"""
NIST SP 800-53 and NIST Cybersecurity Framework (CSF) Mapping.
Maps threat intelligence capabilities to NIST SP 800-53 Rev. 5 security
controls and NIST CSF 2.0 functions for compliance evidence generation
and security posture assessment. A capability-to-control mapping is
supporting evidence that a control's technical component is in place; it
does not by itself show the control is fully implemented, which still
requires policy, procedure and assessment evidence.
References:
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- NIST CSF 2.0: Cybersecurity Framework
https://www.nist.gov/cyberframework
- NIST SP 800-150: Guide to Cyber Threat Information Sharing
- CNSSI 1253: Security Categorization and Control Selection for NSS
"""
from __future__ import annotations

import logging
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Any, Optional
# Module logger, a child of the "threat-intel-mcp" logger so handlers and
# levels configured on the parent apply here through normal propagation.
logger: logging.Logger = logging.getLogger("threat-intel-mcp.nist")
# =============================================================================
# NIST CSF 2.0 Functions
# =============================================================================
class NISTCSFFunction(str, Enum):
    """Core functions of NIST CSF 2.0, keyed by their two-letter identifier.

    Subclasses ``str`` so a member compares equal to, and serializes as, its
    identifier. Declaration order is the order ``for f in NISTCSFFunction``
    yields members; the posture report iterates the enum this way to build its
    per-function coverage section, so keep the order stable.
    """

    GOVERN = "GV"    # new in CSF 2.0
    IDENTIFY = "ID"
    PROTECT = "PR"
    DETECT = "DE"
    RESPOND = "RS"
    RECOVER = "RC"
# Display name and one-line description per CSF function. The posture report
# reads only "name" from here (it labels each per-function coverage entry);
# "description" is informational.
CSF_FUNCTION_DETAILS: dict[NISTCSFFunction, dict[str, str]] = {
    NISTCSFFunction.GOVERN: {
        "name": "Govern",
        "description": "Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.",
    },
    NISTCSFFunction.IDENTIFY: {
        "name": "Identify",
        "description": "Understand the organization's cybersecurity risks to systems, assets, data, and capabilities.",
    },
    NISTCSFFunction.PROTECT: {
        "name": "Protect",
        # NOTE(review): this wording follows the CSF 1.1 definition of Protect;
        # CSF 2.0 phrases it as safeguards used to manage the organization's
        # cybersecurity risks. Consider aligning the text with 2.0.
        "description": "Implement safeguards to ensure delivery of critical infrastructure services.",
    },
    NISTCSFFunction.DETECT: {
        "name": "Detect",
        "description": "Identify the occurrence of cybersecurity events in a timely manner.",
    },
    NISTCSFFunction.RESPOND: {
        "name": "Respond",
        "description": "Take action regarding a detected cybersecurity incident.",
    },
    NISTCSFFunction.RECOVER: {
        "name": "Recover",
        "description": "Maintain plans for resilience and restore capabilities impaired by cybersecurity incidents.",
    },
}
# =============================================================================
# NIST SP 800-53 Rev. 5 Control Definitions
# =============================================================================
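@dataclass
class NISTControl:
    """NIST SP 800-53 Rev. 5 security control definition.

    Instances populate the module-level ``NIST_CONTROLS`` table, which every
    ``NISTControlMapper`` shares by reference; treat them as read-only
    reference data.

    Attributes:
        control_id: Control identifier, e.g. ``"RA-5"``; enhancements use the
            ``"SI-5(1)"`` form.
        family: Control family name as emitted in reports.
        title: Control title; enhancements are written ``"Base | Enhancement"``.
        description: Short paraphrase of the control statement.
        priority: Priority code string. The table's documented convention is
            P1 (highest) to P3; the posture report counts only ``"P1"`` toward
            its P1 coverage figure.
        baselines: Baselines selecting the control, any of ``"LOW"``,
            ``"MODERATE"``, ``"HIGH"``.
        csf_functions: CSF 2.0 functions the control supports.
        related_controls: Related control identifiers (informational).
        supplemental_guidance: Optional supplemental guidance text.
        threat_intel_relevance: How threat intelligence capabilities support
            the control; quoted verbatim into report evidence text.
    """
    control_id: str
    family: str
    title: str
    description: str
    priority: str  # P1 (highest), P2, P3
    baselines: list[str]  # LOW, MODERATE, HIGH
    csf_functions: list[NISTCSFFunction]
    related_controls: list[str] = field(default_factory=list)
    supplemental_guidance: str = ""
    threat_intel_relevance: str = ""

    def to_dict(self) -> dict[str, Any]:
        """Serialize to a JSON-compatible dict.

        List-valued fields are copied so that a caller editing the returned
        dict (e.g. while assembling a report) cannot mutate the shared control
        definition behind it.

        Returns:
            Dict with one key per field; ``csf_functions`` holds the enum
            values (``"GV"``, ``"ID"``, ...) rather than enum members.
        """
        return {
            "control_id": self.control_id,
            "family": self.family,
            "title": self.title,
            "description": self.description,
            "priority": self.priority,
            "baselines": list(self.baselines),
            "csf_functions": [f.value for f in self.csf_functions],
            "related_controls": list(self.related_controls),
            "supplemental_guidance": self.supplemental_guidance,
            "threat_intel_relevance": self.threat_intel_relevance,
        }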
# NIST SP 800-53 Rev. 5 controls relevant to threat intelligence.
#
# How this table is consumed elsewhere in the module:
#   - keys are the control IDs referenced by CAPABILITY_CONTROL_MAP and looked
#     up by NISTControlMapper.get_control;
#   - `baselines` drives NISTControlMapper.get_controls_for_baseline and the
#     per-baseline coverage/gap figures in the compliance report;
#   - `priority` is compared against the literal "P1" when the report computes
#     P1 coverage, so any other value is simply left out of that figure.
# The baseline selections below are a local transcription; verify them against
# SP 800-53B before citing them as baseline requirements.
NIST_CONTROLS: dict[str, NISTControl] = {
    # Risk Assessment (RA) Family
    "RA-3": NISTControl(
        control_id="RA-3",
        family="Risk Assessment",
        title="Risk Assessment",
        description=(
            "Conduct risk assessments to identify, estimate, and prioritize risks "
            "from the operation and use of organizational systems."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY],
        related_controls=["RA-5", "PM-9", "PM-28", "CA-2"],
        threat_intel_relevance=(
            "Threat intelligence feeds provide current threat landscape data to "
            "inform risk assessments. IOC reputation data quantifies threat likelihood."
        ),
    ),
    "RA-3(1)": NISTControl(
        control_id="RA-3(1)",
        family="Risk Assessment",
        title="Risk Assessment | Supply Chain Risk Assessment",
        description=(
            "Conduct supply chain risk assessments on systems, components, and services."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY],
        related_controls=["RA-3", "SR-6"],
        threat_intel_relevance=(
            "Threat intelligence on supply chain compromises (e.g., T1195) directly "
            "supports supply chain risk assessments."
        ),
    ),
    "RA-5": NISTControl(
        control_id="RA-5",
        family="Risk Assessment",
        title="Vulnerability Monitoring and Scanning",
        description=(
            "Monitor and scan for vulnerabilities in organizational systems and "
            "hosted applications. Employ tools and techniques to automate scanning."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.DETECT],
        related_controls=["CA-2", "CA-7", "RA-3", "SA-11", "SI-2", "SI-5"],
        supplemental_guidance=(
            "Vulnerability scanning includes scanning for patch levels, misconfigurations, "
            "and known exploitable vulnerabilities in software and firmware."
        ),
        threat_intel_relevance=(
            "CISA KEV catalog integration provides authoritative vulnerability intelligence. "
            "Cross-referencing scan results with threat feeds identifies actively exploited "
            "vulnerabilities requiring urgent remediation."
        ),
    ),
    "RA-5(2)": NISTControl(
        control_id="RA-5(2)",
        family="Risk Assessment",
        title="Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned",
        description=(
            "Update the system vulnerabilities to be scanned prior to a new scan or "
            "when new vulnerabilities are identified and reported."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY],
        related_controls=["RA-5", "SI-5"],
        threat_intel_relevance=(
            "Automated threat feed ingestion ensures vulnerability scanning databases "
            "are updated with the latest CVE and IOC information."
        ),
    ),
    "RA-5(5)": NISTControl(
        control_id="RA-5(5)",
        family="Risk Assessment",
        title="Vulnerability Monitoring and Scanning | Privileged Access",
        description=(
            "Implement privileged access authorization to selected system components "
            "for vulnerability scanning activities."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY],
        related_controls=["RA-5"],
        threat_intel_relevance=(
            "Threat intelligence identifying credential-based attacks (T1078) "
            "supports privileged access vulnerability scanning priorities."
        ),
    ),
    # System and Information Integrity (SI) Family
    "SI-2": NISTControl(
        control_id="SI-2",
        family="System and Information Integrity",
        title="Flaw Remediation",
        description=(
            "Identify, report, and correct system flaws. Install security-relevant "
            "software and firmware updates within the organization-defined time period."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.PROTECT, NISTCSFFunction.RESPOND],
        related_controls=["CA-7", "MA-2", "RA-5", "SA-10", "SI-5"],
        # NOTE(review): the KEV remediation deadlines are imposed by CISA
        # BOD 22-01, which binds federal civilian executive branch agencies;
        # for other organizations the catalog is prioritization input rather
        # than a mandate. The text below is surfaced verbatim in reports.
        threat_intel_relevance=(
            "CISA KEV catalog mandates remediation timelines. Threat intelligence "
            "prioritizes which flaws to remediate based on active exploitation."
        ),
    ),
    "SI-4": NISTControl(
        control_id="SI-4",
        family="System and Information Integrity",
        title="System Monitoring",
        description=(
            "Monitor the system to detect attacks and indicators of potential attacks "
            "in accordance with monitoring objectives and detect unauthorized changes."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.DETECT],
        related_controls=["AC-3", "AU-12", "CA-7", "IR-4", "SC-7", "SI-3"],
        supplemental_guidance=(
            "System monitoring includes network-based, host-based, and wireless monitoring."
        ),
        threat_intel_relevance=(
            "IOC feeds (IP, domain, hash, URL) provide the indicator signatures for "
            "system monitoring tools to detect. Real-time feed updates ensure monitoring "
            "covers current threats."
        ),
    ),
    "SI-4(4)": NISTControl(
        control_id="SI-4(4)",
        family="System and Information Integrity",
        title="System Monitoring | Inbound and Outbound Communications Traffic",
        description=(
            "Monitor inbound and outbound communications traffic for unusual or "
            "unauthorized activities or conditions."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.DETECT],
        related_controls=["SI-4"],
        threat_intel_relevance=(
            "IP and domain threat feeds enable detection of C2 communications, "
            "data exfiltration, and connections to known malicious infrastructure."
        ),
    ),
    "SI-5": NISTControl(
        control_id="SI-5",
        family="System and Information Integrity",
        title="Security Alerts, Advisories, and Directives",
        description=(
            "Receive system security alerts, advisories, and directives from "
            "authoritative sources on an ongoing basis. Generate internal alerts, "
            "advisories, and directives. Disseminate to appropriate personnel."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.DETECT, NISTCSFFunction.RESPOND],
        related_controls=["PM-15", "RA-5", "SI-2"],
        supplemental_guidance=(
            "Authoritative sources include US-CERT, CISA, and vendor security bulletins."
        ),
        threat_intel_relevance=(
            "Core capability: aggregation and dissemination of CISA alerts, advisories, "
            "KEV updates, and vendor security bulletins. Automated feed ingestion ensures "
            "timely receipt. TLP markings control dissemination scope."
        ),
    ),
    "SI-5(1)": NISTControl(
        control_id="SI-5(1)",
        family="System and Information Integrity",
        title="Security Alerts | Automated Alerts and Advisories",
        description=(
            "Broadcast security alert and advisory information using automated mechanisms."
        ),
        priority="P1",
        baselines=["HIGH"],
        csf_functions=[NISTCSFFunction.DETECT, NISTCSFFunction.RESPOND],
        related_controls=["SI-5"],
        threat_intel_relevance=(
            "Automated threat feed processing and alert generation. MCP tool integration "
            "enables automated broadcast to connected systems and analysts."
        ),
    ),
    # Incident Response (IR) Family
    "IR-4": NISTControl(
        control_id="IR-4",
        family="Incident Response",
        title="Incident Handling",
        description=(
            "Implement an incident handling capability that includes preparation, "
            "detection and analysis, containment, eradication, and recovery."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.RESPOND],
        related_controls=["AU-6", "IR-5", "IR-6", "IR-8", "PE-6", "SC-7", "SI-4"],
        threat_intel_relevance=(
            "Threat intelligence supports incident detection (IOC matching), analysis "
            "(ATT&CK mapping), and containment (understanding adversary TTPs)."
        ),
    ),
    "IR-5": NISTControl(
        control_id="IR-5",
        family="Incident Response",
        title="Incident Monitoring",
        description=(
            "Track and document incidents on an ongoing basis."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.RESPOND],
        related_controls=["AU-6", "IR-4", "IR-6", "IR-8"],
        threat_intel_relevance=(
            "Provenance tracking provides chain-of-custody documentation for incidents. "
            "STIX sighting objects record confirmed observations."
        ),
    ),
    "IR-6": NISTControl(
        control_id="IR-6",
        family="Incident Response",
        title="Incident Reporting",
        description=(
            "Require personnel to report suspected incidents to the incident response "
            "capability. Report incidents to designated authorities."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.RESPOND],
        related_controls=["IR-4", "IR-5", "IR-8"],
        supplemental_guidance=(
            "Federal agencies report to CISA. DoD organizations report to USCYBERCOM."
        ),
        threat_intel_relevance=(
            "STIX/TAXII 2.1 export enables standardized incident reporting to CISA, "
            "US-CERT, and sector ISACs. TLP markings ensure appropriate handling."
        ),
    ),
    "IR-6(1)": NISTControl(
        control_id="IR-6(1)",
        family="Incident Response",
        title="Incident Reporting | Automated Reporting",
        description=(
            "Report incidents using automated mechanisms."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.RESPOND],
        related_controls=["IR-6"],
        threat_intel_relevance=(
            "TAXII 2.1 publication capability enables automated incident reporting "
            "to TAXII-capable recipients."
        ),
    ),
    # Program Management (PM) Family
    # NOTE(review): PM controls are organization-level controls and do not
    # appear to be selected by the LOW/MODERATE/HIGH system baselines in
    # SP 800-53B; the baselines listed for them here look like a local
    # convention. Confirm before reporting them as baseline requirements.
    "PM-15": NISTControl(
        control_id="PM-15",
        family="Program Management",
        title="Security and Privacy Groups and Associations",
        description=(
            "Establish and institutionalize contact with security groups and associations "
            "to facilitate ongoing security education, share threat intelligence, and "
            "address current security and privacy issues."
        ),
        # NOTE(review): "P0" is outside the P1-P3 range documented on
        # NISTControl.priority, and assess_compliance_posture counts only
        # controls whose priority is exactly "P1" toward P1 coverage, so this
        # control is silently excluded from that figure. Confirm the intended
        # priority.
        priority="P0",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.GOVERN],
        related_controls=["SI-5", "PM-16"],
        threat_intel_relevance=(
            "STIX/TAXII integration enables standardized threat intelligence sharing "
            "with ISACs, CERTs, and sector partners."
        ),
    ),
    "PM-16": NISTControl(
        control_id="PM-16",
        family="Program Management",
        title="Threat Awareness Program",
        description=(
            "Implement a threat awareness program that includes a cross-organization "
            "information-sharing capability that provides threat awareness to "
            "organizational personnel."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.DETECT],
        related_controls=["PM-12", "PM-15", "SI-5"],
        supplemental_guidance=(
            "Effective threat awareness programs include participation in "
            "threat intelligence sharing organizations."
        ),
        threat_intel_relevance=(
            "Core capability: this MCP server IS the threat awareness program's technical "
            "implementation. Multi-source feed aggregation, automated analysis, MITRE ATT&CK "
            "mapping, and STIX sharing provide comprehensive threat awareness."
        ),
    ),
    "PM-16(1)": NISTControl(
        control_id="PM-16(1)",
        family="Program Management",
        title="Threat Awareness Program | Automated Means for Sharing Threat Intelligence",
        description=(
            "Employ automated mechanisms to share threat intelligence with organizational "
            "information sharing partners."
        ),
        priority="P1",
        baselines=["HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.DETECT],
        related_controls=["PM-16"],
        threat_intel_relevance=(
            "TAXII 2.1 client enables automated bidirectional threat intelligence sharing "
            "with TAXII-capable partners (ISACs, CERTs, DIB sector partners)."
        ),
    ),
    # Security Assessment and Authorization (CA) Family
    # NOTE(review): Rev. 5 renamed this family "Assessment, Authorization, and
    # Monitoring"; the Rev. 4 name is kept unchanged here because the family
    # string is emitted in reports and callers may filter on it.
    "CA-2": NISTControl(
        control_id="CA-2",
        family="Security Assessment and Authorization",
        title="Control Assessments",
        description=(
            "Assess the controls in the system and its environment of operation "
            "to determine the extent to which they are implemented correctly and "
            "producing the desired outcome."
        ),
        priority="P2",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.GOVERN],
        related_controls=["CA-5", "CA-7", "RA-5", "SA-11"],
        threat_intel_relevance=(
            "Compliance report generation provides evidence of threat intelligence "
            "control implementation for assessors."
        ),
    ),
    "CA-7": NISTControl(
        control_id="CA-7",
        family="Security Assessment and Authorization",
        title="Continuous Monitoring",
        description=(
            "Develop a system-level continuous monitoring strategy and implement "
            "continuous monitoring in accordance with the strategy."
        ),
        priority="P1",
        baselines=["LOW", "MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.DETECT, NISTCSFFunction.GOVERN],
        related_controls=["AC-2", "CA-2", "RA-3", "RA-5", "SI-4"],
        threat_intel_relevance=(
            "Continuous threat feed monitoring and automated IOC checking provide "
            "the threat intelligence component of continuous monitoring strategy."
        ),
    ),
    # Supply Chain Risk Management (SR) Family
    "SR-6": NISTControl(
        control_id="SR-6",
        family="Supply Chain Risk Management",
        title="Supplier Assessments and Reviews",
        description=(
            "Assess and review the supply chain-related risks associated with "
            "suppliers or contractors and the system, system component, or system "
            "service they provide."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.IDENTIFY, NISTCSFFunction.GOVERN],
        related_controls=["RA-3(1)", "SR-3"],
        threat_intel_relevance=(
            "Supply chain threat intelligence (e.g., T1195 mapping) supports "
            "supplier risk assessments."
        ),
    ),
    # System and Services Acquisition (SA) Family
    "SA-11": NISTControl(
        control_id="SA-11",
        family="System and Services Acquisition",
        title="Developer Testing and Evaluation",
        description=(
            "Require the developer of the system, system component, or system "
            "service to create and implement a plan for ongoing testing and evaluation."
        ),
        priority="P1",
        baselines=["MODERATE", "HIGH"],
        csf_functions=[NISTCSFFunction.PROTECT, NISTCSFFunction.IDENTIFY],
        related_controls=["CA-2", "CA-7", "RA-5", "SA-15", "SA-17", "SI-2"],
        threat_intel_relevance=(
            "Vulnerability intelligence from CISA KEV and NVD feeds informs "
            "security testing priorities and known-vulnerability scanning."
        ),
    ),
}
# =============================================================================
# Control-to-Capability Mapping
# =============================================================================
# Maps MCP tool capabilities to the NIST controls they provide evidence for.
#
# Keys are the capability names callers pass to
# NISTControlMapper.assess_compliance_posture / generate_compliance_report;
# values are keys of NIST_CONTROLS (an ID missing from that table is dropped
# when controls are resolved, so it never counts as coverage). A capability
# listed here is treated by the report as "satisfying" every control in its
# list, so keep the lists conservative: an entry claims technical evidence for
# the control, not that its policy and procedural requirements are met.
CAPABILITY_CONTROL_MAP: dict[str, list[str]] = {
    "threat_feed_aggregation": [
        "SI-5", "SI-5(1)", "PM-16", "PM-16(1)", "RA-5(2)",
    ],
    "ip_reputation_check": [
        "SI-4", "SI-4(4)", "RA-5", "CA-7",
    ],
    "hash_reputation_check": [
        "SI-4", "RA-5", "CA-7",
    ],
    "domain_reputation_check": [
        "SI-4", "SI-4(4)", "RA-5", "CA-7",
    ],
    "bulk_ip_check": [
        "SI-4", "SI-4(4)", "RA-5", "CA-7",
    ],
    "cisa_kev_monitoring": [
        "SI-5", "RA-5", "RA-5(2)", "SI-2",
    ],
    "network_threat_check": [
        "SI-4", "SI-4(4)", "CA-7",
    ],
    "stix_export": [
        "IR-6", "IR-6(1)", "PM-15", "PM-16(1)",
    ],
    "taxii_sharing": [
        "PM-16(1)", "PM-15", "IR-6(1)",
    ],
    "mitre_attack_mapping": [
        "RA-3", "IR-4", "PM-16",
    ],
    "provenance_tracking": [
        "IR-5", "IR-4", "CA-2",
    ],
    "tlp_enforcement": [
        "PM-15", "IR-6", "PM-16",
    ],
    "confidence_scoring": [
        "RA-3", "RA-3(1)", "PM-16",
    ],
    "defense_feed_integration": [
        "SI-5", "SI-5(1)", "RA-5(2)", "PM-16",
    ],
    "compliance_reporting": [
        "CA-2", "CA-7", "PM-16",
    ],
    # NOTE(review): a dashboard on its own is weak evidence for SI-4 system
    # monitoring; confirm it actually surfaces detections before relying on
    # this entry in an assessment.
    "dashboard_visualization": [
        "SI-4", "CA-7", "PM-16",
    ],
}
# =============================================================================
# NIST Control Mapper
# =============================================================================
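class NISTControlMapper:
    """
    Maps threat intelligence capabilities to NIST SP 800-53 Rev. 5 controls
    and NIST CSF 2.0 functions for compliance evidence generation.

    The mapper is a query layer over the module-level ``NIST_CONTROLS`` and
    ``CAPABILITY_CONTROL_MAP`` tables. It stores references, not copies, so
    every instance reads the same shared reference data.

    "Satisfied" throughout this class means only that at least one active
    capability is mapped to the control. That is supporting evidence for an
    assessor, not a determination that the control is fully implemented.
    """

    def __init__(self) -> None:
        self.controls = NIST_CONTROLS
        self.capability_map = CAPABILITY_CONTROL_MAP

    def get_control(self, control_id: str) -> Optional[NISTControl]:
        """
        Look up a NIST control by ID.

        Args:
            control_id: NIST control ID (e.g., 'RA-5', 'SI-5(1)'); matched
                exactly against the table keys, so case and spacing matter.

        Returns:
            NISTControl, or None when the ID is not in the table
        """
        return self.controls.get(control_id)

    def get_controls_for_capability(self, capability: str) -> list[NISTControl]:
        """
        Get all NIST controls mapped to a capability.

        Args:
            capability: Capability name (e.g., 'threat_feed_aggregation')

        Returns:
            List of NISTControl objects in mapping order. An unknown capability
            yields an empty list; mapped control IDs that are missing from the
            control table are skipped.
        """
        return [
            self.controls[cid]
            for cid in self.capability_map.get(capability, [])
            if cid in self.controls
        ]

    def get_controls_for_csf_function(
        self,
        function: NISTCSFFunction,
    ) -> list[NISTControl]:
        """
        Get all controls mapped to a NIST CSF function.

        Args:
            function: NIST CSF function

        Returns:
            List of NISTControl objects in table order
        """
        return [c for c in self.controls.values() if function in c.csf_functions]

    def get_controls_for_baseline(self, baseline: str) -> list[NISTControl]:
        """
        Get all controls selected at a given baseline level.

        Args:
            baseline: Baseline level ('LOW', 'MODERATE', 'HIGH'); case-insensitive

        Returns:
            List of NISTControl objects in table order; empty for an unknown
            baseline name
        """
        wanted = baseline.upper()
        return [c for c in self.controls.values() if wanted in c.baselines]

    @staticmethod
    def _pct(part: int, whole: int) -> float:
        """Percentage of ``part`` in ``whole`` rounded to one decimal; 0 when ``whole`` is 0."""
        return round((part / whole * 100) if whole else 0, 1)

    @staticmethod
    def _split_by_satisfaction(
        controls: list[NISTControl],
        satisfied_ids: set[str],
    ) -> tuple[list[str], list[str]]:
        """Partition control IDs into (satisfied, gaps), preserving input order."""
        satisfied = [c.control_id for c in controls if c.control_id in satisfied_ids]
        gaps = [c.control_id for c in controls if c.control_id not in satisfied_ids]
        return satisfied, gaps

    def _resolve_capabilities(
        self,
        active_capabilities: list[str],
    ) -> tuple[dict[str, list[str]], set[str]]:
        """
        Expand capability names into the control IDs they evidence.

        Args:
            active_capabilities: Capability names to resolve

        Returns:
            ``(coverage, satisfied_ids)``: ``coverage`` maps each capability to
            a copy of its mapped control IDs (unknown capabilities map to an
            empty list); ``satisfied_ids`` is their union.
        """
        coverage: dict[str, list[str]] = {}
        satisfied_ids: set[str] = set()
        for cap in active_capabilities:
            control_ids = self.capability_map.get(cap)
            if control_ids is None:
                # A misspelled capability would otherwise vanish silently and
                # surface only as an unexplained control gap.
                logger.warning(
                    "Unknown capability %r ignored in compliance assessment", cap
                )
                control_ids = []
            coverage[cap] = list(control_ids)
            satisfied_ids.update(control_ids)
        return coverage, satisfied_ids

    def assess_compliance_posture(
        self,
        active_capabilities: list[str],
    ) -> dict[str, Any]:
        """
        Assess the overall compliance posture based on active capabilities.

        A control counts as satisfied when at least one active capability maps
        to it. Capability names absent from the capability map are logged at
        WARNING and contribute nothing, so a typo shows up as a gap rather
        than silently passing.

        Args:
            active_capabilities: List of active capability names

        Returns:
            Compliance posture assessment dict: overall, P1, per-CSF-function
            and per-baseline coverage figures, plus the capability-to-control
            expansion they were derived from
        """
        capability_coverage, satisfied_ids = self._resolve_capabilities(active_capabilities)
        satisfied_controls = {
            cid: self.controls[cid]
            for cid in satisfied_ids
            if cid in self.controls
        }

        # CSF function coverage, in enum declaration order.
        csf_coverage: dict[str, dict[str, Any]] = {}
        for func in NISTCSFFunction:
            func_controls = self.get_controls_for_csf_function(func)
            satisfied, gaps = self._split_by_satisfaction(func_controls, satisfied_ids)
            csf_coverage[func.value] = {
                "function": CSF_FUNCTION_DETAILS[func]["name"],
                "total_controls": len(func_controls),
                "satisfied_controls": len(satisfied),
                "coverage_pct": self._pct(len(satisfied), len(func_controls)),
                "satisfied": satisfied,
                "gaps": gaps,
            }

        # Baseline coverage.
        baseline_coverage: dict[str, dict[str, Any]] = {}
        for baseline in ("LOW", "MODERATE", "HIGH"):
            baseline_controls = self.get_controls_for_baseline(baseline)
            satisfied, gaps = self._split_by_satisfaction(baseline_controls, satisfied_ids)
            baseline_coverage[baseline] = {
                "total_controls": len(baseline_controls),
                "satisfied_controls": len(satisfied),
                "coverage_pct": self._pct(len(satisfied), len(baseline_controls)),
                "gaps": gaps,
            }

        # Priority assessment: only the literal "P1" counts; any other priority
        # string in the table is left out of this figure.
        p1_controls = [c for c in self.controls.values() if c.priority == "P1"]
        p1_satisfied = [c for c in p1_controls if c.control_id in satisfied_ids]

        return {
            "assessment_date": datetime.now(timezone.utc).isoformat(),
            "framework": "NIST SP 800-53 Rev. 5",
            "csf_version": "2.0",
            "total_mapped_controls": len(self.controls),
            "satisfied_controls": len(satisfied_controls),
            "overall_coverage_pct": self._pct(len(satisfied_controls), len(self.controls)),
            "priority_coverage": {
                "p1_total": len(p1_controls),
                "p1_satisfied": len(p1_satisfied),
                "p1_coverage_pct": self._pct(len(p1_satisfied), len(p1_controls)),
            },
            "csf_function_coverage": csf_coverage,
            "baseline_coverage": baseline_coverage,
            "capability_to_controls": capability_coverage,
            "active_capabilities": list(active_capabilities),
        }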
# =============================================================================
# Compliance Report Generation
# =============================================================================
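def _resolve_active_capabilities(
    active_capabilities: Optional[list[str]],
    capability_status: Optional[dict[str, bool]],
) -> tuple[list[str], str]:
    """
    Decide which capabilities count as active and record where that answer came from.

    Args:
        active_capabilities: Explicit list of capability names, or None.
        capability_status: Runtime capability name -> active flag, or None.

    Returns:
        ``(active, basis)``. ``basis`` is ``"runtime_status"`` when
        ``capability_status`` was supplied (it takes precedence over the list),
        ``"declared"`` when only ``active_capabilities`` was supplied, and
        ``"none"`` when neither was, in which case ``active`` is empty.
    """
    if capability_status is not None:
        # Runtime state wins over a declared list: only capabilities confirmed
        # running count as active.
        return (
            [cap for cap, is_active in capability_status.items() if is_active],
            "runtime_status",
        )
    if active_capabilities is not None:
        return list(active_capabilities), "declared"
    return [], "none"


def _control_status(assessed: bool, satisfied: bool) -> str:
    """Status label for one control; NOT_ASSESSED when no capability state was given at all."""
    if not assessed:
        return "NOT_ASSESSED"
    return "SATISFIED" if satisfied else "GAP"


def _build_control_details(
    controls: dict[str, NISTControl],
    capability_map: dict[str, list[str]],
    active_capabilities: list[str],
    target_baseline: str,
    assessed: bool,
) -> list[dict[str, Any]]:
    """
    Build the per-control evidence section for controls selected in ``target_baseline``.

    Args:
        controls: Control table (control ID -> NISTControl).
        capability_map: Capability name -> control IDs it evidences.
        active_capabilities: Capabilities treated as active.
        target_baseline: Upper-cased baseline name; controls not selected in it
            are skipped.
        assessed: False when no capability state was supplied, in which case
            every control is reported NOT_ASSESSED instead of GAP.

    Returns:
        One dict per in-baseline control, in table order.
    """
    # Computed once, outside the per-control loop.
    satisfied_ids = {
        cid
        for cap in active_capabilities
        for cid in capability_map.get(cap, [])
    }
    details: list[dict[str, Any]] = []
    for control_id, control in controls.items():
        if target_baseline not in control.baselines:
            continue
        status = _control_status(assessed, control_id in satisfied_ids)
        detail: dict[str, Any] = {
            "control_id": control.control_id,
            "title": control.title,
            "family": control.family,
            "priority": control.priority,
            "status": status,
            "threat_intel_relevance": control.threat_intel_relevance,
        }
        if status == "SATISFIED":
            # Record which capabilities back the claim so an assessor can trace it.
            satisfying_caps = [
                cap for cap in active_capabilities
                if control_id in capability_map.get(cap, [])
            ]
            detail["satisfied_by"] = satisfying_caps
            detail["evidence"] = (
                f"Control satisfied by active threat intelligence capabilities: "
                f"{', '.join(satisfying_caps)}. "
                f"Relevance: {control.threat_intel_relevance}"
            )
        elif status == "GAP":
            detail["remediation"] = (
                f"Implement capability to address {control.title}. "
                f"Relevance: {control.threat_intel_relevance}"
            )
        else:
            detail["note"] = (
                "Runtime capability state unknown. Provide actual "
                "capability status for accurate assessment."
            )
        details.append(detail)
    return details


def _build_recommendations(
    posture: dict[str, Any],
    target_baseline: str,
    assessed: bool,
) -> list[str]:
    """
    Derive recommendations from a posture assessment.

    Args:
        posture: Output of NISTControlMapper.assess_compliance_posture.
        target_baseline: Upper-cased baseline whose gaps are reported.
        assessed: False when no capability state was supplied.

    Returns:
        Recommendation strings. When nothing was assessed the only
        recommendation is to supply capability state; reporting gap counts and
        P1 coverage in that case would present missing input as real findings.
    """
    if not assessed:
        return [
            "No capability state was supplied (neither active_capabilities nor "
            "capability_status), so every control is NOT_ASSESSED. Provide "
            "runtime capability_status to produce gap findings."
        ]
    recommendations: list[str] = []
    baseline_gaps = posture["baseline_coverage"].get(target_baseline, {}).get("gaps", [])
    if baseline_gaps:
        shown = ", ".join(baseline_gaps[:5])
        extra = len(baseline_gaps) - 5
        recommendations.append(
            f"Address {len(baseline_gaps)} control gap(s) for {target_baseline} baseline: {shown}"
            + (f" and {extra} more" if extra > 0 else "")
        )
    p1_coverage = posture["priority_coverage"]["p1_coverage_pct"]
    if p1_coverage < 100:
        recommendations.append(
            f"Priority 1 control coverage is {p1_coverage}%. "
            f"Address P1 gaps before lower-priority controls."
        )
    return recommendations


def generate_compliance_report(
    active_capabilities: Optional[list[str]] = None,
    include_control_details: bool = True,
    baseline: str = "MODERATE",
    capability_status: Optional[dict[str, bool]] = None,
) -> dict[str, Any]:
    """
    Generate a NIST compliance posture report for the threat intelligence program.

    Args:
        active_capabilities: List of active capability names. Ignored when
            capability_status is given. If both are None, no capability is
            treated as active and every control is marked NOT_ASSESSED.
        include_control_details: Whether to include the per-control section
        baseline: Target baseline level (LOW, MODERATE, HIGH; case-insensitive)
        capability_status: Optional dict mapping capability names to their
            actual runtime active/inactive state (True = running, False = not running).
            When provided, only capabilities with True are treated as active. A
            dict with no True values is a genuine assessment in which every
            control is a GAP, not NOT_ASSESSED.

    Returns:
        Comprehensive compliance report dict. ``assessment_basis`` records
        whether "satisfied" rests on runtime status ("runtime_status"), a
        caller-declared list ("declared"), or nothing at all ("none"), so an
        assessor can weigh the evidence accordingly.

    Raises:
        ValueError: If ``baseline`` is not LOW, MODERATE or HIGH. An unknown
            baseline would otherwise yield a report with no control details
            and no gaps, which reads as a clean result.
    """
    target_baseline = baseline.upper()
    if target_baseline not in ("LOW", "MODERATE", "HIGH"):
        raise ValueError(
            f"Unknown baseline {baseline!r}; expected one of LOW, MODERATE, HIGH"
        )

    active, basis = _resolve_active_capabilities(active_capabilities, capability_status)
    assessed = basis != "none"

    mapper = NISTControlMapper()
    posture = mapper.assess_compliance_posture(active)

    report: dict[str, Any] = {
        "report_title": "NIST SP 800-53 Rev. 5 Compliance Posture - Threat Intelligence Program",
        "report_date": datetime.now(timezone.utc).isoformat(),
        "framework": "NIST SP 800-53 Rev. 5",
        "csf_version": "NIST CSF 2.0",
        "target_baseline": target_baseline,
        "assessment_basis": basis,
        "posture_summary": posture,
        "recommendations": _build_recommendations(posture, target_baseline, assessed),
    }
    if include_control_details:
        report["control_details"] = _build_control_details(
            mapper.controls, mapper.capability_map, active, target_baseline, assessed,
        )
    report["attestation"] = {
        "statement": (
            "This compliance report documents the threat intelligence program's "
            "alignment with NIST SP 800-53 Rev. 5 security controls and NIST "
            "Cybersecurity Framework 2.0 functions. Control satisfaction is based "
            "on active capability implementation."
        ),
        "caveat": (
            "An active capability is evidence that a control's technical component "
            "is in place; it does not demonstrate the policy, procedure, or "
            "assessment activities the control also requires. Capability names "
            "not present in the capability map contribute no evidence."
        ),
        "standards_references": [
            "NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations",
            "NIST CSF 2.0: Cybersecurity Framework",
            "NIST SP 800-150: Guide to Cyber Threat Information Sharing",
            "CNSSI 1253: Security Categorization and Control Selection for National Security Systems",
        ],
    }
    return report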