eu.ansvar/us-regulations-mcp
US compliance: HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA, EPA, FFIEC, NYDFS + 4 state privacy laws
Ask AI about eu.ansvar/us-regulations-mcp
Powered by Claude Β· Grounded in docs
I know everything about eu.ansvar/us-regulations-mcp. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
US Regulations MCP Server
Navigate US compliance from the AI age.
Query HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, FDA 21 CFR 820 (QSR/QMSR), FDA Premarket & Postmarket Cybersecurity Guidance, FD&C Act Section 524B (PATCH Act), CIRCIA, EPA RMP, FFIEC, NYDFS 500, and 4 state privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) directly from Claude, Cursor, or any MCP-compatible client.
If you're building healthcare tech, consumer apps, or financial services for the US market, this is your compliance reference.
Built by Ansvar Systems β Stockholm, Sweden
Why This Exists
US compliance is scattered across regulations.gov PDFs, eCFR.gov pages, state legislative sites, and agency guidance documents. Whether you're:
- A developer implementing HIPAA security controls or CCPA consumer rights
- A product team navigating breach notification requirements across multiple states
- A compliance officer mapping NIST controls to regulatory obligations
- A legal researcher comparing incident response timelines across federal and state laws
...you shouldn't need to navigate fragmented federal agencies, 50 state legislatures, and conflicting PDF formats. Ask Claude. Get the exact section. With context.
This MCP server makes US regulations searchable, cross-referenceable, and AI-readable.
Quick Start
Use Remotely (No Install Needed)
Connect directly to the hosted version β zero dependencies, nothing to install.
Endpoint: https://us-regulations-mcp.vercel.app/mcp
| Client | How to Connect |
|---|---|
| Claude.ai | Settings > Connectors > Add Integration > paste URL |
| Claude Code | claude mcp add us-regulations --transport http https://us-regulations-mcp.vercel.app/mcp |
| Claude Desktop | Add to config (see below) |
| GitHub Copilot | Add to VS Code settings (see below) |
Claude Desktop β add to claude_desktop_config.json:
{
"mcpServers": {
"us-regulations": {
"type": "url",
"url": "https://us-regulations-mcp.vercel.app/mcp"
}
}
}
GitHub Copilot β add to VS Code settings.json:
{
"github.copilot.chat.mcp.servers": {
"us-regulations": {
"type": "http",
"url": "https://us-regulations-mcp.vercel.app/mcp"
}
}
}
Use Locally (npm)
npx @ansvar/us-regulations-mcp
Claude Desktop β add to claude_desktop_config.json:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"us-regulations": {
"command": "npx",
"args": ["-y", "@ansvar/us-regulations-mcp"]
}
}
}
Cursor / VS Code:
{
"mcp.servers": {
"us-regulations": {
"command": "npx",
"args": ["-y", "@ansvar/us-regulations-mcp"]
}
}
}
Security & Compliance
This MCP server follows OpenSSF Best Practices for secure open source development:
-
β Automated Security Scanning
- CodeQL (semantic code analysis)
- Semgrep (SAST security rules)
- Trivy (vulnerability scanning)
- Gitleaks (secret detection)
- Socket Security (supply chain monitoring)
-
β Daily Freshness Monitoring
- Automated checks for regulation updates from official sources
- Auto-generates PRs when changes detected
-
β Secure Publishing
- npm provenance attestation (signed packages)
- MCP Registry cryptographic signing
- Azure Key Vault for secret management
-
β Security Metrics
- OpenSSF Scorecard weekly evaluation
- GitHub Security tab for vulnerability tracking
Report security issues: See SECURITY.md
Example Queries
Once connected, just ask naturally:
Healthcare & HIPAA
- "What are the HIPAA security rule requirements for access controls?"
- "Does my telemedicine app need to comply with HIPAA?"
- "What audit logs does HIPAA require for ePHI access?"
- "How long do I have to report a HIPAA breach?"
Privacy & CCPA
- "Compare breach notification timelines between HIPAA and CCPA"
- "What consumer rights does CCPA provide for data deletion?"
- "Do I need to comply with CCPA if I have 10,000 California customers?"
- "What is a 'sale' of personal information under CCPA?"
Financial & SOX
- "What IT controls does SOX Section 404 require?"
- "Which NIST 800-53 controls satisfy SOX audit requirements?"
- "How long must I retain financial records under SOX?"
- "What are the requirements for SOX internal control assessments?"
Financial Services & GLBA
- "What are the GLBA safeguards rule requirements for customer data protection?"
- "Compare encryption requirements across HIPAA, GLBA, and SOX"
Banking & FFIEC
- "What are the FFIEC guidelines for information security governance?"
- "What does FFIEC require for business continuity planning?"
- "Compare FFIEC cybersecurity requirements with NYDFS 500"
New York Financial Services & NYDFS
- "What are the NYDFS 500 requirements for multi-factor authentication?"
- "When must I notify NYDFS of a cybersecurity event?"
- "What are the penetration testing requirements under NYDFS 500?"
- "What information security program elements does GLBA require?"
State Privacy Laws - Virginia CDPA
- "What consumer rights does Virginia CDPA provide?"
- "What are the data protection assessment requirements under Virginia CDPA?"
- "Compare opt-out mechanisms between CCPA and Virginia CDPA"
State Privacy Laws - Colorado CPA
- "What is the universal opt-out mechanism under Colorado CPA?"
- "What data subject rights does Colorado CPA grant?"
- "Colorado CPA requirements for data controllers vs processors"
State Privacy Laws - Connecticut CTDPA
- "What are Connecticut CTDPA data protection assessment requirements?"
- "Compare consumer rights between CCPA and Connecticut CTDPA"
- "What sensitive data processing restrictions apply under Connecticut law?"
State Privacy Laws - Utah UCPA
- "What are Utah UCPA consumer privacy rights?"
- "Utah UCPA data controller obligations and exemptions"
- "Compare Utah UCPA with other state privacy laws"
Education & FERPA
- "What are FERPA requirements for student record access?"
- "Can I share student data with third-party analytics tools under FERPA?"
- "What parental consent is needed to disclose student directory information?"
Children's Privacy & COPPA
- "What parental consent mechanisms are acceptable under COPPA?"
- "COPPA requirements for collecting personal information from children under 13"
- "Do I need COPPA compliance for a kids' mobile app?"
Pharmaceutical & FDA
- "What are FDA 21 CFR Part 11 requirements for electronic signatures?"
- "How must clinical trial data be validated under 21 CFR Part 11?"
- "What audit trail requirements apply to electronic records in pharma?"
Medical Device Cybersecurity
- "What is required in an SBOM for FDA premarket submissions?"
- "What is a 'cyber device' under Section 524B?"
- "What threat modeling approach does FDA require for medical devices?"
Environmental & EPA
- "Which chemical facilities must submit an EPA Risk Management Plan?"
- "What accident prevention requirements does EPA RMP mandate?"
- "How often must I update my facility's EPA RMP?"
Cross-Regulation Analysis
- "Compare incident response requirements across HIPAA, CCPA, and SOX"
- "Which regulations apply to a fintech company in California?"
- "Map NIST CSF to our HIPAA and SOX obligations"
- "What are my data retention requirements across all regulations?"
What's Included
v1.2 Regulations (20 total, ~192 sections)
Healthcare & Privacy:
-
HIPAA - Health Insurance Portability and Accountability Act
- Privacy Rule (45 CFR Part 164 Subpart E)
- Security Rule (45 CFR 164 Subpart C)
- Breach Notification Rule (45 CFR 164 Subpart D)
-
CCPA/CPRA - California Consumer Privacy Act / Privacy Rights Act
- California Civil Code Β§1798.100-1798.199
- Consumer rights and business obligations
Financial Services:
-
SOX - Sarbanes-Oxley Act
- Key statute sections (Sections 101, 201, 301, 302, 404, 409, 802, 806, 906)
- SEC implementing regulations (17 CFR 229.308, 240.13a-14, 240.13a-15)
- PCAOB auditing standards (AS 2201)
- IT General Controls guidance
-
GLBA - Gramm-Leach-Bliley Act Safeguards Rule (NEW in v1.1)
- 16 CFR Part 314
- Financial institution data security requirements
Education:
- FERPA - Family Educational Rights and Privacy Act (NEW in v1.1)
- 34 CFR Part 99
- Student education records privacy
Children's Privacy:
- COPPA - Children's Online Privacy Protection Act (NEW in v1.1)
- 16 CFR Part 312
- Requirements for collecting data from children under 13
Pharmaceutical & Medical Devices:
- FDA 21 CFR Part 11 - Electronic Records and Signatures (NEW in v1.1)
- Electronic record keeping and digital signatures for FDA-regulated industries
- FDA Premarket Cybersecurity Guidance - Cybersecurity in Medical Devices (NEW)
- Secure Product Development Framework (SPDF), threat modeling, SBOM requirements
- Covers cyber device definition (Section 524B), OTS software, and premarket submission content
- FDA Postmarket Cybersecurity Guidance - Postmarket Management (NEW)
- Controlled vs. uncontrolled risk assessment, CVD, ISAO participation, SBOM maintenance
- Vulnerability monitoring, remediation timelines, and FDA reporting requirements
- FD&C Act Section 524B (PATCH Act 2022) - Statutory Cybersecurity Requirements (NEW)
- Cyber device definition, mandatory SBOM, premarket cybersecurity plans
- FDA refuse-to-accept authority for non-compliant submissions (effective March 2023)
- FDA 21 CFR Part 820 (QSR/QMSR) - Quality System Regulation (NEW)
- Design Controls (820.30), CAPA (820.90/820.100), Software Validation (820.70(i))
- QMSR amendment (effective February 2, 2026) aligns with ISO 13485:2016
Critical Infrastructure & Incident Reporting:
- CIRCIA - Cyber Incident Reporting for Critical Infrastructure Act of 2022 (NEW)
- 72-hour cyber incident reporting and 24-hour ransom payment reporting to CISA
- Applies to entities in 16 critical infrastructure sectors (healthcare, financial, IT, etc.)
- Final implementing rule expected March 2026
Environmental & Chemical Safety:
- EPA RMP - Risk Management Plan Rule (NEW in v1.1)
- 40 CFR Part 68
- Chemical facility accident prevention
Banking & Financial Institutions:
- FFIEC - IT Examination Handbook (NEW in v1.1)
- Federal Financial Institutions Examination Council guidelines
- Information security and cybersecurity for banking
State Financial Services:
- NYDFS 500 - NY DFS Cybersecurity Regulation (NEW in v1.1)
- 23 NYCRR 500
- Cybersecurity requirements for New York financial services institutions
State Privacy Laws:
-
Virginia CDPA - Consumer Data Protection Act (NEW in v1.2)
- Va. Code Ann. Β§59.1-575 to 59.1-585
- Consumer privacy rights and business obligations
-
Colorado CPA - Colorado Privacy Act (NEW in v1.2)
- C.R.S. Β§6-1-1301 to 6-1-1313
- Universal opt-out mechanism requirements
-
Connecticut CTDPA - Connecticut Data Privacy Act (NEW in v1.2)
- Conn. Gen. Stat. Β§42-515 to 42-524
- Data protection assessment requirements
-
Utah UCPA - Utah Consumer Privacy Act (NEW in v1.2)
- Utah Code Ann. Β§13-61-101 to 13-61-404
- Business-friendly privacy approach
Payment Card Industry:
- PCI DSS - Payment Card Industry Data Security Standard (cross-reference)
- See security-controls-mcp for PCI DSS v4.0 requirements
- This MCP provides PCI SSC official requirements and testing procedures
Control Framework Mappings
- NIST 800-53 - Security and Privacy Controls (Rev 5)
- NIST CSF 2.0 - Cybersecurity Framework
- ISO 27001 - Information Security Management (planned)
Roadmap
Additional regulations in development:
- State breach notification laws (50 states) - Breach reporting requirements across all US states
- FISMA - Federal Information Security Management Act - Federal agency cybersecurity
- CAN-SPAM - Email marketing regulations - Commercial email requirements
- State privacy laws - Expansion to additional states (Montana, Iowa, Indiana, Tennessee, Oregon)
Detailed coverage: docs/coverage.md
π¬ See It In Action
Why This Works
Verbatim Source Text (No LLM Processing):
- All regulatory text is ingested from official sources (eCFR.gov, California LegInfo)
- Snippets are returned unchanged from SQLite FTS5 database rows
- Zero LLM summarization or paraphrasing β the database contains regulation text, not AI interpretations
- Note: HTML-to-text conversion normalizes whitespace/formatting, but preserves content
Smart Context Management:
- Search returns 32-token snippets with highlighted matches (safe for context)
- Section retrieval warns about token usage (some sections can be large)
- Cross-references help navigate without loading everything at once
Technical Architecture:
eCFR/LegInfo HTML β Parse β SQLite β FTS5 snippet() β MCP response
β β
Formatting only Verbatim database query
Example: regulations.gov vs. This MCP
| regulations.gov / eCFR | This MCP Server |
|---|---|
| Search by CFR citation | Search by plain English: "breach notification timeline" |
| Navigate fragmented agency sites | Get the exact section with context |
| Manual cross-referencing across federal/state | compare_requirements tool does it instantly |
| "Which regulations apply to me?" β weeks of research | check_applicability tool β answer in seconds |
| Copy-paste from PDFs with formatting issues | Section + definitions + related requirements |
| Check eCFR, regulations.gov, 50 state sites | Unified search across all sources |
| No API for most sources | MCP protocol β AI-native |
regulations.gov example: Download HIPAA PDF β Ctrl+F "breach" β Read Β§164.410 β Google "What's a 'reportable breach'?" β Cross-reference CCPA β Check California site β Repeat for SOX
This MCP: "Compare breach notification requirements across HIPAA, CCPA, and SOX" β Done.
β οΈ Important Disclaimers
Legal Advice
π¨ THIS TOOL IS NOT LEGAL ADVICE π¨
This tool provides regulatory text for research and educational purposes. However:
- Control mappings (NIST 800-53, NIST CSF) are interpretive guidance, NOT official HHS, NIST, or agency crosswalks
- Applicability rules are generalizations, not legal determinations
- Cross-references are research helpers, not compliance mandates
Always verify against official sources and consult qualified legal counsel for compliance decisions.
Data Source Transparency
π Source Quality Disclosure
Tier 1 - Official API Sources (Authoritative):
- HIPAA, GLBA, FERPA, COPPA, FDA 21 CFR 11, EPA RMP β sourced from eCFR.gov official API
- CCPA/CPRA β sourced from California LegInfo official site
Tier 2 - Official State Sources (HTML Scraping):
- Virginia CDPA β sourced from law.lis.virginia.gov
- Connecticut CTDPA β sourced from cga.ct.gov
- Utah UCPA β sourced from le.utah.gov
- Colorado CPA β seed data verified against leg.colorado.gov
Tier 3 - Seed Data (Verified but Static):
- FFIEC IT Handbook β examination guidance extracted from ffiec.gov booklets
- NYDFS 500 β regulatory text from dfs.ny.gov
- SOX β statute and SEC implementing regulations
Seed data sources include official source attribution and verification dates. Users should check official sources for updates.
Control Framework Mappings: HIPAA-to-NIST and CCPA-to-NIST mappings are interpretive guidance to assist compliance research. They are NOT official agency crosswalks. Consult NIST SP 800-66 and official agency guidance for authoritative mappings.
Token Usage
β οΈ Context Window Warning
Some regulation sections can be large (e.g., HIPAA Privacy Rule sections with extensive commentary). The MCP server:
- Search tool: Returns smart snippets (safe for context)
- Get section tool: Returns full text (may consume significant tokens)
- Recommendation: Use search first, then fetch specific sections as needed
Claude Desktop has a 200k token context window. Monitor your usage when retrieving multiple large sections.
MVP Status
π Initial Release
This is a production-ready MVP with three foundational regulations (HIPAA, CCPA, SOX). The database schema and all 9 MCP tools are fully functional and thoroughly tested (100% test coverage).
Data Ingestion: Automated ingestion from official API sources (eCFR.gov, California LegInfo) is operational. Additional regulations are being added to the database.
Coming Soon: Additional federal regulations (GLBA, FERPA, FISMA) and state breach notification laws.
NIST Standards
No copyrighted NIST standards are included. Control mappings reference NIST 800-53 control IDs only (e.g., "AC-1", "SI-4"). While NIST standards are freely available from NIST, this tool helps map regulations to controls but doesn't replace reading the standards themselves.
Available Tools
The server provides 9 MCP tools:
| Tool | Description |
|---|---|
search_regulations | Full-text search across all regulations with highlighted snippets |
get_section | Retrieve full text of a specific regulation section |
list_regulations | List available regulations or get hierarchical structure |
compare_requirements | Compare topic across multiple regulations |
map_controls | Map NIST controls to regulation sections |
check_applicability | Determine which regulations apply to your sector |
get_evidence_requirements | Get compliance evidence requirements for a section |
get_compliance_action_items | Generate structured compliance action items |
Detailed tool reference: docs/tools.md
Development
Branching Strategy
This repository uses a dev integration branch. Do not push directly to main.
feature-branch β PR to dev β verify on dev β PR to main β deploy
mainis production-ready. Only receives merges fromdevvia PR.devis the integration branch. All changes land here first.- Feature branches are created from
dev.
Prerequisites
- Node.js 18 or higher
- npm or yarn
Setup
# Clone the repository
git clone https://github.com/Ansvar-Systems/US_compliance_MCP.git
cd US_compliance_MCP
# Install dependencies
npm install
# Build the database schema
npm run build:db
# Load seed data
npm run load-seed
# Build the TypeScript code
npm run build
# Run in development mode
npm run dev
Available Scripts
npm run build # Compile TypeScript to dist/
npm run dev # Run server in development mode with tsx
npm run build:db # Initialize database schema
npm run load-seed # Load seed data for testing
npm test # Run test suite with vitest (100% coverage)
npm run test:mcp # Test MCP tool integration
Project Structure
us-regulations-mcp/
βββ src/
β βββ index.ts # MCP server entry point
β βββ tools/ # MCP tool implementations
β β βββ registry.ts # Central tool registry
β β βββ search.ts # Full-text search
β β βββ section.ts # Section retrieval
β β βββ list.ts # List regulations
β β βββ compare.ts # Compare requirements
β β βββ map.ts # Control mappings
β β βββ applicability.ts # Applicability checker
β β βββ definitions.ts # Term definitions
β β βββ evidence.ts # Evidence requirements
β β βββ action-items.ts # Compliance action items
β βββ ingest/ # Ingestion framework
β βββ framework.ts # Base interfaces
β βββ adapters/ # Source-specific adapters
βββ scripts/
β βββ build-db.ts # Database schema builder
β βββ load-seed-data.ts # Seed data loader
β βββ ingest.ts # Data ingestion orchestrator
βββ data/
β βββ regulations.db # SQLite database
βββ docs/ # Documentation
Architecture Overview
Database
The server uses SQLite with FTS5 (full-text search) for efficient querying:
- regulations - Metadata for each regulation
- sections - Regulation sections with full text
- sections_fts - FTS5 index for fast full-text search
- definitions - Official term definitions
- control_mappings - NIST control to regulation mappings
- applicability_rules - Sector applicability rules
- source_registry - Data source tracking for updates
Ingestion Framework
The ingestion framework uses an adapter pattern to normalize data from multiple US regulatory sources:
- eCFR.gov API - Electronic Code of Federal Regulations (HIPAA, SOX)
- California LegInfo API - State legislation (CCPA/CPRA)
- regulations.gov API - Federal regulatory documents
- Agency-specific sources - HHS, SEC, FTC guidance
Each adapter handles source-specific pagination, authentication, and data normalization.
MCP Protocol
The server implements the Model Context Protocol specification:
- stdio transport for Claude Desktop integration
- Centralized tool registry for consistent tool definitions
- Structured error handling with informative messages
- Token-efficient responses with snippet highlighting
Related Projects: Complete Compliance Suite
This server is part of Ansvar's Compliance Suite - three MCP servers that work together for end-to-end compliance coverage:
πͺπΊ EU Regulations MCP
Query 47 EU regulations directly from Claude
- GDPR, AI Act, DORA, NIS2, MiFID II, PSD2, eIDAS, MDR, and 39 more
- Full regulatory text with article-level search
- Cross-regulation reference and comparison
- Install:
npx @ansvar/eu-regulations-mcp
πΊπΈ US Regulations MCP (This Project)
Query US federal and state compliance laws directly from Claude
- HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA QSR, CIRCIA, and 12 more
- Federal and state privacy law comparison
- Breach notification timeline mapping
- Install:
npm install @ansvar/us-regulations-mcp
π Security Controls MCP
Query 1,451 security controls across 28 frameworks
- ISO 27001, NIST CSF, DORA, PCI DSS, SOC 2, CMMC, FedRAMP, and 21 more
- Bidirectional framework mapping and gap analysis
- Import your purchased standards for official text
- Install:
pipx install security-controls-mcp
How They Work Together
Regulations β Controls Implementation Workflow:
1. "What are HIPAA's security safeguard requirements?"
β US Regulations MCP returns 45 CFR Β§ 164.306 full text
2. "What security controls satisfy HIPAA Β§164.306?"
β Security Controls MCP maps to NIST 800-53, ISO 27001, and SCF controls
3. "Show me NIST 800-53 AC-1 implementation details"
β Security Controls MCP returns control requirements and framework mappings
Complete compliance in one chat:
- EU/US Regulations MCPs tell you WHAT compliance requirements you must meet
- Security Controls MCP tells you HOW to implement controls that satisfy those requirements
About Ansvar Systems
We build AI-accelerated threat modeling and compliance tools for automotive, financial services, and healthcare. This MCP server started as our internal reference tool for US regulations β turns out everyone building for US markets has the same compliance research frustrations.
So we're open-sourcing it. Navigating federal and state regulations shouldn't require a legal team.
ansvar.eu β Stockholm, Sweden
More Open Source from Ansvar
We maintain a family of MCP servers for compliance and security professionals:
| Server | Description | Install |
|---|---|---|
| EU Regulations | 47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...) | npx @ansvar/eu-regulations-mcp |
| Security Controls | 1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...) | pipx install security-controls-mcp |
| OT Security | IEC 62443, NIST 800-82, MITRE ATT&CK for ICS | npx @ansvar/ot-security-mcp |
| Automotive | UNECE R155/R156, ISO 21434 for automotive cybersecurity | npx @ansvar/automotive-cybersecurity-mcp |
| Sanctions | Offline sanctions screening with OpenSanctions (30+ lists) | pip install ansvar-sanctions-mcp |
Browse all projects: ansvar.eu/open-source
Documentation
- Coverage Details β All regulations with section counts
- Available Tools β Detailed tool descriptions with examples
- Development Status β Current implementation status
- Privacy Policy β Data handling and retention notes
Directory Review Notes
Testing Account and Sample Data
This server is read-only and does not require a login account for functional review. For directory review, use the bundled dataset and these sample prompts:
- "What are HIPAA access control requirements?"
- "Compare HIPAA and CCPA breach notification timelines."
- "List regulations applicable to healthcare providers."
Remote Authentication (OAuth 2.0)
The default server runtime is read-only and can be deployed without authentication. If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.
Troubleshooting
- If startup fails, verify
US_COMPLIANCE_DB_PATHpoints to a readable SQLite file. - If HTTP tool calls fail, confirm
/mcpPOST routing andmcp-session-idheader forwarding. - If results are empty, call
list_regulationsfirst to verify dataset initialization.
Contributing
Contributions are welcome! Please read our Contributing Guide for details on:
- Development setup
- Pull request process
- Commit message conventions
- Code style guidelines
By participating in this project, you agree to abide by our Code of Conduct.
Support
For issues, questions, or feature requests:
- Open a GitHub issue
- Email: hello@ansvar.eu
Acknowledgments
- Regulatory data from official US government sources (eCFR.gov, California LegInfo)
- Uses the Model Context Protocol by Anthropic
- Inspired by the EU Regulations MCP architecture
License
Apache License 2.0. See LICENSE for details.
Built with care in Stockholm, Sweden