framework-mcp

Vendor Framework Analyzer MCP Server

A Model Context Protocol (MCP) server that determines vendor tool capability roles (Full Implementation, Partial Implementation, Facilitates, Governance, Validates) against the CIS Controls Framework. This tool helps security professionals accurately categorize vendor capabilities for specific CIS Control safeguards through comprehensive content-based analysis.

🎯 Purpose

This MCP server enables security teams to:

• Determine vendor tool capability roles for specific CIS Control safeguards (1.1, 5.1, 6.3, etc.)
• Validate implementation capability claims through comprehensive content analysis
• Accurately categorize vendor roles across 5 capability types: Full, Partial, Facilitates, Governance, and Validates
• Generate evidence-based assessments showing capability alignment and confidence scores

🎯 The 5 Capability Roles

Capability Role	Description	Assessment Approach
FULL	Complete implementation of safeguard requirements	Comprehensive content analysis for complete coverage
PARTIAL	Limited scope implementation with clear boundaries	Content analysis identifies explicit scope limitations
FACILITATES	Enhancement capabilities that enable others to implement safeguards better/faster/stronger	Analysis identifies facilitation language and indirect support
GOVERNANCE	Policy/process management and oversight capabilities	Analysis identifies policy, process, and oversight elements
VALIDATES	Verification capabilities providing evidence and reporting	Analysis identifies audit, monitoring, and reporting capabilities

🎨 CIS Controls Framework Integration

The server uses the CIS Controls visual framework with color-coded categorization:

• 🟠 Orange Elements: Governance requirements that MUST be met
• 🟢 Green Elements: Core "what" of the safeguard
• 🟡 Yellow Elements: Sub-taxonomical components
• ⚫ Gray Elements: Implementation suggestions and methods

🚀 Installation & Deployment

Prerequisites

• Node.js 18+
• Claude Code CLI tool (for MCP usage)
• Microsoft Copilot Studio (for custom connector usage)

Install from npm

npm install -g framework-mcp

Update to Latest Version

npm update -g framework-mcp

Or reinstall to get the latest version:

npm uninstall -g framework-mcp
npm install -g framework-mcp

Install from source

git clone https://github.com/therealcybermattlee/FrameworkMCP.git
cd FrameworkMCP
npm install
npm run build

Cloud Deployment Options

Option 1: DigitalOcean App Services

# Deploy using the included configuration
doctl apps create .do/app.yaml

Option 2: Railway

railway login
railway up

Option 3: Render

Connect your GitHub repository and use:

• Build Command: npm install && npm run build
• Start Command: npm run start:http
• Port: 8080

Option 4: Microsoft Copilot Custom Connector

Deploy to any cloud platform and use the included swagger.json for Copilot integration.

⚙️ Configuration

Claude Code MCP Integration

Add to your MCP configuration file (~/.config/claude-code/mcp.json):

{
  "mcpServers": {
    "framework-analyzer": {
      "command": "node",
      "args": ["/path/to/FrameworkMCP/dist/index.js"],
      "env": {}
    }
  }
}

Microsoft Copilot Custom Connector Setup

Step 1: Deploy HTTP API

Deploy the Framework MCP HTTP API to any cloud platform (DigitalOcean, Railway, Render, etc.)

Step 2: Create Custom Connector in Copilot Studio

• Open Microsoft Copilot Studio
• Navigate to Data → Custom connectors
• Click + New custom connector → Import from OpenAPI file
• Upload the swagger.json file from this repository
• Update the Host field to your deployed API URL
• Save and test the connector

Step 3: Configure Connection

• Create a new connection using your custom connector
• No authentication required (public API)
• Test with the /health endpoint to verify connectivity

Step 4: Create Copilot Actions

In your Copilot, create actions for capability assessment:

Primary Action - Validate Vendor Capability:

Action: Validate Vendor Mapping
Description: Validate vendor capability claims against CIS Controls through content analysis
Connector: Framework MCP Custom Connector
Operation: validateVendorMapping
Parameters:
- vendor_name: {User provided vendor name}
- safeguard_id: {CIS safeguard ID like "1.1"}  
- claimed_capability: {full|partial|facilitates|governance|validates}
- supporting_text: {Vendor response text}

Secondary Action - Analyze Response:

Action: Analyze Vendor Response
Description: Determine appropriate capability role for vendor response
Connector: Framework MCP Custom Connector
Operation: analyzeVendorResponse
Parameters:
- vendor_name: {User provided vendor name}
- safeguard_id: {CIS safeguard ID}
- response_text: {Vendor response to analyze}

Step 5: Example Copilot Prompts

Once configured, users can interact with your Copilot:

"Validate this vendor capability: CrowdStrike Falcon claims FULL coverage for safeguard 1.1 with this response: 'Our platform provides comprehensive enterprise asset inventory with real-time discovery, automated classification, and continuous monitoring of all hardware and software assets.'"

"Analyze this vendor response for safeguard 5.1: Microsoft Entra ID - 'We provide centralized identity management with automated user provisioning, role-based access controls, and integration with all major business applications.'"

"What are the requirements for CIS safeguard 6.3?"

Verify Installation

# For MCP usage
claude-code "List available CIS Control safeguards"

# For HTTP API usage  
curl https://your-api-url.com/health

# For Copilot testing
curl -X POST https://your-api-url.com/api/validate-vendor-mapping \
  -H "Content-Type: application/json" \
  -d '{"vendor_name":"Test Vendor","safeguard_id":"1.1","claimed_capability":"facilitates","supporting_text":"We provide supplemental asset tracking capabilities that enhance existing inventory systems."}'

📋 Usage Examples

Analyze Single Vendor Response

claude-code "Determine the capability role for this vendor response to safeguard 5.1:
Vendor: SecureIAM Corp
Response: 'Our tool is a full identity provider with comprehensive account management. We maintain detailed user inventories including names, usernames, departments, and access rights. Automated quarterly reviews ensure all accounts are authorized and compliant.'"

Validate Implementation Capability Claims

claude-code "Validate this implementation capability claim:
Vendor: ComplianceBot
Safeguard: 5.1  
Claimed Capability: FULL
Response: 'We provide automated account lifecycle management with real-time inventory tracking and compliance reporting.'"

Analyze Multiple Vendors from File

Create vendors.csv:

vendor,safeguard,response
VendorA,5.1,"Complete IAM solution with policy management and quarterly reviews"
VendorB,5.1,"Basic user directory with manual account tracking"
VendorC,6.3,"MFA enforcement for all external applications with SSO integration"

claude-code "Determine capability roles for the vendor responses in vendors.csv and provide recommendations"

Get Safeguard Details

claude-code "Show me the detailed breakdown of safeguard 5.1 including all sub-elements"

Validate Vendor Capability Claims

PRIMARY TOOL: Validate whether a vendor's stated capability mapping is actually supported by their explanatory text.

claude-code "Use validate_vendor_mapping with vendor_name 'SecureAssets Corp', safeguard_id '1.1', claimed_capability 'full', and supporting_text 'Our comprehensive asset management platform performs automated discovery of all enterprise devices, maintains detailed hardware and software inventories, tracks ownership and location data, provides real-time asset status monitoring, and includes documented inventory procedures with bi-annual review capabilities.'"

📊 Sample Output

Standard Capability Role Analysis Output

{
  "vendor": "SecureIAM Corp",
  "safeguardId": "5.1",
  "safeguardTitle": "Establish and Maintain an Inventory of Accounts",
  "capabilityRole": "full",
  "additionalRoles": ["governance", "validates"],
  "confidence": 87,
  "contentAnalysis": {
    "implementationLanguage": "strong",
    "scopeDefinition": "comprehensive",
    "evidenceQuality": "high"
  },
  "evidenceAnalysis": {
    "coreRequirements": 85,
    "subElements": 75,
    "governance": 90,
    "languageConsistency": 88
  },
  "evidence": [
    "comprehensive account management",
    "detailed user inventories",
    "automated quarterly reviews"
  ]
}

Primary Validation Tool Output (validate_vendor_mapping)

{
  "vendor": "SecureAssets Corp",
  "safeguard_id": "1.1",
  "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
  "claimed_capability": "full",
  "validation_status": "SUPPORTED",
  "confidence_score": 85,
  "evidence_analysis": {
    "core_requirements_coverage": 100,
    "sub_elements_coverage": 47,
    "governance_alignment": 80,
    "language_consistency": 90
  },
  "content_validation": {
    "implementation_depth": "comprehensive",
    "scope_clarity": "well_defined",
    "evidence_strength": "strong",
    "capability_aligned": true
  },
  "gaps_identified": [],
  "strengths_identified": [
    "High coverage of core requirements and sub-elements",
    "Strong implementation language consistency",
    "Comprehensive coverage with clear implementation details"
  ],
  "recommendations": [],
  "detailed_feedback": "Validation of FULL capability claim: SUPPORTED (85% alignment)\n\nSTRENGTHS:\n• High coverage of core requirements and sub-elements\n• Strong implementation language consistency\n• Comprehensive coverage with clear implementation details\n\nASSESSMENT: The vendor's supporting evidence strongly aligns with their claimed capability."
}

Insufficient Evidence Example Output

{
  "vendor": "BasicTracker Pro",
  "safeguard_id": "1.1", 
  "safeguard_title": "Establish and Maintain a Detailed Enterprise Asset Inventory",
  "claimed_capability": "full",
  "validation_status": "UNSUPPORTED",
  "confidence_score": 35,
  "evidence_analysis": {
    "core_requirements_coverage": 40,
    "sub_elements_coverage": 15,
    "governance_alignment": 25,
    "language_consistency": 60
  },
  "content_validation": {
    "implementation_depth": "limited",
    "scope_clarity": "vague",
    "evidence_strength": "weak",
    "capability_aligned": false
  },
  "gaps_identified": [
    "Insufficient detail on asset tracking capabilities",
    "Missing governance and review processes",
    "Limited coverage of sub-elements"
  ],
  "strengths_identified": [
    "Basic asset visibility mentioned"
  ],
  "recommendations": [
    "Provide more detailed implementation specifics",
    "Consider repositioning as FACILITATES capability based on limited scope"
  ],
  "detailed_feedback": "Validation of FULL capability claim: UNSUPPORTED (35% alignment)\n\nGAPS IDENTIFIED:\n• Insufficient detail on asset tracking capabilities\n• Missing governance and review processes\n• Limited coverage of sub-elements\n\nASSESSMENT: The vendor's supporting evidence does not adequately support their FULL capability claim. Consider FACILITATES role instead."
}

🔧 Available Tools

Tool	Description
validate_vendor_mapping	PRIMARY Validate vendor's claimed capability role against supporting evidence through content analysis
analyze_vendor_response	Determine vendor tool capability role for specific safeguard
get_safeguard_details	Get detailed safeguard breakdown
list_available_safeguards	List all available CIS safeguards

📁 File Formats Supported

JSON Format

[
  {
    "name": "VendorName",
    "safeguard_id": "5.1",
    "response": "Vendor response text..."
  }
]

CSV Format

vendor,safeguard,response
VendorName,5.1,"Response text..."

Text Format

Vendor: VendorName - Safeguard: 5.1
Response text here...

Vendor: AnotherVendor - Safeguard: 6.3
Another response...

🆕 Vendor Mapping Validation

The validate_vendor_mapping tool provides evidence-based validation of vendor capability claims. This addresses a critical need: vendors often self-assess their capabilities, but practitioners need to verify whether the supporting evidence actually justifies the claimed mapping.

Validation Criteria

Capability	Requirements	Validation Thresholds
FULL	Complete implementation within scope	≥70% core requirements + ≥40% sub-elements
PARTIAL	Limited scope with clear boundaries	≥30% core requirements OR some core + ≥20% sub-elements
FACILITATES	Enables/enhances implementation	Facilitation language present, no direct implementation claims
GOVERNANCE	Policy/process management	≥60% governance elements + policy language
VALIDATES	Evidence collection & reporting	Audit/monitoring/reporting capabilities present

Content-Based Validation Approach

APPROACH: The validation tool uses comprehensive content analysis to assess capability claims:

Analysis Dimension	Description	Assessment Focus
Core Requirements Coverage	Alignment with primary safeguard elements	Direct implementation language and specific capabilities
Sub-Elements Coverage	Support for detailed safeguard components	Breadth of coverage across safeguard sub-requirements
Governance Alignment	Policy/process management elements	Governance language and oversight capabilities
Implementation Depth	Specificity and detail of implementation	Technical depth and implementation specifics
Language Consistency	Alignment between claim and evidence	Consistency between stated capability and supporting text

Content Analysis Logic: Evidence is evaluated across multiple dimensions:

• Strong Evidence: Detailed implementation specifics with comprehensive coverage
• Moderate Evidence: Good coverage with some gaps or general language
• Weak Evidence: Limited specifics or scope, vague implementation details

Validation Statuses

• SUPPORTED (70-100%): Evidence strongly supports the claimed capability
• QUESTIONABLE (40-69%): Evidence partially supports but has notable gaps or inconsistencies
• UNSUPPORTED (0-39%): Evidence does not adequately support the claim

Usage Examples

# Validate a FULL coverage claim with strong evidence
claude-code "Use validate_vendor_mapping for vendor 'AssetMax Pro', safeguard '1.1', claimed capability 'full', with supporting text: 'Our platform provides comprehensive automated discovery, detailed inventory management, and complete asset lifecycle tracking for all enterprise devices including servers, workstations, and network equipment.'"

# Validate a FACILITATES claim  
claude-code "Use validate_vendor_mapping for vendor 'ThreatIntel Feed', safeguard '1.1', claimed capability 'facilitates', with supporting text: 'Our threat intelligence service provides supplemental risk data that enriches existing asset management systems, enabling organizations to prioritize asset security based on threat exposure.'"

# Partial capability claim with clear scope limitations
claude-code "Use validate_vendor_mapping for vendor 'NetworkScanner Pro', safeguard '1.1', claimed capability 'partial', with supporting text: 'Our scanner provides comprehensive network device discovery and maintains detailed hardware inventories, but is limited to network-accessible devices and does not track software installations or offline systems.'"

# Insufficient evidence example
claude-code "Use validate_vendor_mapping for vendor 'BasicTracker', safeguard '1.1', claimed capability 'full', with supporting text: 'We help track computers and provide some visibility into your IT environment.'"

🎯 CIS Controls Coverage

Complete CIS Controls v8.1 Framework Implementation

• 153 total safeguards across all 18 controls
• Full framework coverage from Controls 1-18
• Comprehensive vendor analysis capability for all CIS safeguards

Current Version Highlights

• ✅ All 18 Controls implemented (Enterprise Assets through Penetration Testing)
• ✅ Color-coded element categorization (Orange/Green/Yellow/Gray)
• ✅ Enhanced capability detection (Governance, Facilitates, Coverage, Validates)
• ✅ Production-ready vendor analysis for complete compliance assessments

🛠️ Development

Build from Source

git clone https://github.com/therealcybermattlee/FrameworkMCP.git
cd FrameworkMCP
npm install
npm run build

Add New Safeguards

Edit src/core/safeguard-manager.ts and add to the initializeSafeguards() method:

"X.Y": {
  id: "X.Y",
  title: "Safeguard Title",
  description: "Description...",
  implementationGroup: "IG1",
  governanceElements: [...],    // Orange - MUST be met
  coreRequirements: [...],      // Green - The "what"
  subTaxonomicalElements: [...], // Yellow - Sub-elements
  implementationSuggestions: [...], // Gray - Suggestions
  // ...
}

Testing

npm test

🤝 Contributing

• Fork the repository
• Create a feature branch (git checkout -b feature/amazing-feature)
• Commit your changes (git commit -m 'Add amazing feature')
• Push to the branch (git push origin feature/amazing-feature)
• Open a Pull Request

Guidelines

• Follow the existing code style
• Add tests for new features
• Update documentation
• Ensure all tests pass

📖 Documentation

• Installation Guide
• API Reference
• CIS Safeguards Reference
• Example Usage
• Microsoft Copilot Integration Guide - Complete setup guide for custom connectors
• Deployment Guide - Cloud deployment instructions
• OpenAPI Specification - Complete API schema for integrations

🐛 Troubleshooting

Common Issues

Permission denied:

chmod +x dist/index.js

Module not found:

npm install
npm run build

MCP server not connecting:

• Check Claude Code MCP configuration
• Verify file paths are absolute
• Ensure Node.js version compatibility

📄 License

This project is licensed under the Creative Commons Attribution 4.0 International License by Cyber RISE, Inc - see the LICENSE file for details.

You are free to:

• Share — copy and redistribute the material in any medium or format
• Adapt — remix, transform, and build upon the material for any purpose, even commercially

Under the following terms:

• Attribution — You must give appropriate credit to Cyber RISE, Inc, provide a link to the license, and indicate if changes were made

🙏 Acknowledgments

• Center for Internet Security (CIS) for the CIS Controls Framework
• Pax8 and community contributors for the CIS Controls visualizations
• Anthropic for the Model Context Protocol and Claude Code

📞 Support

• 📧 Issues: GitHub Issues
• 📖 Documentation: Project Wiki
• 💬 Discussions: GitHub Discussions
• 🐦 Updates: Follow @cybermattlee for project updates

Built with ❤️ for the cybersecurity community by Matt Lee