@cloudcraftwithfranck/govcloud-mcp

ssp_section

Generate a complete System Security Plan (SSP) section in eMASS-ready format for any NIST 800-18 topic, including system description, boundary, user types, and more.

Instructions

Generate a complete System Security Plan (SSP) section in eMASS-ready format. Covers system description, boundary, user types, interconnections, laws and regulations, or any NIST 800-18 section.

Input Schema

TableJSON Schema

Name	Required	Description
`section`	Yes	SSP section to generate
`systemName`	Yes	Official system name (e.g., "ACME Mission System")
`systemDescription`	Yes	Brief description of what the system does
`azureServices`	Yes	Azure services in scope e.g. ["AKS","Key Vault","Storage Account","Azure SQL"]
`impactLevel`	Yes
`additionalContext`	No	Additional context specific to your system (optional)

Implementation Reference

src/tools/documents/ssp-section.ts:70-93 (handler)

Main handler function for the ssp_section tool. Validates input via Zod schema, normalizes impact level strings, builds the prompt using sspSectionTemplate, calls Anthropic Claude API with retry logic, and returns the AI-generated SSP section text.

export async function handleSspSection(args: unknown): Promise<string> {
  return runTool('ssp_section', args, Schema, async ({ section, systemName, systemDescription, azureServices, impactLevel: rawImpactLevel, additionalContext }) => {
    const impactLevel = rawImpactLevel
      .replace('dod-il4', 'il4')
      .replace('dod-il5', 'il5')
      .replace(/^moderate$/, 'fedramp-moderate')
      .replace(/^high$/, 'fedramp-high');

    const systemInfo = `${systemName} — ${systemDescription}`;
    const prompt = sspSectionTemplate(section, systemInfo, azureServices, impactLevel, additionalContext);

    const response = await withRetry(
      () => anthropic.messages.create({
        model: MODEL,
        max_tokens: getTokenBudget('ssp_section'),
        system: DOCUMENT_SYSTEM,
        messages: [{ role: 'user', content: prompt }],
      }),
      { toolName: 'ssp_section' }
    );

    return response.content[0].type === 'text' ? response.content[0].text : '';
  });
}

src/tools/documents/ssp-section.ts:52-68 (schema)

Zod schema for validating ssp_section input: enforces enum for section (8 SSP section types), string max lengths, array constraints for azureServices, and enum for impactLevel.

const Schema = z.object({
  section: z.enum([
    'system-description',
    'system-boundary',
    'user-types',
    'interconnections',
    'laws-regulations',
    'information-types',
    'security-categorization',
    'control-summary',
  ]),
  systemName: z.string().max(500),
  systemDescription: z.string().max(2000),
  azureServices: z.array(z.string().max(500)).min(1).max(50),
  impactLevel: z.enum(['fedramp-moderate', 'fedramp-high', 'il4', 'il5', 'moderate', 'high', 'dod-il4', 'dod-il5']),
  additionalContext: z.string().max(500).optional(),
});

src/tools/documents/ssp-section.ts:8-50 (schema)

Tool definition object for ssp_section, including name 'ssp_section', description, and JSON Schema input schema (section enum, systemName, systemDescription, azureServices array, impactLevel enum, additionalContext).

export const sspSectionTool = {
  name: 'ssp_section',
  description:
    'Generate a complete System Security Plan (SSP) section in eMASS-ready format. Covers system description, boundary, user types, interconnections, laws and regulations, or any NIST 800-18 section.',
  inputSchema: {
    type: 'object' as const,
    properties: {
      section: {
        type: 'string',
        enum: [
          'system-description',
          'system-boundary',
          'user-types',
          'interconnections',
          'laws-regulations',
          'information-types',
          'security-categorization',
          'control-summary',
        ],
        description: 'SSP section to generate',
      },
      systemName: { type: 'string', description: 'Official system name (e.g., "ACME Mission System")' },
      systemDescription: {
        type: 'string',
        description: 'Brief description of what the system does',
      },
      azureServices: {
        type: 'array',
        items: { type: 'string' },
        description: 'Azure services in scope e.g. ["AKS","Key Vault","Storage Account","Azure SQL"]',
      },
      impactLevel: {
        type: 'string',
        enum: ['fedramp-moderate', 'fedramp-high', 'il4', 'il5', 'moderate', 'high', 'dod-il4', 'dod-il5'],
      },
      additionalContext: {
        type: 'string',
        description: 'Additional context specific to your system (optional)',
      },
    },
    required: ['section', 'systemName', 'systemDescription', 'azureServices', 'impactLevel'],
  },
};

src/tools/index.ts:60-87 (registration)

Tool dispatch in handleToolCall function: case 'ssp_section' routes to handleSspSection(args). Also imported and listed in allTools array at line 54.

export async function handleToolCall(name: string, args: unknown): Promise<string> {
  switch (name) {
    case 'bicep_analyze':         return handleBicepAnalyze(args);
    case 'bicep_remediate':       return handleBicepRemediate(args);
    case 'control_lookup':        return handleControlLookup(args);
    case 'control_narrative':     return handleControlNarrative(args);
    case 'poam_generate':         return handlePoamGenerate(args);
    case 'ato_readiness':         return handleAtoReadiness(args);
    case 'oscal_fragment':        return handleOscalFragment(args);
    case 'landing_zone_design':   return handleLandingZone(args);
    case 'landing_zone_reference': return handleLandingZoneReference(args);
    case 'azure_service_selector': return handleServiceSelect(args);
    case 'gcc_high_guidance':     return handleGccHigh(args);
    case 'private_endpoint_map':  return handlePrivateEndpoint(args);
    case 'bigbang_validate':      return handleBigbangValidate(args);
    case 'bigbang_harden':        return handleBigbangHarden(args);
    case 'ironbank_lookup':       return handleIronbankLookup(args);
    case 'addon_configurator':    return handleAddonConfigurator(args);
    case 'pipeline_audit':        return handlePipelineAudit(args);
    case 'signing_config':        return handleSigningConfig(args);
    case 'devsecops_scorecard':   return handleDevsecopsScorecard(args);
    case 'ssp_section':           return handleSspSection(args);
    case 'contingency_plan':      return handleContingencyPlan(args);
    case 'govcloud_quickstart':   return handleGovcloudQuickstart(args);
    default:
      throw new Error(`Unknown tool: ${name}`);
  }
}

src/prompts/templates.ts:71-91 (helper)

Prompt template function sspSectionTemplate that generates the system prompt sent to Claude, including system info, Azure services, impact level, and optional additional context.

export function sspSectionTemplate(
  section: string,
  systemInfo: string,
  azureServices: string[],
  impactLevel: string,
  additionalContext?: string
): string {
  return `Generate SSP section "${section}" for a federal system.

System Information: ${systemInfo}
Azure Services: ${azureServices.join(', ')}
Impact Level: ${impactLevel}
${additionalContext ? `Additional Context: ${additionalContext}` : ''}

Requirements:
- Match exact FedRAMP SSP template format for this section
- Reference FedRAMP SSP template section numbers
- Include required tables where the template specifies them
- AO-review quality prose
- Specific to Azure ${impactLevel} environment`;
}

Tool Definition Quality

A3.5/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions the output format (eMASS-ready) but does not disclose whether the tool makes external calls, requires specific permissions, or has side effects. Essential behavioral traits are missing.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences, front-loading the core action (generate SSP section) and listing coverage. Every sentence adds value without redundancy or fluff.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

The tool has 6 parameters, no output schema. The description explains the purpose and coverage but does not specify the return format beyond 'eMASS-ready', which leaves the agent guessing about structure. Given the complexity, more details on output would improve completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 83%, with most parameters having descriptions. The description adds that the tool covers 'any NIST 800-18 section', which aligns with the enum but doesn't clarify if other sections are accepted. For impactLevel, the schema lacks a description, and the description does not elaborate on valid values or format.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it generates a complete SSP section in eMASS-ready format, listing specific sections like system boundary and user types. This differentiates it from sibling tools like contingency_plan or control_narrative, which focus on other documents.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description lists the covered sections but does not explicitly say when to use this tool versus alternatives. It implies usage for generating SSP sections, but lacks guidance on prerequisites or situations where other tools might be better.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server