# üéì Understanding RAG and the NIST RAG Agent

**Welcome!** This notebook will teach you about **RAG (Retrieval-Augmented Generation)** and how to use the NIST RAG Agent. Don't worry if you're not technical - we'll explain everything in simple terms with real-world analogies.

---

## üìö Table of Contents

1. [What is RAG? (Explained Simply)](#part1)
2. [Why RAG is Better Than Regular AI](#part2)
3. [How the NIST RAG Agent Works](#part3)
4. [Setting Up Your Agent](#part4)
5. [Your First Query](#part5)
6. [Practical Examples](#part6)
7. [Understanding the Results](#part7)
8. [Tips and Best Practices](#part8)

---

## Part 1: What is RAG? (Explained Simply) ü§î
<a id="part1"></a>

### The Library Analogy

Imagine you have a smart assistant who can answer questions. There are two types:

**üß† Regular AI (like ChatGPT without RAG):**
- Like a person who memorized a lot of information years ago
- Can answer from memory, but might forget details or make things up
- Doesn't know about new information after their training
- Sometimes confidently gives wrong answers (called "hallucinations")

**üìö RAG AI (like our NIST Agent):**
- Like a person with access to a huge library
- First searches the library for relevant books
- Reads the actual pages before answering
- Shows you which books they used (citations)
- Always bases answers on real documents

### Breaking Down R-A-G:

1. **R - Retrieval**: Find relevant documents (like searching in a library)
2. **A - Augmented**: Enhanced with real information (like reading the books)
3. **G - Generation**: Create an answer using what was found (like writing a summary)

### Real-World Benefit:

**Without RAG:**
> "I think NIST recommends changing passwords every 90 days..." ‚ùå (Outdated/Wrong)

**With RAG:**
> "According to NIST SP 800-63B, passwords should NOT be changed regularly without reason. Source: NIST Digital Identity Guidelines, page 15" ‚úÖ (Accurate with proof)

---

## Part 2: Why RAG is Better Than Regular AI üåü
<a id="part2"></a>

### Key Advantages:

| Feature | Regular AI | RAG AI |
|---------|-----------|--------|
| **Accuracy** | Based on old training | Based on current documents |
| **Citations** | No sources | Shows exact sources |
| **Updates** | Needs retraining | Updates with new docs |
| **Hallucinations** | Common | Minimal (tied to real data) |
| **Trustworthiness** | Hard to verify | Easy to verify sources |

### Perfect Use Cases for RAG:

‚úÖ **Legal/Compliance** - Need exact references
‚úÖ **Technical Documentation** - Need accurate procedures
‚úÖ **Research** - Need to cite sources
‚úÖ **Enterprise Knowledge** - Search company documents
‚úÖ **Medical/Scientific** - Need verified information

### How Our NIST RAG Agent Helps:

- **596 NIST documents** with **530,000+ examples**
- Covers all major frameworks: CSF 2.0, Zero Trust, 800-53, etc.
- Always provides citations
- Understands context from previous questions
- Falls back to web search if needed

---

## Part 3: How the NIST RAG Agent Works üîß
<a id="part3"></a>

### The 5-Step Process:

```
Your Question ‚Üí Agent ‚Üí Tools ‚Üí AI Response ‚Üí You
```

#### Step-by-Step Breakdown:

**1Ô∏è‚É£ You Ask a Question**
```
"What are the access control requirements?"
```

**2Ô∏è‚É£ Question is Converted to Numbers (Embeddings)**
- Your text becomes a mathematical representation
- Think of it like a GPS coordinate for your question
- Similar questions get similar "coordinates"

**3Ô∏è‚É£ Find Similar Documents (Vector Search)**
- Agent searches through 596 NIST documents
- Finds the 5 most relevant sections
- Like Google search, but for NIST docs only

**4Ô∏è‚É£ AI Reads & Understands**
- GPT-4 reads the found documents
- Combines information from multiple sources
- Maintains conversation context

**5Ô∏è‚É£ Generate Response with Citations**
- Creates a clear answer in natural language
- Includes which documents were used
- Shows control IDs and links

### The Agent's Tools:

üîç **RAG Search Tool** - Primary search through NIST documents
üìã **Control Lookup** - Direct lookup of control IDs (like AC-2, AU-6)
üìñ **Document Search** - Searches titles and metadata
üåê **Web Search** - Fallback for very new or external info

### Smart Decision Making:

The agent automatically chooses the best tool:
- "Explain AC-2" ‚Üí Uses Control Lookup (fastest)
- "What is access control?" ‚Üí Uses RAG Search (most comprehensive)
- "Latest NIST news" ‚Üí Uses Web Search (most current)

---

## Part 4: Setting Up Your Agent üõ†Ô∏è
<a id="part4"></a>

### Prerequisites:

Before we start, you need:
1. **Python 3.10 or higher** installed
2. **OpenAI API Key** (get one at https://platform.openai.com/api-keys)
3. **Internet connection** (for first-time setup)

### Step 1: Install Required Packages

In [None]:
# Run this cell to install dependencies (only needed once)
# Note: This may take a few minutes

!pip install openai langchain langchain-openai langchain-community datasets faiss-cpu python-dotenv

### Step 2: Set Up Your API Key

**Important:** Never share your API key! Keep it secret like a password.

In [None]:
import os

# Replace 'your-api-key-here' with your actual OpenAI API key
os.environ['OPENAI_API_KEY'] = 'your-api-key-here'

# Verify it's set
if os.environ.get('OPENAI_API_KEY'):
    print("‚úÖ API key is set!")
else:
    print("‚ùå API key not found. Please add it above.")

### Step 3: Import the Agent

Make sure you're in the correct directory with the `agent.py` file.

In [None]:
# Import the NIST RAG Agent
from agent import NistRagAgent

print("‚úÖ Successfully imported NistRagAgent!")

### Step 4: Initialize the Agent

**‚ö†Ô∏è First-Time Setup:** This will download ~7GB of NIST documents. It takes 5-15 minutes depending on your internet speed. After the first time, it's much faster!

In [None]:
# Initialize the agent
# First time: Downloads dataset and creates search index (~7GB)
# Subsequent times: Uses cached data (fast!)

print("Initializing NIST RAG Agent...")
print("‚è≥ First time? This may take 5-15 minutes to download NIST documents...")
print("")

agent = NistRagAgent()

print("\n‚úÖ Agent initialized and ready!")
print("üìö Loaded 596 NIST publications with 530K+ training examples")

---

## Part 5: Your First Query üéØ
<a id="part5"></a>

Let's ask our first question! We'll use a simple question about cybersecurity.

In [None]:
# Ask a simple question
question = "What is access control?"

print(f"Question: {question}")
print("\n" + "="*60)
print("Thinking...")
print("="*60 + "\n")

# Query the agent with a session ID (helps maintain conversation context)
response = agent.query(
    question=question,
    session_id="tutorial_session"  # Use same session_id for related questions
)

# Display the answer
print("\nüìù Answer:")
print(response['answer'])

### Understanding the Response:

The `response` is a dictionary with useful information:

- **`answer`**: The main response text
- **`sources`**: Which documents were used
- **`session_id`**: Your conversation ID

Let's look at the complete response structure:

In [None]:
# Let's examine the full response structure
import json

print("üîç Full Response Structure:")
print("\nKeys available:", list(response.keys()))
print("\n" + "="*60)

# Pretty print the response (excluding the long answer)
for key, value in response.items():
    if key != 'answer':  # We already saw the answer
        print(f"\n{key}:")
        if isinstance(value, list) and len(value) > 0:
            for i, item in enumerate(value[:3], 1):  # Show first 3 sources
                print(f"  {i}. {item}")
            if len(value) > 3:
                print(f"  ... and {len(value) - 3} more")
        else:
            print(f"  {value}")

---

## Part 6: Practical Examples üíº
<a id="part6"></a>

Let's try different types of questions to see how the agent handles various scenarios.

### Example 1: Looking Up a Specific Control

In [None]:
# Control Lookup - When you know the control ID
question = "Explain control AC-2 in detail"

print(f"‚ùì Question: {question}\n")
response = agent.query(question, session_id="tutorial_session")
print(f"‚úÖ Answer:\n{response['answer']}")

**üí° What happened?**
- Agent recognized "AC-2" as a control ID
- Used the Control Lookup tool (fastest)
- Provided detailed information with enhancements

### Example 2: Conceptual Question

In [None]:
# Conceptual Question - Broader topic
question = "What are NIST's recommendations for password policies?"

print(f"‚ùì Question: {question}\n")
response = agent.query(question, session_id="tutorial_session")
print(f"‚úÖ Answer:\n{response['answer']}")

**üí° What happened?**
- Agent used RAG Search to find relevant documents
- Searched across multiple NIST publications
- Combined information from several sources

### Example 3: Latest Framework (CSF 2.0)

In [None]:
# Latest NIST Standards
question = "What's new in NIST Cybersecurity Framework 2.0?"

print(f"‚ùì Question: {question}\n")
response = agent.query(question, session_id="tutorial_session")
print(f"‚úÖ Answer:\n{response['answer']}")

**üí° What happened?**
- Agent accessed the latest CSF 2.0 documentation
- Found information about the new "Govern" function
- Explained updates and changes

### Example 4: Follow-Up Question (Context Awareness)

In [None]:
# Follow-up question - Agent remembers previous context
question = "Can you give me an example of how to implement that?"

print(f"‚ùì Question: {question}\n")
print("üí≠ Note: This refers to the previous question about CSF 2.0\n")
response = agent.query(question, session_id="tutorial_session")
print(f"‚úÖ Answer:\n{response['answer']}")

**üí° What happened?**
- Agent remembered the conversation history
- Used the same session_id to maintain context
- Understood "that" refers to the previous topic

### Example 5: Zero Trust Architecture

In [None]:
# Zero Trust - Hot topic in cybersecurity
question = "What are the core principles of Zero Trust Architecture according to NIST?"

print(f"‚ùì Question: {question}\n")
response = agent.query(question, session_id="tutorial_session")
print(f"‚úÖ Answer:\n{response['answer']}")

**üí° What happened?**
- Agent found SP 800-207 (Zero Trust Architecture)
- Extracted core principles from the document
- Provided comprehensive explanation with sources

---

## Part 7: Understanding the Results üî¨
<a id="part7"></a>

Let's create a helper function to better understand what the agent returns:

In [None]:
def analyze_response(response):
    """
    Pretty print and analyze the agent's response
    """
    print("‚ïê" * 70)
    print("üìä RESPONSE ANALYSIS")
    print("‚ïê" * 70)
    
    # 1. Answer
    print("\n1Ô∏è‚É£ ANSWER:")
    print("‚îÄ" * 70)
    print(response['answer'])
    
    # 2. Sources Used
    if 'sources' in response and response['sources']:
        print("\n2Ô∏è‚É£ SOURCES USED:")
        print("‚îÄ" * 70)
        for i, source in enumerate(response['sources'], 1):
            print(f"   {i}. {source}")
    
    # 3. Session Info
    if 'session_id' in response:
        print("\n3Ô∏è‚É£ SESSION INFO:")
        print("‚îÄ" * 70)
        print(f"   Session ID: {response['session_id']}")
        print("   (Use same session_id for follow-up questions)")
    
    # 4. Response Statistics
    print("\n4Ô∏è‚É£ STATISTICS:")
    print("‚îÄ" * 70)
    print(f"   Answer length: {len(response['answer'])} characters")
    print(f"   Number of sources: {len(response.get('sources', []))}")
    print(f"   Approximate tokens: ~{len(response['answer'].split())} words")
    
    print("\n" + "‚ïê" * 70)

# Test it with a new query
test_response = agent.query(
    "What is the purpose of audit logs?",
    session_id="analysis_demo"
)

analyze_response(test_response)

### Interpreting Citations:

NIST documents follow naming conventions:

- **SP 800-53**: Security and Privacy Controls
- **SP 800-171**: Protecting Controlled Unclassified Information
- **SP 800-37**: Risk Management Framework
- **FIPS 200**: Minimum Security Requirements
- **CSWP**: Cybersecurity White Papers
- **IR**: Interagency/Internal Reports

Control IDs are formatted as: **FAMILY-NUMBER**
- **AC-2**: Access Control family, control #2 (Account Management)
- **AU-6**: Audit and Accountability family, control #6 (Audit Review)
- **SI-4**: System and Information Integrity family, control #4 (Monitoring)

---

## Part 8: Tips and Best Practices üåü
<a id="part8"></a>

### Writing Good Questions:

#### ‚úÖ DO:

‚úîÔ∏è **Be specific**
```python
"What are NIST's password requirements in SP 800-63B?"
```

‚úîÔ∏è **Use control IDs when known**
```python
"Explain AC-2 and its enhancements"
```

‚úîÔ∏è **Use same session_id for related questions**
```python
agent.query("What is encryption?", session_id="crypto_session")
agent.query("Which algorithms does NIST recommend?", session_id="crypto_session")
```

‚úîÔ∏è **Ask for implementation guidance**
```python
"How do I implement multi-factor authentication per NIST guidelines?"
```

#### ‚ùå DON'T:

‚ùå **Too vague**
```python
"Tell me about security"  # Too broad
```

‚ùå **Multiple unrelated questions at once**
```python
"What is AC-2 and also tell me about firewalls and quantum computing?"  # Split into separate queries
```

‚ùå **Questions outside NIST scope**
```python
"What does ISO 27001 say?"  # Agent specializes in NIST
```

### Session Management:

**Use different session IDs for different topics:**

In [None]:
# Example: Separate sessions for different projects

# Project A - Access Control Implementation
response1 = agent.query(
    "What are the access control requirements?",
    session_id="project_a_access_control"
)

# Project B - Incident Response
response2 = agent.query(
    "What is NIST's incident response lifecycle?",
    session_id="project_b_incident_response"
)

# Follow-up for Project A
response3 = agent.query(
    "How do I implement the principle of least privilege?",
    session_id="project_a_access_control"  # Same session = remembers context
)

print("‚úÖ Used separate sessions for better context management")

### Performance Tips:

**1. First query is slower** (initializes tools)
   - Subsequent queries are faster
   - Keep agent instance alive for multiple queries

**2. Specific queries are faster**
   - "Explain AC-2" ‚Üí Direct control lookup
   - "Tell me about access control" ‚Üí Full RAG search

**3. Limit follow-up depth**
   - After 10-15 exchanges, start new session
   - Long histories can slow response time

### Batch Processing Multiple Questions:

In [None]:
# Example: Process a list of questions efficiently

questions_to_ask = [
    "What is AC-2?",
    "What is AU-6?",
    "What is SI-4?",
    "What is IA-2?"
]

print("Processing multiple questions...\n")

for i, question in enumerate(questions_to_ask, 1):
    print(f"\n{'='*60}")
    print(f"Question {i}/{len(questions_to_ask)}: {question}")
    print('='*60)
    
    response = agent.query(
        question,
        session_id=f"batch_query_{i}"  # Separate sessions for unrelated queries
    )
    
    # Print just the first 200 characters of each answer
    answer_preview = response['answer'][:200] + "..."
    print(f"\nAnswer: {answer_preview}\n")

print("\n‚úÖ Batch processing complete!")

---

## üéì Summary: Key Takeaways

### What You Learned:

1. **RAG = Retrieval + Augmented + Generation**
   - Searches real documents before answering
   - More accurate than regular AI
   - Always provides sources

2. **The NIST RAG Agent:**
   - Access to 596 NIST publications
   - 530,000+ training examples
   - Multiple search tools
   - Remembers conversation context

3. **How to Use It:**
   - Initialize once
   - Ask specific questions
   - Use session IDs for context
   - Check sources for verification

4. **Best Practices:**
   - Be specific in questions
   - Use control IDs when known
   - Separate sessions for different topics
   - Verify important answers with sources

### Next Steps:

1. **Try it yourself!** Use the cells above to ask your own questions
2. **Explore different NIST frameworks** (CSF 2.0, Zero Trust, 800-53)
3. **Build your own applications** using the agent
4. **Check the examples folder** for more advanced usage

### Helpful Resources:

- üìñ [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- üìñ [NIST SP 800-53 Catalog](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- üìñ [Project Documentation](README.md)
- üìñ [HuggingFace Dataset](https://huggingface.co/datasets/ethanolivertroy/nist-cybersecurity-training)

---

## üöÄ Try It Yourself!

Use the cell below to ask your own questions:

In [None]:
# YOUR TURN! Ask anything about NIST cybersecurity standards

your_question = "Your question here"
your_session_id = "my_session"  # Choose a meaningful session ID

print(f"‚ùì Your Question: {your_question}\n")
print("‚è≥ Thinking...\n")

response = agent.query(your_question, session_id=your_session_id)

# Analyze the response
analyze_response(response)

---

## üí° Suggested Questions to Try:

**For Beginners:**
- "What is the NIST Cybersecurity Framework?"
- "Explain the difference between authentication and authorization"
- "What are the main security control families in SP 800-53?"

**For Intermediate:**
- "What are the requirements for multi-factor authentication?"
- "Explain the Risk Management Framework process"
- "What is continuous monitoring according to NIST?"

**For Advanced:**
- "Compare the security controls in SP 800-53 vs SP 800-171"
- "What are the privacy controls in SP 800-53 Rev 5?"
- "How does Zero Trust Architecture integrate with the CSF?"

**For Compliance:**
- "What controls apply to cloud service providers?"
- "Explain FedRAMP baseline requirements"
- "What are the CUI protection requirements?"

---

### üéâ Congratulations!

You now understand RAG and how to use the NIST RAG Agent. Start asking questions and exploring NIST cybersecurity standards with confidence!

**Questions or Issues?**
- Check the [README.md](README.md) for detailed documentation
- Review the [examples/](examples/) folder for more code samples
- Open an issue on GitHub if you encounter problems

---

*Happy learning! üìöü§ñ*

---

## üöÄ Updated: Multi-Provider & Llama Support



This agent now supports multiple LLM providers (OpenAI, Anthropic, Google, Azure, HuggingFace, Ollama, Bedrock, Cohere, LiteLLM) and TIMA local models (Llama 3.1 70B, GPT-OSS, Qwen).



- **Provider-agnostic:** Easily switch between cloud and local models using `model_config.py` presets.
- **Llama & TIMA:** Use the new `react_agent.py` for Llama and other models that output text-based tool calls.
- **Test scripts:** See `.internal/tests/` for archived test and validation scripts.
- **Old READMEs:** Archived in `.internal/readme_archive/`.



**How to use:**

1. Set up your model provider in `model_config.py` (see `MODEL_PROVIDERS.md`).

2. For Llama/TIMA, use `react_agent.py` instead of the standard agent.
3. All test scripts are now in `.internal/tests/` for reference.

---

*Ready for production and public release!*