AGI Corp edited this page Mar 20, 2026 · 3 revisions

CMMC AI Compliance Platform

Welcome to the CMMC AI Compliance Platform wiki – an intelligent agent ecosystem for navigating the Cybersecurity Maturity Model Certification (CMMC) 2.0 landscape with speed, precision, and audit-ready transparency.

This project turns CMMC compliance into a living, machine-readable system: agents converse with OSCAL catalogs, orchestrate evidence collection, score controls, and generate SSP/POAM artifacts on demand via Model Context Protocol (MCP) and a FastAPI backend.


Mission and Problem Space

CMMC 2.0 has become a gating requirement for Defense Industrial Base (DIB) contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Traditional compliance is slow, fragmented, and spreadsheet-driven; this platform aims to:

  • Transform static controls into OSCAL-backed APIs that agents can reason over in real time.
  • Automate evidence collection and mapping from technical systems to CMMC controls.
  • Continuously compute SPRS risk scores and compliance posture, instead of one-off assessments.
  • Generate System Security Plan (SSP) and POAM artifacts directly from structured assessment data.

What This Platform Does

At its core, the CMMC repo is an AI-augmented compliance engine wired for CMMC 2.0 Levels 1 and 2, with an eye toward Level 3 extensions.

Key capabilities:

  • Control intelligence

    • OSCAL JSON catalogs for CMMC controls, split by Level 1 and Level 2.
    • API endpoints and MCP tools to list, query, and drill into individual controls by domain, level, and ID.
  • Assessment automation

    • MCP tools and HTTP APIs to submit assessment results for each control (implemented, partially implemented, not implemented).
    • Automatic calculation of SPRS score from these assessments.
  • Evidence orchestration

    • Machine-readable evidence schema for mapping log files, policies, screenshots, and system outputs to specific controls.
    • MCP tools to upload evidence metadata and associate it with controls and assessments.
  • Reporting & GRC artifacts

    • On-demand SSP generation in Markdown, built from control catalogs and assessment states.
    • POAM CSV export for unimplemented/partially implemented controls, suitable for GRC workflows.
  • Interactive dashboards

    • React + TypeScript frontend with dashboards, controls grids, upload flows, and export wizards for non-technical stakeholders.

Architecture Overview

The platform is structured as an AI-native compliance stack built around MCP, FastAPI, OSCAL schemas, and a React frontend.

High-level architecture:

  • MCP Host Layer

    • Claude Desktop / Goose Desktop act as interactive agent shells.
    • Agents invoke MCP tools to explore controls, submit assessments, and request reports.
  • FastAPI + MCP Backend

    • backend/main.py exposes both REST endpoints and an /mcp endpoint via fastapi-mcp.
    • Routers handle controls, assessments, evidence, and reporting.
  • OSCAL Schema Layer

    • JSON catalogs for CMMC controls (cmmc_oscal_catalog.json, cmmc_controls_l1.json, cmmc_controls_l2.json) live under schema/.
    • Evidence schema defines a unified representation for artifacts linked to controls.
  • Database Layer

    • db/database.py configures SQLite for development and PostgreSQL for production deployments.
  • MCP Server & Tools

    • mcp/cmmc_mcp_server.py implements the domain-specific MCP server.
    • tools/ includes logic for control lookup, evidence collection, SPRS scoring, and report generation.
  • Frontend UI

    • React 19 + TypeScript + Tailwind, with components for dashboards, controls views, evidence upload, assessment wizards, and report export.

Repository Map

This is how the repository is organized on disk.

CMMC/
  README.md
  requirements.txt
  .env.example

  schema/
    cmmc_oscal_catalog.json     # Full OSCAL catalog for Levels 1 & 2
    cmmc_controls_l1.json       # Level 1 controls (17)
    cmmc_controls_l2.json       # Level 2 controls (110)
    evidence_schema.json        # Evidence metadata schema

  backend/
    main.py                     # FastAPI + fastapi-mcp server entrypoint
    routers/
      controls.py               # Controls CRUD & lookup
      assessment.py             # Assessment scoring & status
      evidence.py               # Evidence submission & mapping
      reports.py                # SSP / POAM generation APIs
    models/
      control.py                # Pydantic models for controls
      assessment.py
      evidence.py
    db/
      database.py               # SQLite/PostgreSQL configuration

  mcp/
    mcp.json                    # MCP server configuration
    cmmc_mcp_server.py          # Custom CMMC MCP server
    tools/
      control_lookup.py         # Domain/level-based control discovery
      evidence_collector.py     # Evidence workflow helpers
      score_calculator.py       # SPRS score computation
      report_generator.py       # SSP / POAM builders

  frontend/
    package.json
    src/
      App.tsx
      components/
        Dashboard.tsx           # At-a-glance compliance posture
        ControlsGrid.tsx        # 14-domain controls grid
        EvidenceUpload.tsx      # Evidence intake & mapping UI
        AssessmentWizard.tsx    # Guided assessment flow
        ReportExport.tsx        # SSP/POAM export screens
      types/
        cmmc.ts                 # Shared TypeScript types

  docs/
    SSP_template.md             # Narrative SSP scaffold
    POAM_template.md            # POAM template
    deployment.md               # Deployment instructions

Tech Stack at a Glance

The stack is intentionally modern and agent-friendly, optimized for MCP-based automation and cloud deployment.

Layer | Technology / Tooling
MCP Host | Claude Desktop, Goose Desktop
MCP Server | fastapi-mcp (Python)
Backend | FastAPI + Uvicorn
Schema | NIST OSCAL JSON catalogs
Database | SQLite (dev) / PostgreSQL (prod)
Frontend | React 19, TypeScript, Tailwind CSS
AI Models | OpenAI GPT‑4, Claude, Ollama (local LLMs)
GRC Automation | ComplianceCow MCP integration
Repo Automation | GitHub MCP Server

Quick Start: Backend, Frontend, MCP

These steps assume a local developer environment (Python + Node.js) and will bring up both the FastAPI backend and the React frontend.

1. Backend (FastAPI + MCP)

# Clone the repo
git clone https://github.com/AGI-Corporation/CMMC.git
cd CMMC

# Install dependencies
pip install -r requirements.txt

# Configure environment
cp .env.example .env
# Edit .env with DB connection, AI keys, and other settings as needed

# Run the FastAPI + MCP server
uvicorn backend.main:app --reload

# MCP endpoint will be available at:
#   http://localhost:8000/mcp

2. Frontend (React Dashboard)

cd frontend
npm install
npm run dev

Open the printed localhost URL in your browser to access the compliance dashboard, controls grid, evidence upload, and report export flows.

3. Claude Desktop MCP Integration

Add the CMMC MCP server to claude_desktop_config.json:

{
  "mcpServers": {
    "cmmc": {
      "url": "http://localhost:8000/mcp"
    },
    "github": {
      "url": "https://api.githubcopilot.com/mcp/"
    }
  }
}

Once configured, you can ask Claude to “list CMMC Level 2 controls,” “calculate the SPRS score for my current assessments,” or “generate an SSP draft” directly from your desktop.
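
Assessment and evidence data travel over whichever URL is registered in mcpServers, so it is worth checking that block for cleartext or credential-bearing endpoints before an agent connects. The following is an added example, not code from the CMMC repository; the cmmc-staging and cmmc-token entries and the audit_mcp_servers helper are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# The page's two entries plus two constructed ones (cmmc-staging, cmmc-token).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "cmmc": {"url": "http://localhost:8000/mcp"},
    "github": {"url": "https://api.githubcopilot.com/mcp/"},
    "cmmc-staging": {"url": "http://10.0.0.5:8000/mcp"},
    "cmmc-token": {"url": "https://user:secret@grc.example.test/mcp"}
  }
}
"""

def audit_mcp_servers(config_text):
    """Return {server_name: [findings]} for every mcpServers entry."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        findings = []
        parts = urlsplit(entry.get("url", ""))
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https"):
            findings.append("unsupported or missing URL scheme")
        elif parts.scheme == "http" and host not in LOOPBACK_HOSTS:
            # Plain HTTP is acceptable only when traffic never leaves the machine.
            findings.append("cleartext HTTP to a non-loopback host")
        if parts.username or parts.password:
            # Secrets in the URL end up in config backups and proxy logs.
            findings.append("credentials embedded in URL")
        report[name] = findings
    return report

if __name__ == "__main__":
    for server, issues in audit_mcp_servers(SAMPLE_CONFIG).items():
        print(server, "->", issues or "ok")
```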


CMMC Domains and Coverage

The platform models the 14 CMMC control families with explicit counts of Level 1 and Level 2 controls.

Domain | Code | L1 Controls | L2 Controls
Access Control | AC | 2 | 22
Audit & Accountability | AU | 0 | 9
Configuration Management | CM | 0 | 9
Identification & Authentication | IA | 1 | 11
Incident Response | IR | 0 | 3
Maintenance | MA | 0 | 6
Media Protection | MP | 1 | 9
Personnel Security | PS | 0 | 2
Physical Protection | PE | 4 | 6
Risk Assessment | RA | 0 | 5
Security Assessment | CA | 0 | 4
Situational Awareness | SA | 0 | 1
System & Comms Protection | SC | 2 | 16
System & Info Integrity | SI | 5 | 7
Totals | | 17 | 110

MCP Tools for Agents

When the MCP server is running, AI agents gain access to a rich toolbox tailored for CMMC workflows.

Available tools:

  • list_controls – Enumerate controls by domain, level, or ID pattern.
  • get_control_detail – Retrieve full metadata, OSCAL fields, and narrative guidance for a control.
  • submit_assessment – Record implementation status and comments for a control.
  • upload_evidence – Attach evidence artifacts (URLs, references, descriptions) to specific controls.
  • calculate_sprs_score – Compute current SPRS score from the assessment dataset.
  • generate_ssp – Produce an SSP in Markdown, suitable for tailoring and submission.
  • generate_poam – Export a POAM CSV listing gaps and remediation plans.
  • get_compliance_dashboard – Return a structured snapshot of overall compliance posture.

These tools make CMMC an API-first problem that agents can reason about, instead of a static PDF or spreadsheet.


Example End-to-End Workflow

A typical DIB team might use the platform as follows:

  1. Initialize the environment

    • Stand up backend + frontend, connect PostgreSQL if needed, plug in AI keys.
  2. Import controls and define scope

    • Use MCP tools or the UI to focus on Level 1, Level 2, or a specific subset of domains.
  3. Run guided assessments

    • Walk through the Assessment Wizard, answering implementation questions and attaching evidence.
  4. Compute risk and posture

    • Invoke calculate_sprs_score and review dashboards for gaps by domain and control family.
  5. Generate SSP & POAM

    • Produce the SSP and POAM artifacts for auditors, then iterate as remediations close gaps.
  6. Integrate with GRC and repos

    • Leverage ComplianceCow and GitHub MCP servers to wire assessments into existing workflows and code repositories.
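
Steps 4 and 5 can be sketched as a deduction-based score plus a POAM CSV whose free-text cells are neutralised so a spreadsheet does not evaluate them as formulas. This is an added example, not the repository's score_calculator.py or report_generator.py; the control IDs, weights, records, column names and function names are constructed, and it assumes partial or missing assessments earn no credit.

```python
import csv
import io

MAX_SCORE = 110
STATUSES = {"implemented", "partially implemented", "not implemented"}
# Constructed sample IDs and weights; real per-requirement deductions (1, 3 or 5
# points) come from the DoD NIST SP 800-171 Assessment Methodology.
WEIGHTS = {"AC.L2-3.1.1": 5, "AC.L2-3.1.3": 1, "AU.L2-3.3.1": 3, "IA.L2-3.5.3": 5}

# Constructed assessment records using the three statuses the page names.
ASSESSMENTS = [
    {"control_id": "AC.L2-3.1.1", "status": "implemented", "comment": "SSO enforced"},
    {"control_id": "AC.L2-3.1.3", "status": "partially implemented",
     "comment": "+2 firewalls pending ACL review"},
    {"control_id": "AU.L2-3.3.1", "status": "implemented", "comment": "SIEM retention 1y"},
    {"control_id": "IA.L2-3.5.3", "status": "not implemented",
     "comment": "@netops owns MFA rollout"},
]

def index_assessments(assessments):
    for a in assessments:
        if a["status"] not in STATUSES:
            raise ValueError(f"unknown status for {a['control_id']}: {a['status']!r}")
    return {a["control_id"]: a for a in assessments}

def sprs_score(assessments, weights=WEIGHTS):
    """Deduct the weight of every control that is not fully implemented.
    Assumption: partial or missing assessments earn no credit (fail closed)."""
    seen = index_assessments(assessments)
    return MAX_SCORE - sum(w for cid, w in weights.items()
                           if seen.get(cid, {}).get("status") != "implemented")

def csv_safe(value):
    """Neutralise cells a spreadsheet would evaluate as a formula."""
    text = str(value)
    return "'" + text if text.startswith(("=", "+", "-", "@", "\t", "\r")) else text

def poam_csv(assessments, weights=WEIGHTS):
    """POAM rows for every gap, heaviest deduction first."""
    gaps = [a for a in index_assessments(assessments).values()
            if a["status"] != "implemented"]
    gaps.sort(key=lambda a: -weights[a["control_id"]])
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["control_id", "status", "weight", "comment"])
    for a in gaps:
        writer.writerow([csv_safe(a["control_id"]), a["status"],
                         weights[a["control_id"]], csv_safe(a["comment"])])
    return out.getvalue()
```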

Roadmap and Extensions

Planned or natural extensions of this platform include:

  • Level 3 and NIST SP 800‑172 enhancements for advanced CUI environments.
  • Deeper integrations with SIEM, ticketing, and asset inventory tools for automated evidence harvesting.
  • Additional MCP hosts and agent templates (e.g., shared “CMMC Copilot” configurations).
  • Pre-built policy libraries and control implementation patterns to accelerate remediation.

Contributions expanding any of these areas are especially valuable.


Contributing

This repository is licensed under the MIT License (AGI Corporation 2026) and welcomes contributions from security engineers, compliance officers, and agent-framework builders.

Ways to contribute:

  • Open issues for bugs, usability gaps, or compliance edge cases.
  • Add new MCP tools, frontend components, or OSCAL extensions for additional frameworks.
  • Improve documentation in docs/, especially deployment guides and real-world examples.

Before submitting a pull request, please review the existing README and follow the established patterns for routers, models, and MCP tools.


External References

For deeper background on CMMC and OSCAL, see:

  • Official CMMC site (DoD CIO).
  • NIST SP 800‑171 Rev 2 and OSCAL catalog model documentation.
  • ComplianceCow MCP and GitHub MCP server docs for broader automation patterns.