

Local Development

Global Installation

CLI Commands

Configuration

Keeping Data Up-to-Date

Available Tools

Document Discovery

KSI (Key Security Indicators)

Control Mapping

Search & Lookup

Analysis

System

Evidence Collection Suggestions

What's Included

Example Evidence Sources by Theme

Usage Example

Usage Examples

Advanced Queries: Dashboard & Architecture Insights

MCP Client Configuration

Claude Desktop

Claude Code CLI

Method 1: Using CLI (Recommended)

Method 2: Configuration File

LM Studio

Setup Instructions

OpenCode

Setup Instructions

Goose

Method 1: Via Goose CLI (Recommended)

Method 2: Via Goose Desktop App

Method 3: Via Config File

Kiro

Setup Instructions

MCP Inspector (Debugging)

Claude Plugin

Quick Install

Available Commands

Agent Skills

Docker

Quick Start

Docker Compose

Claude Desktop with Docker

Security Features

Development

Running in Development Mode

Running Tests

Code Structure

Project Structure

Troubleshooting

Build Errors

Runtime Errors

Development Issues

Resources

Tools

New MCP Servers

Latest Blog Posts

MCP directory API