Security compliance controls, frameworks, and risk management for AI agents.
Give your AI assistant access to 1,451 SCF security controls, 354+ framework mappings (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR), evidence tracking, risk registers, and vendor risk management — all through the Model Context Protocol.
Built and maintained by ComplianceGenie.io | Platform: SCF Controls Platform
mcp-server-scf connects AI assistants to the SCF Controls Platform via MCP, enabling natural language interaction with your compliance program. Your AI can browse the full SCF control catalog, track implementation progress, manage evidence collection, assess risks, and monitor third-party vendors — all without leaving your editor or chat.
38 tools across 7 domains:
| Domain | Tools | Description |
|---|---|---|
| Catalog | 6 | Browse 1,451 controls, 354+ frameworks, 5,736 assessment objectives |
| Control Scoping | 6 | Track implementation status across an 8-state workflow |
| Evidence | 4 | Manage evidence collection and maturity scoring |
| Risk Management | 5 | 5x5 risk matrix, risk register, severity summaries |
| Vendor Risk (TPRM) | 7 | Vendor registry, AI-powered security research, DPSIA |
| Organization | 7 | Users, orgs, audit trail, work queue, notifications |
| Capabilities | 4 | KSI capability themes, systems inventory |
- Sign up at scfcontrolsplatform.com
- Go to Settings > API Keys
- Click Generate New Key
- Copy the key (shown once); it starts with `scf_`
For Claude Desktop, add the server to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

```json
{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}
```

For Claude Code, register the server from the command line:

```bash
claude mcp add scf -- npx -y mcp-server-scf
```

Then set the environment variables in your shell:

```bash
export SCF_API_KEY="scf_your_api_key_here"
export SCF_API_URL="https://eu.scfcontrolsplatform.app"
```

For Cursor and similar editors, add the same entry to your MCP config (.cursor/mcp.json or equivalent):

```json
{
  "mcpServers": {
    "scf": {
      "command": "npx",
      "args": ["-y", "mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here",
        "SCF_API_URL": "https://eu.scfcontrolsplatform.app"
      }
    }
  }
}
```

To run the server from the published Docker image instead of npx:

```json
{
  "mcpServers": {
    "scf": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "SCF_API_KEY", "markac007/mcp-server-scf"],
      "env": {
        "SCF_API_KEY": "scf_your_api_key_here"
      }
    }
  }
}
```

Note that each of these config files holds the API key in plaintext, so keep the file readable only by your own user and never commit it to version control. In the Docker form, `-e SCF_API_KEY` with no value forwards the variable from the environment the `env` block sets; the image then uses the default SCF_API_URL, so add `-e SCF_API_URL` and a matching `env` entry if you need a different endpoint.

Environment variables:

| Variable | Required | Default | Description |
|---|---|---|---|
| SCF_API_KEY | Yes | — | Your SCF platform API key (starts with scf_) |
| SCF_API_URL | No | https://eu.scfcontrolsplatform.app | Platform API endpoint |
Read-only access to the full SCF control catalog — 1,451 controls, 354+ frameworks, 272 evidence types, and 5,736 assessment objectives.
List SCF security controls with search, domain, and framework filters.
| Parameter | Type | Required | Description |
|---|---|---|---|
| search | string | No | Search by control title or description |
| domain | string | No | Filter by domain identifier (e.g., GOV, AST, IAC) |
| framework | string | No | Filter by framework (e.g., nist-800-53, iso-27001) |
| limit | number | No | Results to return (default: 25, max: 100) |
| offset | number | No | Results to skip for pagination (default: 0) |
Get detailed information about a specific SCF control including description, mapped frameworks, assessment objectives, and linked evidence items.
| Parameter | Type | Required | Description |
|---|---|---|---|
| scf_id | string | Yes | SCF control identifier (e.g., AST-01, IAC-15, GOV-02) |
List all 354+ compliance frameworks mapped in the SCF catalog (NIST 800-53, ISO 27001, SOC 2, FedRAMP, GDPR, and more).
No parameters.
List all compliance domains in the SCF taxonomy. Domains group related security controls (e.g., GOV = Governance, AST = Asset Management, IAC = Identity & Access Control).
No parameters.
List the 272 standard evidence types from the SCF reference catalog that can be collected to demonstrate control implementation.
| Parameter | Type | Required | Description |
|---|---|---|---|
| search | string | No | Search by evidence title or description |
| limit | number | No | Results to return (default: 25, max: 100) |
| offset | number | No | Results to skip for pagination (default: 0) |
List the 5,736 assessment test criteria used to evaluate control implementation. Can filter by specific control ID.
| Parameter | Type | Required | Description |
|---|---|---|---|
| control_id | string | No | Filter by SCF control ID (e.g., GOV-01, AST-02) |
| search | string | No | Search term to filter objectives |
| limit | number | No | Results to return (default: 25, max: 100) |
| offset | number | No | Results to skip for pagination (default: 0) |
Track implementation status of controls scoped to your organization. Supports an 8-state workflow: not_started, in_progress, implemented, ready_for_review, monitored, not_applicable, at_risk, deferred.
List controls scoped to your organization with implementation status. Supports filtering by status, domain, framework, and search.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID); use list_organizations to find it |
| scope_status | string | No | Filter by status: not_started, in_progress, implemented, ready_for_review, monitored, not_applicable, at_risk, deferred |
| domain | string | No | Filter by SCF domain (e.g., GOV, AST, IAC) |
| framework | string | No | Filter by framework |
| search | string | No | Search by control ID or title |
| limit | number | No | Results to return (default: 25, max: 100) |
| offset | number | No | Results to skip for pagination (default: 0) |
Get detailed implementation status of a specific scoped control, including owner, notes, evidence links, and audit history.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| scf_id | string | Yes | SCF control identifier (e.g., AST-01, GOV-02) |
Update a scoped control's implementation tracking fields. Only provided fields are updated.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| scf_id | string | Yes | SCF control identifier (e.g., AST-01, GOV-02) |
| implementation_status | string | No | New status (lowercase): not_started, in_progress, implemented, ready_for_review, monitored, not_applicable, at_risk, deferred |
| priority | string | No | Priority: high, medium, low |
| maturity_level | string | No | Control maturity level |
| owner | string | No | Control owner (person accountable) |
| assigned_to | string | No | Assignee (person responsible for implementation) |
| implementation_notes | string | No | Implementation notes and context |
| target_date | string | No | Target completion date (YYYY-MM-DD) |
| completion_date | string | No | Actual completion date (YYYY-MM-DD) |
| selection_reason | string | No | Justification for status (required for not_applicable, deferred) |
Get implementation statistics — counts by status, completion percentage, and framework coverage breakdown.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
Bulk-scope all controls from a framework to your organization. Creates scoped control entries for every control in the selected framework.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| framework_id | string | Yes | Framework ID to scope (e.g., nist-800-53-r5) |
Batch update up to 500 scoped controls in a single transaction.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| operations | array | Yes | Array of update operations (max 500); fields listed below |

Each operation in the operations array accepts:

| Field | Type | Required | Description |
|---|---|---|---|
| scf_id | string | Yes | SCF control identifier (e.g., AST-01) |
| selected | boolean | No | Whether the control is in scope |
| implementation_status | string | No | Implementation status (lowercase) |
| selection_reason | string | No | Justification for selection or status |
| priority | string | No | Implementation priority |
| owner | string | No | Control owner |
| assigned_to | string | No | Assignee |
| maturity_level | string | No | Control maturity level |
| target_date | string | No | Target date (YYYY-MM-DD) |
| completion_date | string | No | Completion date (YYYY-MM-DD) |
| implementation_notes | string | No | Implementation notes |
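A batch of 500 rows is rejected as a unit if any row is malformed, so it pays to validate on the client before calling the tool. The TypeScript below is an added example, not code from mcp-server-scf: it merges repeated scf_ids, enforces the lowercase status vocabulary and the high/medium/low priorities, checks that target_date and completion_date are real YYYY-MM-DD calendar dates, insists on a selection_reason for not_applicable and deferred (as the single-control update tool requires), and splits larger change sets into batches of at most 500. The `ScopedControlOp` type, the `buildBatches` helper and the control-ID pattern (three-letter domain, two-digit number, optional sub-control suffix, matching the identifiers shown on this page) are this example's own assumptions, not the server's API.

```typescript
// Added example: client-side validation and chunking of batch update operations.
// Type and helper names are this example's own, not mcp-server-scf's.

const STATUSES = [
  "not_started", "in_progress", "implemented", "ready_for_review",
  "monitored", "not_applicable", "at_risk", "deferred",
] as const;
type ImplementationStatus = (typeof STATUSES)[number];

const PRIORITIES = ["high", "medium", "low"] as const;
type Priority = (typeof PRIORITIES)[number];

const MAX_BATCH = 500; // documented ceiling per batch update call

// One operation, mirroring the documented fields.
interface ScopedControlOp {
  scf_id: string;
  selected?: boolean;
  implementation_status?: ImplementationStatus;
  selection_reason?: string;
  priority?: Priority;
  owner?: string;
  assigned_to?: string;
  maturity_level?: string;
  target_date?: string;
  completion_date?: string;
  implementation_notes?: string;
}

// Assumed identifier shape: GOV-01, IAC-15, optionally GOV-01.1 for a sub-control.
const SCF_ID = /^[A-Z]{3}-\d{2}(\.\d+)?$/;

// YYYY-MM-DD that also names a real calendar day (rejects 2024-02-30 and month 13).
function isIsoDate(s: string): boolean {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return false;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const t = new Date(Date.UTC(y, mo - 1, d)); // overflow rolls into the next month
  return t.getUTCFullYear() === y && t.getUTCMonth() === mo - 1 && t.getUTCDate() === d;
}

// Returns human-readable problems for one operation; an empty list means it is acceptable.
function validateOp(op: ScopedControlOp): string[] {
  const problems: string[] = [];
  if (!SCF_ID.test(op.scf_id)) problems.push(`${op.scf_id}: malformed scf_id`);
  const st = op.implementation_status;
  if (st !== undefined) {
    // The API wants lowercase names; catch "Implemented" here rather than in a 400 response.
    if (!(STATUSES as readonly string[]).includes(st)) problems.push(`${op.scf_id}: unknown status "${st}"`);
    const reason = op.selection_reason ? op.selection_reason.trim() : "";
    if ((st === "not_applicable" || st === "deferred") && reason === "")
      problems.push(`${op.scf_id}: ${st} requires a selection_reason`);
  }
  if (op.priority !== undefined && !(PRIORITIES as readonly string[]).includes(op.priority))
    problems.push(`${op.scf_id}: unknown priority "${op.priority}"`);
  for (const f of ["target_date", "completion_date"] as const) {
    const v = op[f];
    if (v !== undefined && !isIsoDate(v)) problems.push(`${op.scf_id}: ${f} must be YYYY-MM-DD`);
  }
  return problems;
}

// Merges repeated scf_ids (later fields win) so one transaction never carries two rows for
// the same control, validates the merged rows, and chunks them into batches of MAX_BATCH.
function buildBatches(ops: ScopedControlOp[]): { batches: ScopedControlOp[][]; problems: string[] } {
  const byId = new Map<string, ScopedControlOp>();
  for (const op of ops) byId.set(op.scf_id, { ...(byId.get(op.scf_id) ?? {}), ...op });
  const merged = Array.from(byId.values());
  const problems: string[] = [];
  for (const op of merged) problems.push(...validateOp(op));
  const batches: ScopedControlOp[][] = [];
  for (let i = 0; i < merged.length; i += MAX_BATCH) batches.push(merged.slice(i, i + MAX_BATCH));
  return { batches, problems };
}
```

Call `buildBatches` on the full change set, refuse to send anything while `problems` is non-empty, then submit each entry of `batches` as one batch update call. Merging before validation is deliberate: a status change and its justification often arrive as separate rows, and merging lets the pair satisfy the selection_reason rule.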
Track evidence artifacts that demonstrate control implementation for audit readiness.
List evidence items tracked for an organization's controls.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| system_id | string | No | Filter by system ID |
Create a new evidence item linked to a control.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| title | string | Yes | Evidence title |
| control_id | string | No | Scoped control ID to link evidence to |
| description | string | No | Evidence description |
| evidence_type | string | No | Type: document, screenshot, log, etc. |
Get evidence maturity summary — average maturity score, automation percentage, distribution by maturity level, and improvement opportunities.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
List evidence collection tasks — the work queue for gathering evidence. Shows what needs to be collected, by whom, and by when.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | No | Organization ID (UUID) |
| assignee | string | No | Filter by assigned user |
| status | string | No | Filter by task status |
5x5 risk matrix with inherent and residual scoring, treatment tracking, and severity summaries.
List risk assessments in the organization's risk register.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| status | string | No | Filter by treatment status |
| page | number | No | Page number (default: 1) |
| per_page | number | No | Results per page (default: 25, max: 100) |
Get detailed risk assessment including inherent and residual scores, treatment plan, owner, and review date.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| risk_id | string | Yes | Risk assessment ID |
Create a new risk assessment in the 5x5 risk matrix.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| title | string | Yes | Risk title |
| description | string | Yes | Risk description |
| likelihood | number | Yes | Inherent likelihood (1-5) |
| impact | number | Yes | Inherent impact (1-5) |
| owner | string | No | Risk owner |
| treatment_status | string | No | Treatment: mitigate, accept, transfer, avoid |
| control_id | string | No | Linked control ID |
Get the 5x5 risk matrix visualization data showing risk distribution across likelihood and impact.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
Get aggregated risk summary — total risks by severity, treatment status breakdown, and trend data.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
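The matrix and summary tools above return aggregates the platform computes; the TypeScript below is an added example (not the platform's or the project's code) that reproduces that aggregation over a constructed register so the shape of the data is clear: score is likelihood times impact on the 1-5 scales the create tool documents, residual falls back to inherent when no treatment has reduced it, and each risk is placed in a 5x5 cell by its residual pair. The severity bands (critical at 15 and above, high at 10, medium at 5, low below that) are this example's assumption, since the page does not publish the platform's bands, and the rule that residual may not exceed inherent is the example's own sanity check.

```typescript
// Added example: 5x5 risk scoring and summary over a constructed register.
// Severity bands and the residual-vs-inherent check are this example's assumptions.

type Treatment = "mitigate" | "accept" | "transfer" | "avoid";
type Severity = "critical" | "high" | "medium" | "low";

interface Risk {
  title: string;
  likelihood: number; // inherent, 1-5
  impact: number;     // inherent, 1-5
  treatment_status?: Treatment;
  residual?: { likelihood: number; impact: number }; // after treatment, when reassessed
}

function assertScale(n: number, name: string): void {
  if (!Number.isInteger(n) || n < 1 || n > 5) throw new RangeError(`${name} must be an integer 1-5, got ${n}`);
}

// Product of the two axes, so scores range 1..25.
function score(likelihood: number, impact: number): number {
  assertScale(likelihood, "likelihood");
  assertScale(impact, "impact");
  return likelihood * impact;
}

// Assumed bands; substitute the platform's own thresholds where they differ.
function severity(s: number): Severity {
  if (s >= 15) return "critical";
  if (s >= 10) return "high";
  if (s >= 5) return "medium";
  return "low";
}

// Residual defaults to inherent until a treatment has actually lowered it.
function residualOf(r: Risk): { likelihood: number; impact: number } {
  return r.residual ?? { likelihood: r.likelihood, impact: r.impact };
}

interface Summary {
  matrix: number[][];                               // matrix[likelihood-1][impact-1], residual placement
  bySeverity: Record<Severity, number>;             // residual
  inherentBySeverity: Record<Severity, number>;     // before treatment, for the "how much did we reduce" view
  byTreatment: Record<Treatment | "untreated", number>;
}

function summarize(register: Risk[]): Summary {
  const zeroSev = (): Record<Severity, number> => ({ critical: 0, high: 0, medium: 0, low: 0 });
  const out: Summary = {
    matrix: Array.from({ length: 5 }, () => new Array<number>(5).fill(0)),
    bySeverity: zeroSev(),
    inherentBySeverity: zeroSev(),
    byTreatment: { mitigate: 0, accept: 0, transfer: 0, avoid: 0, untreated: 0 },
  };
  for (const r of register) {
    const inherent = score(r.likelihood, r.impact);
    const res = residualOf(r);
    const residual = score(res.likelihood, res.impact);
    // Example's own sanity rule: treatment can only lower the score, never raise it.
    if (residual > inherent) throw new RangeError(`${r.title}: residual ${residual} exceeds inherent ${inherent}`);
    out.inherentBySeverity[severity(inherent)]++;
    out.bySeverity[severity(residual)]++;
    out.matrix[res.likelihood - 1][res.impact - 1]++;
    out.byTreatment[r.treatment_status ?? "untreated"]++;
  }
  return out;
}

// Constructed sample register; not real assessment data.
const SAMPLE: Risk[] = [
  { title: "Cloud migration data exposure", likelihood: 4, impact: 5, treatment_status: "mitigate", residual: { likelihood: 2, impact: 5 } },
  { title: "Vendor outage", likelihood: 3, impact: 3, treatment_status: "transfer", residual: { likelihood: 3, impact: 2 } },
  { title: "Stale admin accounts", likelihood: 5, impact: 3 },
  { title: "Legacy tool past end of life", likelihood: 2, impact: 2, treatment_status: "accept" },
];
```

Running `summarize(SAMPLE)` shows why both views matter: two risks are critical on inherent scoring but only one stays critical after treatment, and that one ("Stale admin accounts") is also the only untreated entry, which is exactly the row a reviewer should be asked about.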
Third-party risk management with AI-powered security research, breach detection, and data protection impact assessments.
List vendors in the TPRM registry with status and criticality filters.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| status | string | No | Filter: active, inactive, under_review |
| criticality | string | No | Filter: critical, high, medium, low |
| page | number | No | Page number (default: 1) |
| per_page | number | No | Results per page (default: 25, max: 100) |
Get detailed vendor information including certifications, assessments, risk score, and research results.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| vendor_id | string | Yes | Vendor ID |
Add a new vendor to the TPRM registry.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| name | string | Yes | Vendor name |
| description | string | No | Vendor description |
| category | string | No | Category: SaaS, Infrastructure, Consulting, etc. |
| criticality | string | No | Criticality: critical, high, medium (default), low |
| website | string | No | Vendor website URL |
| contact_email | string | No | Primary contact email |
Trigger AI-powered security research for a vendor — checks HIBP (breach databases), NVD (vulnerability databases), and public security posture.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| vendor_id | string | Yes | Vendor ID |
Get the latest AI-powered research results for a vendor, including breach history, known vulnerabilities, and security posture analysis.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| vendor_id | string | Yes | Vendor ID |
Trigger a Data Protection Security Impact Assessment (DPSIA) for a vendor. Evaluates security posture against CIA triad and certification requirements.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| vendor_id | string | Yes | Vendor ID |
User management, audit trail, work queue, and notifications.
Get the current authenticated user's profile, including name, email, organizations, and role.
No parameters.
List organizations the current user has access to. Returns org ID, name, tier, and member count.
No parameters.
Get detailed organization information including subscription tier, member count, usage limits, and settings.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
List members of an organization with their roles (admin, editor, viewer).
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
Get the authenticated user's prioritized work queue — pending tasks, assignments, and action items across all organizations.
No parameters.
Get the field-level audit trail for an organization. Shows changes to controls, evidence, and other entities with actor, timestamp, and before/after values.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| limit | number | No | Results to return (default: 50, max: 100) |
| offset | number | No | Results to skip for pagination (default: 0) |
Get notifications for the current user — new assignments, comments, status changes, and system alerts.
| Parameter | Type | Required | Description |
|---|---|---|---|
| unread_only | boolean | No | Only return unread notifications (default: false) |
| limit | number | No | Notifications to return (default: 25, max: 100) |
KSI-aligned capability themes and infrastructure systems inventory.
List the 11 KSI-aligned capability themes for an organization. Capability themes group NIST 800-53 controls into security capability areas.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
List security capabilities mapped to systems and evidence, showing what security functions your infrastructure supports.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
List infrastructure systems in the organization's inventory.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
Add a system to the organization's infrastructure inventory. Systems can be linked to capabilities and evidence.
| Parameter | Type | Required | Description |
|---|---|---|---|
| org_id | string | Yes | Organization ID (UUID) |
| name | string | Yes | System name |
| system_type | string | Yes | Type: cloud_provider, identity_provider, ticketing, logging, security_tool, code_repository, document_management, custom |
| description | string | No | System description |
| status | string | No | Status: active (default), inactive, deprecated |
Once connected, try asking your AI assistant:
- "What NIST 800-53 controls apply to access control?"
- "Show me my organization's control implementation progress"
- "List all critical vendors and their risk scores"
- "Create a risk assessment for our cloud migration"
- "What evidence do I need to collect for SOC 2 audit?"
- "Show the 5x5 risk matrix for my organization"
- "Scope the ISO 27001 framework for my org"
- "Batch update all access control controls to in_progress"
- "What's in my compliance work queue today?"
- "Run a DPSIA on our cloud provider vendor"
- API keys are never logged or included in error messages
- All communication uses HTTPS
- Keys are SHA-256 hashed server-side
- Rate limiting: 100 req/min (read), 20 req/min (write)
- Multi-tenant: all operations scoped to your organization
- npm package published with provenance attestation via OIDC trusted publishing
- CI includes Gitleaks secret detection, CodeQL analysis, and Semgrep SAST
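The first and third bullets describe two halves of the same discipline: the client must not leak the key into logs or error text, and the server must not store it recoverably. The TypeScript below is an added example, not mcp-server-scf's or the platform's code, showing how each half is typically implemented with Node's built-in crypto module: a `redactKeys` scrubber that replaces anything shaped like a platform key before a message is thrown or logged, a `SafeApiError` wrapper that applies it to upstream error text (which HTTP client libraries sometimes fill with the echoed Authorization header), and a server-side `hashKey`/`verifyKey` pair that stores only the SHA-256 digest and compares digests in constant time. The key body format (`scf_` followed by 40 hex characters) and all function names are this example's assumptions; only the `scf_` prefix comes from the page.

```typescript
// Added example of key hygiene on both sides of the API; not the project's code.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed key shape: "scf_" plus an opaque body. The redaction pattern is kept loose on purpose
// so that keys of any body length are caught; it also matches the placeholder in the config samples.
const KEY_PATTERN = /scf_[A-Za-z0-9_-]{8,}/g;

// Client side: replace every key-shaped token with a stub that keeps only the last four
// characters, enough to correlate with the platform's key list but not to authenticate.
function redactKeys(text: string): string {
  return text.replace(KEY_PATTERN, (m) => "scf_****" + m.slice(-4));
}

// Client side: an error type whose message is scrubbed at construction, so that whatever an
// upstream library put in its message (possibly the Authorization header) never reaches a log.
class SafeApiError extends Error {
  readonly status: number;
  constructor(status: number, upstreamMessage: string) {
    super(redactKeys(`SCF API request failed (${status}): ${upstreamMessage}`));
    this.name = "SafeApiError";
    this.status = status;
  }
}

// Server side: only the SHA-256 digest is persisted, so a database leak yields no usable keys.
function hashKey(key: string): Buffer {
  return createHash("sha256").update(key, "utf8").digest();
}

// Server side: issue a fresh key (20 random bytes as 40 hex characters, an assumed format)
// and return the digest that would be stored alongside the key's owner and scope.
function generateKey(): { key: string; digest: Buffer } {
  const key = "scf_" + randomBytes(20).toString("hex");
  return { key, digest: hashKey(key) };
}

// Server side: hash the presented key and compare digests in constant time. Comparing with ===
// would leak how many leading bytes matched through timing; timingSafeEqual does not.
function verifyKey(presented: string, storedDigest: Buffer): boolean {
  if (!presented.startsWith("scf_")) return false;
  const digest = hashKey(presented);
  return digest.length === storedDigest.length && timingSafeEqual(digest, storedDigest);
}
```

Redaction belongs on the client even though the server also promises not to log keys: the MCP server runs as a local process whose stderr goes wherever the editor or desktop app sends it, and that path is outside the platform's control. Hashing with plain SHA-256 (rather than a slow password hash) is the right choice here because API keys are long random strings, not user-chosen passwords, so brute force against the digest is already infeasible.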
```text
src/
├── index.ts                 # Server entry point (stdio transport)
├── tools/
│   ├── catalog.ts           # SCF reference data (read-only, 6 tools)
│   ├── scoped-controls.ts   # Control implementation tracking (6 tools)
│   ├── evidence.ts          # Evidence collection (4 tools)
│   ├── risk.ts              # Risk register (5 tools)
│   ├── vendors.ts           # Third-party risk management (7 tools)
│   ├── organization.ts      # Org, users, audit, notifications (7 tools)
│   └── capabilities.ts      # KSI themes, systems (4 tools)
└── lib/
    ├── api-client.ts        # HTTP client with auth
    └── errors.ts            # Structured error handling
```
Clone and build from source:

```bash
git clone https://github.com/MarkAC007/mcp-server-scf.git
cd mcp-server-scf
npm install
npm run build
npm run dev   # Watch mode
npm run lint  # ESLint
```

Exercise the built server interactively with the MCP Inspector:

```bash
SCF_API_KEY=scf_your_key npx @modelcontextprotocol/inspector node build/index.js
```

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
MIT - see LICENSE
- SCF Controls Platform — The compliance platform
- ComplianceGenie.io — Maintained by Compliance Genie
- Model Context Protocol — MCP specification
- SCF Framework — Secure Controls Framework
- npm Package — npm registry
- Changelog — Release history