awslabs
by awslabs

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": false}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description

list_oscal_models [A]

List all available OSCAL model types with metadata.

Returns: dict: List of OSCAL models where the key is model's name as used in the schema, and value is an object that includes description, layer, formal and short names, and release status.

get_oscal_schema [A]

A tool that returns the schema for the specified OSCAL model. Try this tool first for any questions about the structure of OSCAL models. By default it returns a JSON schema, but the schema_type parameter can change that behavior. You can use the list_oscal_models tool to get a list of valid model names. Request the complete schema only as a last resort - it's very large and may overflow your context window.

Args:
    - ctx: MCP server context (should be injected automatically by MCP server)
    - model_name: The name of the OSCAL model. If no value is provided, then we return a "complete" schema including all models, which is large.
    - schema_type: If json (default) then return the JSON schema for the specified model. Otherwise, return its XSD (XML) schema.

Returns: str: The requested schema as JSON string

list_oscal_resources [A]

Retrieve a comprehensive directory of OSCAL community resources and tools.

This tool provides access to a curated collection of OSCAL (Open Security Controls Assessment Language) community resources that can help users:

  • Find OSCAL-compatible tools and software implementations

  • Discover educational content, tutorials, and documentation

  • Access example OSCAL documents and templates

  • Locate presentations, articles, and research papers about OSCAL

  • Identify government and industry adoption examples

  • Find libraries and SDKs for OSCAL development

  • Access validation tools and utilities

The returned content is structured markdown that categorizes resources by type (tools, content, presentations, etc.) making it easy to find specific types of OSCAL resources based on user needs.

Use this tool when users ask about:

  • "What OSCAL tools are available?"

  • "How can I learn more about OSCAL?"

  • "Are there examples of OSCAL implementations?"

  • "What resources exist for OSCAL development?"

  • "Who is using OSCAL in production?"

Args: ctx: MCP server context (should be injected automatically by MCP server)

Returns: str: Complete markdown content containing categorized OSCAL community resources, tools, documentation, examples, and educational materials

Raises:
    - FileNotFoundError: If the awesome-oscal.md content cannot be found
    - IOError: If there are issues reading the content

query_component_definition [A]

Query OSCAL Component Definition documents to find Capabilities and Components.

OSCAL Component Definitions follow a hierarchy: a Component Definition contains Capabilities and Components. A Capability groups related Components and describes a higher-level security function. This tool reflects that hierarchy — when a query matches a Capability (by title or UUID), the Capability is returned directly, including its list of incorporated Components. Only when no matching Capability is found does the search fall through to individual Components.

Prefer querying by Capability name/UUID when exploring what a Component Definition offers. Query by Component only when you need details about a specific service, software, region, or similar leaf-level element.

Use the companion tools to discover valid query filters:

  • list_capabilities() — lists all Capability UUIDs and names

  • list_components() — lists all Component UUIDs and titles

  • list_component_definitions() — lists all Component Definition UUIDs and titles

If you need details about the Component Definition schema, use the tool get_oscal_schema.

Args:
    - ctx: MCP server context (injected automatically by MCP server)
    - component_definition_filter: Optional UUID or metadata.title of a Component Definition to narrow the search scope. Case-insensitive for titles. If omitted, all loaded Component Definitions are searched.
    - query_type: Type of query to perform:
        - "all": Return all components in the definition(s). Intended for use with a component_definition_filter. Results may be large. For a lightweight summary, use list_components() instead.
        - "by_uuid": Find a Capability or Component by UUID (requires query_value). Capabilities are checked first.
        - "by_title": Find a Capability by name or a Component by title (requires query_value). Capabilities are checked first; if no Capability matches, Components are searched with a fallback to property-value matching.
        - "by_type": Filter Components by type (requires query_value). Does not apply to Capabilities.
    - query_value: The value to search for. Required for by_uuid, by_title, and by_type queries.
    - return_format: Response format. Currently only "raw" is supported, returning complete OSCAL objects as JSON.
    - offset: Zero-based pagination offset (default 0).
    - limit: Maximum items to return, 1-100 (default 10).

Returns: dict: When a Capability matches, the response contains:
    - capability: Full OSCAL Capability object as JSON
    - component_count: Number of Components the Capability incorporates
    - offset, limit, total, hasMore: Pagination metadata (always 0, 1, 1, False for single-capability results)
    - query_type, component_definitions_searched, filtered_by

When Components are returned instead, the response contains:
    - components: Paginated list of OSCAL Component objects as JSON
    - total_count: Total number of matching Components across all pages
    - offset, limit, hasMore: Pagination metadata
    - query_type, component_definitions_searched, filtered_by

Raises: ValueError: If required query parameters are missing or no data is loaded.

list_component_definitions [A]

List loaded Component Definitions with summary metadata.

A Component Definition is the top-level OSCAL document that contains Capabilities and Components. Use this tool to discover available definitions and obtain UUIDs or titles for use as the component_definition_filter in query_component_definition().

Args: ctx: MCP server context (injected automatically by MCP server) offset: Zero-based index of the first item to return (default 0). limit: Maximum number of items to return, 1-100 (default 10).

Returns: dict: Page_Response with keys items, total, offset, limit, hasMore. Each item in items has keys: uuid, title, componentCount, importedComponentDefinitionsCount, sizeInBytes.

list_components [A]

List loaded Components with summary metadata.

Components are leaf-level elements within a Component Definition that represent individual services, software, regions, or similar items. A Component may belong to one or more Capabilities. Use this tool to discover Component UUIDs and titles for targeted queries via query_component_definition().

Args: ctx: MCP server context (injected automatically by MCP server) offset: Zero-based index of the first item to return (default 0). limit: Maximum number of items to return, 1-100 (default 10).

Returns: dict: Page_Response with keys items, total, offset, limit, hasMore. Each item in items has keys: uuid, title, parentComponentDefinitionTitle, parentComponentDefinitionUuid, sizeInBytes.

list_capabilities [A]

List loaded Capabilities with summary metadata.

Capabilities sit above Components but are optional in the OSCAL hierarchy. Each Capability groups related Components and describes a collection or higher-level offering. Start here when exploring what a Component Definition provides — then drill into individual Components as needed.

Use the returned UUIDs or names as query_value in query_component_definition() to retrieve full Capability details.

Args: ctx: MCP server context (injected automatically by MCP server) offset: Zero-based index of the first item to return (default 0). limit: Maximum number of items to return, 1-100 (default 10).

Returns: dict: Page_Response with keys items, total, offset, limit, hasMore. Each item in items has keys: uuid, name, parentComponentDefinitionTitle, parentComponentDefinitionUuid, sizeInBytes.

get_capability [A]

Retrieve a single Capability by UUID, returning its full OSCAL representation.

A Capability groups related Components and may include control implementations, description, and a list of incorporated Components. Use list_capabilities() to discover available UUIDs.

Args: ctx: MCP server context (injected automatically by MCP server) uuid: UUID of the Capability to retrieve.

Returns: dict | None: Full OSCAL Capability object as a dict, or None if the UUID is not found.

validate_oscal_content [A]

Validate OSCAL JSON content through a multi-level validation pipeline.

Runs up to four validation levels in sequence:

  1. Well-formedness - Is it valid JSON and a JSON object?

  2. JSON Schema - Does it conform to the NIST OSCAL JSON schema?

  3. Trestle - Semantic checks via compliance-trestle Pydantic models

  4. oscal-cli - Full NIST validation if oscal-cli is installed

If Level 1 fails, Levels 2-4 are skipped. If oscal-cli is not installed, Level 4 is gracefully skipped. The overall result is valid only when all non-skipped levels pass.

Args: ctx: MCP server context (injected automatically by MCP server) content: OSCAL JSON content as a string model_type: Optional OSCAL model type (e.g. "catalog", "profile"). If omitted, the model type is auto-detected from the root key.

Returns: dict: Structured validation results with per-level detail

validate_oscal_file [A]

Validate an OSCAL JSON file through a multi-level validation pipeline.

Runs up to four validation levels in sequence:

  1. Well-formedness - Is it valid JSON and a JSON object?

  2. JSON Schema - Does it conform to the NIST OSCAL JSON schema?

  3. Trestle - Semantic checks via compliance-trestle Pydantic models

  4. oscal-cli - Full NIST validation if oscal-cli is installed

If Level 1 fails, Levels 2-4 are skipped. If oscal-cli is not installed, Level 4 is gracefully skipped. The overall result is valid only when all non-skipped levels pass.

Args:
    - ctx: MCP server context (injected automatically by MCP server)
    - file_uri: URI of the file to be validated. This can be local or remote, but a remote URI will fail unless config.allow_remote_uris == True.
    - model_type: Optional OSCAL model type (e.g. "catalog", "profile"). If omitted, the model type is auto-detected from the root key.

Returns: dict: Structured validation results with per-level detail

query_catalog [A]

Query OSCAL Catalog documents.

Catalogs are structured collections of security controls and control enhancements. Use list_catalogs to discover available catalogs, then drill into specific ones with this tool.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_catalogs [A]

List loaded OSCAL Catalogs with summary metadata.

Returns UUID, title, model type, child count, and size for each catalog. Use the returned UUIDs or titles as query_value in query_catalog for detailed results.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_ssp [A]

Query OSCAL System Security Plan (SSP) documents.

SSPs document how a system implements required security controls.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_ssps [A]

List loaded OSCAL System Security Plans with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_profile [A]

Query OSCAL Profile documents.

Profiles are baselines or overlays that select and customise controls from one or more catalogs.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_profiles [A]

List loaded OSCAL Profiles with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_assessment_plan [A]

Query OSCAL Assessment Plan documents.

Assessment Plans define how security controls will be assessed.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_assessment_plans [A]

List loaded OSCAL Assessment Plans with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_assessment_results [A]

Query OSCAL Assessment Results documents.

Assessment Results document the outcomes of control assessments.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_assessment_results [B]

List loaded OSCAL Assessment Results with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_poam [A]

Query OSCAL Plan of Action and Milestones (POA&M) documents.

POA&Ms document remediation plans for identified security issues.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_poams [B]

List loaded OSCAL Plans of Action and Milestones with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

query_mapping_collection [A]

Query OSCAL Mapping Collection documents.

Mapping Collections describe how one set of security controls relates to another set of controls.

Args: ctx: MCP server context (injected automatically). query_type: "all" (paginated), "by_uuid", "by_title", or "by_type". query_value: Required for by_uuid, by_title, by_type queries. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

list_mapping_collections [A]

List loaded OSCAL Mapping Collections with summary metadata.

Args: ctx: MCP server context (injected automatically). offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore.

text_search_oscal [A]

Full-text search across all OSCAL documents and child elements.

Searches titles, descriptions, and other indexed text fields using SQLite FTS5. Results are ranked by relevance. Optionally scope the search to a single OSCAL model type.

Args: ctx: MCP server context (injected automatically). query_text: The search string. oscal_model_type: Optional model type value to scope results (e.g. "catalog", "system-security-plan"). When omitted, all model types are searched. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: entity_type, entity_id, title, description, model_type.

list_catalog_controls [A]

List controls within OSCAL Catalog documents.

Controls are the primary structural elements of a catalog, each identified by a human-readable token ID (e.g. ac-1, sc-7).

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single catalog. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_catalog_groups [A]

List groups within OSCAL Catalog documents.

Groups organise controls into families (e.g. ac for Access Control). Group IDs are human-readable tokens unique within the containing catalog.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single catalog. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_ssp_control_implementations [A]

List control-implementation elements within OSCAL SSP documents.

The control-implementation is a singleton element within each SSP that describes how the system implements required security controls.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single SSP. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_ssp_system_components [A]

List system-component elements within OSCAL SSP documents.

System components describe the individual parts of a system (e.g. servers, services, software) and are identified by UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single SSP. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_profile_imports [A]

List import elements within OSCAL Profile documents.

Imports reference the catalogs or profiles from which controls are selected. Import IDs are synthetic positional identifiers (e.g. import-0, import-1).

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single profile. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_profile_modify [A]

List modify elements within OSCAL Profile documents.

The modify element is a singleton within each profile that describes customisations applied to imported controls (e.g. parameter settings, additions, alterations).

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single profile. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_assessment_plan_tasks [A]

List task elements within OSCAL Assessment Plan documents.

Tasks define the specific assessment activities to be performed. Each task is identified by a UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single assessment plan. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_assessment_plan_activities [A]

List activity elements within OSCAL Assessment Plan documents.

Activities describe the methods and procedures used to assess controls. Each activity is identified by a UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single assessment plan. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_assessment_results_results [A]

List result elements within OSCAL Assessment Results documents.

Results capture the outcome of an assessment, including observations and risk determinations. Each result is identified by a UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single assessment results document. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_assessment_results_findings [A]

List finding elements within OSCAL Assessment Results documents.

Findings document specific determinations about control implementation status. Each finding is identified by a UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single assessment results document. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_poam_items [A]

List POA&M item elements within OSCAL POA&M documents.

POA&M items document specific security issues and their remediation plans. Each item is identified by a UUID (optional in the OSCAL schema).

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single POA&M document. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

list_mapping_collection_mappings [A]

List mapping elements within OSCAL Mapping Collection documents.

Mappings describe how controls from one framework relate to controls in another framework. Each mapping is identified by a UUID.

Args: ctx: MCP server context (injected automatically). parent_doc_uuid: Optional UUID to scope results to a single mapping collection document. offset: Zero-based pagination offset (default 0). limit: Maximum items to return, 1-100 (default 10).

Returns: Page_Response dict with keys: items, total, offset, limit, hasMore. Each item contains: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid.

get_child_element [A]

Retrieve a single child element by its identifier.

OSCAL uses two identifier schemes:

  • UUIDs (globally unique) for most elements such as tasks, activities, results, findings, POA&M items, mappings, and system-components.

  • Token IDs (e.g. ac-1, sc) for catalog controls and groups — these are human-readable but only unique within their containing document.

For elements with token-based IDs, parent_doc_uuid should be provided to disambiguate. For elements with UUIDs, parent_doc_uuid is optional.

If parent_doc_uuid is omitted and the element_id matches elements in more than one document, an error dict is returned with error: "ambiguous_element_id" and a list of matching parent document UUIDs so the caller can retry with disambiguation.

Args: ctx: MCP server context (injected automatically). element_id: The element identifier (UUID or token ID). parent_doc_uuid: Optional parent document UUID to scope the lookup using the composite key (element_id, parent_doc_uuid).

Returns: A dict with keys: id, title, element_type, description, parentDocumentTitle, parentDocumentUuid, raw_json — or None if not found. Returns an error dict if the element_id is ambiguous across documents.
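The lookup rule described for get_child_element, modelled as an added example (not the server's own code): elements are stored under the composite key (element_id, parent_doc_uuid), and a token ID shared by two catalogs is reported as ambiguous rather than resolved to whichever document was loaded first. The class and function names, the `parent_doc_uuids` key of the error dict, and all UUIDs and titles are assumptions constructed for the illustration.

```python
# Added illustration; not code from mcp-server-for-oscal.
# Constructed sample identifiers (not real OSCAL documents).
CATALOG_A = "11111111-1111-4111-8111-111111111111"
CATALOG_B = "22222222-2222-4222-8222-222222222222"
PLAN = "33333333-3333-4333-8333-333333333333"
TASK_UUID = "44444444-4444-4444-8444-444444444444"


class ChildElementIndex:
    """Child elements keyed by the composite (element_id, parent_doc_uuid)."""

    def __init__(self):
        self._by_key = {}    # (element_id, parent_doc_uuid) -> element dict
        self._parents = {}   # element_id -> parent document UUIDs that contain it

    def add(self, element_id, parent_doc_uuid, parent_title, title, element_type):
        key = (element_id, parent_doc_uuid)
        if key in self._by_key:
            raise ValueError(f"duplicate element within one document: {key}")
        self._by_key[key] = {
            "id": element_id,
            "title": title,
            "element_type": element_type,
            "parentDocumentTitle": parent_title,
            "parentDocumentUuid": parent_doc_uuid,
        }
        self._parents.setdefault(element_id, []).append(parent_doc_uuid)

    def get_child_element(self, element_id, parent_doc_uuid=None):
        # Scoped lookup: the composite key identifies at most one element.
        if parent_doc_uuid is not None:
            return self._by_key.get((element_id, parent_doc_uuid))
        parents = self._parents.get(element_id, [])
        if not parents:
            return None
        if len(parents) > 1:
            # Never pick a document silently: "ac-1" in two catalogs is two controls.
            return {
                "error": "ambiguous_element_id",
                "element_id": element_id,
                "parent_doc_uuids": sorted(parents),  # key name is an assumption
            }
        return self._by_key[(element_id, parents[0])]


def resolve_in_scope(index, element_id, allowed_docs):
    """Caller side: accept a hit only if exactly one in-scope document holds it."""
    hit = index.get_child_element(element_id)
    if hit is None:
        return None
    if "error" in hit:
        candidates = [d for d in hit["parent_doc_uuids"] if d in allowed_docs]
    else:
        candidates = [hit["parentDocumentUuid"]] if hit["parentDocumentUuid"] in allowed_docs else []
    if len(candidates) != 1:
        raise LookupError(f"{element_id}: {len(candidates)} in-scope documents match")
    return index.get_child_element(element_id, candidates[0])


def build_sample_index():
    """Two catalogs that both define control ac-1, plus one UUID-identified task."""
    idx = ChildElementIndex()
    idx.add("ac-1", CATALOG_A, "Sample Catalog A", "Policy and Procedures", "control")
    idx.add("ac-1", CATALOG_B, "Sample Catalog B", "Access Control Policy", "control")
    idx.add(TASK_UUID, PLAN, "Sample Assessment Plan", "Review access logs", "task")
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    print(index.get_child_element("ac-1"))             # ambiguous error dict
    print(index.get_child_element("ac-1", CATALOG_B))  # scoped hit
    print(resolve_in_scope(index, "ac-1", {CATALOG_A}))
```
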

query_oscal_documentation [B]

A tool to query OSCAL-related documentation. Use this tool when a question about OSCAL cannot be answered just by analyzing model schemas. If the question is about an explicit property of an OSCAL model, try to find the answer using the get_oscal_schema tool first.

Args: query: Question or search query about OSCAL

Returns: dict: Results retrieved from knowledge base, structured as a Bedrock RetrieveResponseTypeDef object.

about [A]

Get metadata about the server itself

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/awslabs/mcp-server-for-oscal'