Skip to content

Compliance and Frameworks

AbrahamOO edited this page Jun 18, 2026 · 1 revision

Compliance and Frameworks

security-mcp does not just find issues; it maps every finding to the standards an auditor recognizes and produces the evidence to prove it. This page lists the full framework catalog and the audit artifacts the tool generates.

Framework catalog

Application and API security

  • OWASP Top 10 (Web and API)
  • OWASP ASVS L2 and L3
  • OWASP MASVS (mobile)
  • OWASP LLM Top 10
  • OWASP Testing Guide

Adversary and weakness modeling

  • MITRE ATT&CK (Enterprise, Cloud, Mobile)
  • MITRE D3FEND (countermeasures)
  • MITRE ATLAS (adversarial ML)
  • MITRE CAPEC (attack patterns)

NIST

  • NIST 800-53 r5 (control families)
  • NIST CSF 2.0
  • NIST 800-207 (Zero Trust)
  • NIST 800-218 (SSDF, secure software development)
  • NIST AI RMF
  • NIST 800-131A (algorithm transition)

Compliance and audit

  • PCI DSS 4.0
  • SOC 2 Type II
  • ISO 27001:2022 and ISO 27002
  • ISO 42001:2023 (AI management)
  • GDPR, CCPA, HIPAA

Supply chain and benchmarks

  • SLSA L3
  • CIS Benchmarks L2
  • AWS Foundational Security Best Practices (FSBP)
  • Microsoft Cloud Security Benchmark

Scoring

  • CVSS v4.0 and EPSS

What each area covers

Area Covers
OWASP Web, API, mobile, and LLM application risk, plus verification levels and test methodology
MITRE Adversary techniques, countermeasures, ML-specific attacks, and attack patterns, used to map and deduplicate findings by technique
NIST Security controls, the cybersecurity framework, zero trust, secure development, AI risk, and cryptographic transition
Compliance The certifications and regulations enterprises are audited against, from payments to privacy to AI management
Cloud and supply chain Provider hardening benchmarks (see Cloud Security Controls) and build-integrity levels
Scoring Severity and real-world exploit probability that drive SLA escalation in the gate

Audit artifacts

The tool produces the documents an audit asks for, written into .mcp/reports/:

  • Compliance report. Generated by generate_compliance_report, it maps findings and controls to the frameworks above (SOC 2, PCI DSS 4.0, ISO 27001, NIST 800-53, HIPAA, GDPR, and more) and shows coverage and gaps.
  • Attestations. SHA-256 attested reports that record a passing gate result, and the tamper-evident attestation hash chain that links agent attestations. Attestation refuses to sign over a non-PASS result, so an attested report is defensible evidence.
  • Risk register. Produced in the orchestrator program, with findings ranked by severity and tied to remediation SLA deadlines.

Together these give an auditor a control-by-control mapping, dated evidence, and a verifiable chain. See CISO Orchestrator for how the compliance-grc team assembles audit-grade evidence packages.

Clone this wiki locally