nist-mcp
nist-mcp gives AI assistants structured access to NIST cybersecurity data and live NVD vulnerability information.
NIST Publications
Search across SP 800, FIPS, IR, CSWP, and AI series by keyword, series, status, or type
Retrieve full metadata (abstract, authors, supersedes chains, supplemental materials)
Read publication content as Markdown (PDF, XLSX, CSV, JSON, XML); specify page ranges or sections
Download documents to local cache; resolve any publication ID to its latest revision
SP 800-53 Rev 5 Controls
Search by keyword, family (AC, IA, SC, etc.), or baseline (LOW/MODERATE/HIGH)
Get full control details: statement, guidance, parameters, related controls, and enhancements
CSF 2.0 Framework
Browse/search functions, categories, and subcategories with mapped SP 800-53 control counts
Cross-reference SP 800-53 controls and CSF categories bidirectionally
Glossary
Look up NIST cybersecurity/privacy terms by exact match or keyword, with definitions and authoritative sources
CMVP (Cryptographic Module Validation)
Search FIPS 140-2/3 validated modules by vendor, module name, algorithm, FIPS level, or validation status
NCP Security Checklists
Find configuration checklists by product, format (XCCDF, OVAL, PDF), or authority (DISA, CIS, NIST)
NICE Framework Work Roles
Search cybersecurity work roles by keyword or category (e.g., Analyze, Investigate, Protect and Defend)
Live NVD CVE & CPE Data
Search CVEs by keyword, CVSS severity, CPE product, CWE type, date range, or CISA KEV status
Get full CVE details: CVSS scores, affected products, CWE classification, references, KEV status, and change history
Search the CPE database for products and platforms
Cross-Domain & Utility
Search across ALL NIST data types simultaneously with one tool
Check local database freshness and trigger manual rebuilds from NIST sources
Data is cached locally and persists across sessions
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@nist-mcp What are the NIST SP 800-53 controls for multi-factor authentication?"
That's it! The server will respond to your query, and you can continue using it as needed.
nist-mcp
A small Model Context Protocol (MCP) server that gives AI assistants structured access to the NIST cybersecurity catalog: publications, SP 800-53 Rev 5 controls, CSF 2.0, CMVP modules, NCP checklists, glossary terms, NICE work roles, and live NVD CVE/CPE data. Local NIST data is served from a SQLite index that builds automatically on first use by downloading structured data directly from NIST.
Installation
Install directly from GitHub:
pipx install git+https://github.com/ball2jh/nist-mcp.git
# or
pip install git+https://github.com/ball2jh/nist-mcp.git
For local development:
git clone https://github.com/ball2jh/nist-mcp.git
cd nist-mcp
pip install -e ".[dev,scraper]"
Configuration
Environment Variables
Variable | Default | Description |
NIST_MCP_DATA_DIR | | Directory for the local database and cached documents |
NIST_MCP_NVD_API_KEY | (none) | Optional NVD API key for higher rate limits (recommended) |
| | Seconds between background database rebuilds (default: 7 days) |
config.toml
Create ~/.nist-mcp/config.toml (or $NIST_MCP_DATA_DIR/config.toml) for persistent settings:
nvd_api_key = "your-api-key-here"
update_interval = 43200 # 12 hours
Environment variables take precedence over the config file.
MCP Client Config
Add to your MCP client's server list (e.g. Claude Desktop claude_desktop_config.json):
{
  "mcpServers": {
    "nist": {
      "command": "nist-mcp",
      "env": {
        "NIST_MCP_NVD_API_KEY": "your-api-key-here"
      }
    }
  }
}
On first run, the server builds a local database by downloading structured data from NIST (~2 seconds). The database is cached and rebuilt automatically when stale (default: every 7 days).
MCP Safety Notes
This server is intended to run as a local stdio MCP server. It does not expose an HTTP listener, so access is limited to the MCP client process that launches it. Logs are written through Python logging, which writes to stderr by default and does not corrupt stdio JSON-RPC traffic.
Tool schemas constrain common option sets and result sizes. Document downloads are limited to HTTPS URLs from known NIST publication hosts, redirects are revalidated, filenames are sanitized before writing to the local cache, and page extraction is capped at 50 pages per request. Tools that download, cache, or rebuild local data are annotated as non-destructive but not purely read-only so clients can present appropriate confirmation UI.
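The download checks described above (HTTPS-only allowlisted hosts, per-hop redirect revalidation, filename sanitization), sketched as an added example that is not nist-mcp's own code. The host allowlist, the redirect limit and all function names are assumptions made for illustration; the sample URL is constructed input.

```python
import re
from pathlib import Path, PurePosixPath
from urllib.parse import unquote, urlsplit

# Assumed allowlist and limit for illustration; the server's real values are not on this page.
ALLOWED_HOSTS = {"csrc.nist.gov", "nvlpubs.nist.gov"}
MAX_REDIRECTS = 5


def check_url(url: str) -> str:
    """Return url if it is HTTPS on an allowlisted host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"non-HTTPS URL rejected: {url}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL rejected")
    host = (parts.hostname or "").rstrip(".")
    # Exact match: suffix or substring tests would accept nvlpubs.nist.gov.evil.example.
    if host not in ALLOWED_HOSTS or parts.port not in (None, 443):
        raise ValueError(f"host or port not allowlisted: {parts.netloc!r}")
    return url


def check_redirect_chain(hops: list[str]) -> str:
    """Revalidate the request URL and every Location value; return the final URL.

    A real client would disable automatic redirects and call check_url on each
    Location header before following it; here the chain is passed in as a list.
    """
    if not hops or len(hops) > MAX_REDIRECTS + 1:
        raise ValueError("empty chain or too many redirects")
    for hop in hops:
        check_url(hop)
    return hops[-1]


def safe_cache_path(cache_dir: Path, url: str) -> Path:
    """Build a cache path from the URL's last path segment, confined to cache_dir."""
    name = PurePosixPath(unquote(urlsplit(url).path)).name
    # Keep a conservative character set, drop leading dots, bound the length.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")[:128] or "download"
    target = (cache_dir / name).resolve()
    if target.parent != cache_dir.resolve():
        raise ValueError("path escapes cache directory")
    return target


if __name__ == "__main__":
    # Constructed sample input.
    url = "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf"
    print(safe_cache_path(Path("/tmp/nist-cache"), check_redirect_chain([url])))
```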
Available Tools
Tool | Description |
search_nist | Search local NIST catalog data across publications, controls, CSF, glossary, CMVP, checklists, and NICE |
get_nist_record | Fetch a single local NIST record by source and ID |
| Download/cache and read publication content as Markdown; returns a PDF TOC by default |
| Search live NVD CVE or CPE data |
get_cve | Fetch one CVE with CVSS, weaknesses, references, KEV status, and optional change history |
| Show database build date, size, freshness, and file path |
| Rebuild the local NIST index by downloading fresh data from NIST sources |
Available Resources
URI | Description |
| Server version, database freshness, and quick-start tool guide |
Quick Examples
Find NIST guidance on zero trust
search_nist("zero trust architecture")
Look up the SP 800-207 publication
search_nist("zero trust", source="publications")
get_nist_record(source="publications", record_id="SP.800-207")
Review access control requirements for a MODERATE system
search_nist("account management", source="controls", detail="standard")
get_nist_record(source="controls", record_id="AC-2")
Analyze Log4Shell
get_cve("CVE-2021-44228")
Check if your cryptographic library is FIPS validated
search_nist("OpenSSL", source="cmvp")
Find CSF guidance on incident response
search_nist("incident response", source="csf")
License
MIT license. Note that pymupdf4llm, used for PDF-to-Markdown conversion, is licensed under AGPL-3.0.