US Regulations MCP Server

Navigate US compliance from the AI age.

Query 50 US regulations — HIPAA, HITECH, CCPA, SOX, GLBA, FERPA, COPPA, FFIEC, NYDFS 500, EPA RMP, CIRCIA, CISA BODs/EDs, FISMA, Dodd-Frank, SEC Cybersecurity Disclosure, FedRAMP, CMMC 2.0, BSA/AML, FAR/DFARS Cyber, ITAR, EAR, CFPB (Reg B / FDCPA / Reg Z), the full FDA medical device cybersecurity stack (21 CFR Part 11, 820 QSR/QMSR, §524B, Premarket, Postmarket, CSA, GPSV, OTS, SaMD, SBOM), and 18 state privacy laws (California, Virginia, Colorado, Connecticut, Utah, Montana, Texas, Oregon, Iowa, Nebraska, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Rhode Island, Indiana) — directly from Claude, Cursor, or any MCP-compatible client.

If you're building healthcare tech, consumer apps, or financial services for the US market, this is your compliance reference.

Built by Ansvar Systems — Stockholm, Sweden

---

Why This Exists

US compliance is scattered across regulations.gov PDFs, eCFR.gov pages, state legislative sites, and agency guidance documents. Whether you're:

• A developer implementing HIPAA security controls or CCPA consumer rights
• A product team navigating breach notification requirements across multiple states
• A compliance officer mapping NIST controls to regulatory obligations
• A legal researcher comparing incident response timelines across federal and state laws

...you shouldn't need to navigate fragmented federal agencies, 50 state legislatures, and conflicting PDF formats. Ask Claude. Get the exact section. With context.

This MCP server makes US regulations searchable, cross-referenceable, and AI-readable.

---

Quick Start

Use Remotely (No Install Needed)

Connect directly to the hosted version — zero dependencies, nothing to install.

Endpoint: https://mcp.ansvar.eu/us-regulations/mcp

Client	How to Connect
Claude.ai	Settings > Connectors > Add Integration > paste URL
Claude Code	claude mcp add us-regulations --transport http https://mcp.ansvar.eu/us-regulations/mcp
Claude Desktop	Add to config (see below)
GitHub Copilot	Add to VS Code settings (see below)

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "us-regulations": {
      "type": "url",
      "url": "https://mcp.ansvar.eu/us-regulations/mcp"
    }
  }
}

GitHub Copilot — add to VS Code settings.json:

{
  "github.copilot.chat.mcp.servers": {
    "us-regulations": {
      "type": "http",
      "url": "https://mcp.ansvar.eu/us-regulations/mcp"
    }
  }
}

Use Locally (npm)

npx @ansvar/us-regulations-mcp

Claude Desktop — add to claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "us-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/us-regulations-mcp"]
    }
  }
}

Cursor / VS Code:

{
  "mcp.servers": {
    "us-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/us-regulations-mcp"]
    }
  }
}

Security & Compliance

This MCP server follows OpenSSF Best Practices for secure open source development:

• ✅ Automated Security Scanning

  • CodeQL (semantic code analysis)
  • Semgrep (SAST security rules)
  • Trivy (vulnerability scanning)
  • Gitleaks (secret detection)
  • Socket Security (supply chain monitoring)

• ✅ Daily Freshness Monitoring

  • Automated checks for regulation updates from official sources
  • Auto-generates PRs when changes detected

• ✅ Secure Publishing

  • npm provenance attestation (signed packages)
  • MCP Registry cryptographic signing
  • Azure Key Vault for secret management

• ✅ Security Metrics

  • OpenSSF Scorecard weekly evaluation
  • GitHub Security tab for vulnerability tracking

Report security issues: See SECURITY.md

---

Example Queries

Once connected, just ask naturally:

Healthcare & HIPAA

• "What are the HIPAA security rule requirements for access controls?"
• "Does my telemedicine app need to comply with HIPAA?"
• "What audit logs does HIPAA require for ePHI access?"
• "How long do I have to report a HIPAA breach?"

Privacy & CCPA

• "Compare breach notification timelines between HIPAA and CCPA"
• "What consumer rights does CCPA provide for data deletion?"
• "Do I need to comply with CCPA if I have 10,000 California customers?"
• "What is a 'sale' of personal information under CCPA?"

Financial & SOX

• "What IT controls does SOX Section 404 require?"
• "Which NIST 800-53 controls satisfy SOX audit requirements?"
• "How long must I retain financial records under SOX?"
• "What are the requirements for SOX internal control assessments?"

Financial Services & GLBA

• "What are the GLBA safeguards rule requirements for customer data protection?"
• "Compare encryption requirements across HIPAA, GLBA, and SOX"

Banking & FFIEC

• "What are the FFIEC guidelines for information security governance?"
• "What does FFIEC require for business continuity planning?"
• "Compare FFIEC cybersecurity requirements with NYDFS 500"

New York Financial Services & NYDFS

• "What are the NYDFS 500 requirements for multi-factor authentication?"
• "When must I notify NYDFS of a cybersecurity event?"
• "What are the penetration testing requirements under NYDFS 500?"
• "What information security program elements does GLBA require?"

State Privacy Laws - Virginia CDPA

• "What consumer rights does Virginia CDPA provide?"
• "What are the data protection assessment requirements under Virginia CDPA?"
• "Compare opt-out mechanisms between CCPA and Virginia CDPA"

State Privacy Laws - Colorado CPA

• "What is the universal opt-out mechanism under Colorado CPA?"
• "What data subject rights does Colorado CPA grant?"
• "Colorado CPA requirements for data controllers vs processors"

State Privacy Laws - Connecticut CTDPA

• "What are Connecticut CTDPA data protection assessment requirements?"
• "Compare consumer rights between CCPA and Connecticut CTDPA"
• "What sensitive data processing restrictions apply under Connecticut law?"

State Privacy Laws - Utah UCPA

• "What are Utah UCPA consumer privacy rights?"
• "Utah UCPA data controller obligations and exemptions"
• "Compare Utah UCPA with other state privacy laws"

Education & FERPA

• "What are FERPA requirements for student record access?"
• "Can I share student data with third-party analytics tools under FERPA?"
• "What parental consent is needed to disclose student directory information?"

Children's Privacy & COPPA

• "What parental consent mechanisms are acceptable under COPPA?"
• "COPPA requirements for collecting personal information from children under 13"
• "Do I need COPPA compliance for a kids' mobile app?"

Pharmaceutical & FDA

• "What are FDA 21 CFR Part 11 requirements for electronic signatures?"
• "How must clinical trial data be validated under 21 CFR Part 11?"
• "What audit trail requirements apply to electronic records in pharma?"

Medical Device Cybersecurity

• "What is required in an SBOM for FDA premarket submissions?"
• "What is a 'cyber device' under Section 524B?"
• "What threat modeling approach does FDA require for medical devices?"

Environmental & EPA

• "Which chemical facilities must submit an EPA Risk Management Plan?"
• "What accident prevention requirements does EPA RMP mandate?"
• "How often must I update my facility's EPA RMP?"

Cross-Regulation Analysis

• "Compare incident response requirements across HIPAA, CCPA, and SOX"
• "Which regulations apply to a fintech company in California?"
• "Map NIST CSF to our HIPAA and SOX obligations"
• "What are my data retention requirements across all regulations?"

---

What's Included

v2.0.0 Regulations (50 total, 2,079 sections, 135 definitions)

Healthcare & Privacy:

• HIPAA — Health Insurance Portability and Accountability Act (45 CFR Parts 160, 162, 164)
  • Privacy, Security, and Breach Notification Rules
• HITECH — Health Information Technology for Economic and Clinical Health Act (42 U.S.C. §§ 17921-17954)

Financial Services:

• SOX — Sarbanes-Oxley Act (15 U.S.C. §§ 7201-7266) — statute sections, SEC implementing regs, PCAOB AS 2201, ITGC guidance
• GLBA — Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314)
• FFIEC — FFIEC IT Examination Handbook
• NYDFS 500 — NY DFS Cybersecurity Regulation (23 NYCRR 500)
• BSA/AML — Bank Secrecy Act / Anti-Money Laundering (31 CFR Chapter X — 8 parts)
• CFPB_REGS — CFPB Implementing Regulations: Reg B (12 CFR 1002), FDCPA (12 CFR 1006), Reg Z (12 CFR 1026)
• Dodd-Frank — Dodd-Frank Wall Street Reform Act (Pub.L. 111-203, Titles I, II, VI, VII, X — FSOC, Orderly Liquidation, Volcker Rule, Derivatives, CFPB)
• SEC Cyber — SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (17 CFR 229.106, 240 Item 1.05)

Federal Security & Critical Infrastructure:

• FISMA — Federal Information Security Modernization Act (44 U.S.C. Chapter 35 §§ 3551-3559)
• FedRAMP — Federal Risk and Authorization Management Program (GSA/OMB authorization process and continuous monitoring)
• CMMC 2.0 — Cybersecurity Maturity Model Certification (32 CFR Part 170) — defense industrial base
• FAR Cyber — Federal Acquisition Regulation Cybersecurity Clauses (48 CFR 252.204)
• DFARS Cyber — Defense FAR Supplement (48 CFR 252.204-7012, 7019-7021)
• CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act of 2022 (6 USC §§ 681-681g) — 72h cyber incident / 24h ransomware reporting
• CISA BODs/EDs — CISA Binding Operational Directives and Emergency Directives (44 U.S.C. § 3553(b)) — BOD 22-01, 23-01, 23-02, 25-01; ED 24-01, 24-02
• CISA SBOM — Minimum Elements for a Software Bill of Materials

Export Controls:

• ITAR — International Traffic in Arms Regulations (22 CFR Parts 120-130)
• EAR — Export Administration Regulations (15 CFR Parts 730-774)

Education & Children's Privacy:

• FERPA — Family Educational Rights and Privacy Act (34 CFR Part 99)
• COPPA — Children's Online Privacy Protection Act (16 CFR Part 312)

Medical Device Cybersecurity & Quality (FDA CDRH):

• FDA 21 CFR Part 11 — Electronic Records and Electronic Signatures
• FDA 21 CFR Part 820 — Quality System Regulation (QSR/QMSR — ISO 13485:2016 aligned, effective 2026-02-02)
• FD&C Act Section 524B (PATCH Act) — Statutory Cybersecurity Requirements (21 USC 360n-2)
• FDA Premarket Cybersecurity Guidance — SPDF, threat modeling, SBOM for premarket submissions
• FDA Postmarket Cybersecurity Guidance — Controlled vs. uncontrolled risk, CVD, ISAO, vulnerability monitoring
• FDA CSA — Computer Software Assurance for Production and Quality System Software
• FDA GPSV — General Principles of Software Validation
• FDA OTS — Off-The-Shelf Software Use in Medical Devices
• FDA SaMD — Software as a Medical Device Framework

Environmental & Chemical Safety:

• EPA RMP — Risk Management Plan Rule (40 CFR Part 68)

State Privacy Laws (18 states):

• California CCPA/CPRA — Cal. Civ. Code §§ 1798.100-1798.199
• Virginia CDPA — Va. Code Ann. §§ 59.1-575 to 59.1-585 (effective 2023-01-01)
• Colorado CPA — C.R.S. §§ 6-1-1301 to 6-1-1313 (effective 2023-07-01)
• Connecticut CTDPA — Conn. Gen. Stat. §§ 42-515 to 42-523 (effective 2023-07-01)
• Utah UCPA — Utah Code §§ 13-61-101 to 13-61-404 (effective 2023-12-31)
• Texas TDPSA — Tex. Bus. & Com. Code Ch. 541 (effective 2024-07-01)
• Oregon OCPA — ORS 646A.570-604 (effective 2024-07-01, nonprofits covered from 2025-07-01)
• Montana MTCDPA — MCA §§ 30-14-2801 to 30-14-2818 (effective 2024-10-01)
• Delaware DPDPA — Del. Code tit. 6 Ch. 12D (effective 2025-01-01)
• Iowa ICDPA — Iowa Code Ch. 715D (effective 2025-01-01)
• Nebraska NEDPA (LB 1074) — Neb. Rev. Stat. §§ 87-1101 to 87-1130 (effective 2025-01-01)
• New Hampshire NHPA (SB 255) — RSA 507-H (effective 2025-01-01)
• New Jersey NJDPA — N.J.S.A. 56:8-166.4 et seq. (effective 2025-01-15)
• Tennessee TIPA — Tenn. Code Ann. §§ 47-18-3201 to -3213 (effective 2025-07-01, with NIST Privacy Framework safe harbor)
• Minnesota MCDPA — Minn. Stat. Ch. 325O (effective 2025-07-31)
• Maryland MODPA — Md. Comm. Law §§ 14-4601 to 14-4615 (effective 2025-10-01 — strictest data minimization in the country)
• Rhode Island RIDPA — R.I. Gen. Laws Ch. 6-48.1 (effective 2026-01-01 — requires public disclosure of all third parties receiving personal data)
• Indiana INCDPA — IC 24-15 (effective 2026-01-01)

Control Framework Mappings

• NIST 800-53 Rev 5 — Security and Privacy Controls
• NIST CSF 2.0 — Cybersecurity Framework
• Cross-references only — full NIST control text lives in security-controls-mcp

Explicitly Not Covered (by design — other fleet MCPs)

• NIST CSF / 800-53 / 800-171 (full text), PCI DSS v4.0.1, SWIFT CSF, HITRUST, SOC 2 → security-controls-mcp
• OFAC sanctions, entity screening → sanctions-law-mcp

Roadmap

• State breach notification laws (full 50-state matrix beyond the current 27 pinned rules) — ongoing
• Additional FDA guidance (cyber, SaMD iterations) — tracked in CDRH release cadence

Detailed coverage: COVERAGE.md · machine-readable: data/coverage.json

---

🎬 See It In Action

Why This Works

Verbatim Source Text (No LLM Processing):

• All regulatory text is ingested from official sources (eCFR.gov, California LegInfo)
• Snippets are returned unchanged from SQLite FTS5 database rows
• Zero LLM summarization or paraphrasing — the database contains regulation text, not AI interpretations
• Note: HTML-to-text conversion normalizes whitespace/formatting, but preserves content

Smart Context Management:

• Search returns 32-token snippets with highlighted matches (safe for context)
• Section retrieval warns about token usage (some sections can be large)
• Cross-references help navigate without loading everything at once

Technical Architecture:

eCFR/LegInfo HTML → Parse → SQLite → FTS5 snippet() → MCP response
                      ↑                    ↑
               Formatting only      Verbatim database query

Example: regulations.gov vs. This MCP

regulations.gov / eCFR	This MCP Server
Search by CFR citation	Search by plain English: "breach notification timeline"
Navigate fragmented agency sites	Get the exact section with context
Manual cross-referencing across federal/state	compare_requirements tool does it instantly
"Which regulations apply to me?" → weeks of research	check_applicability tool → answer in seconds
Copy-paste from PDFs with formatting issues	Section + definitions + related requirements
Check eCFR, regulations.gov, 50 state sites	Unified search across all sources
No API for most sources	MCP protocol → AI-native

regulations.gov example: Download HIPAA PDF → Ctrl+F "breach" → Read §164.410 → Google "What's a 'reportable breach'?" → Cross-reference CCPA → Check California site → Repeat for SOX

This MCP: "Compare breach notification requirements across HIPAA, CCPA, and SOX" → Done.

---

⚠️ Important Disclaimers

Legal Advice

🚨 THIS TOOL IS NOT LEGAL ADVICE 🚨

This tool provides regulatory text for research and educational purposes. However:

• Control mappings (NIST 800-53, NIST CSF) are interpretive guidance, NOT official HHS, NIST, or agency crosswalks
• Applicability rules are generalizations, not legal determinations
• Cross-references are research helpers, not compliance mandates

Always verify against official sources and consult qualified legal counsel for compliance decisions.

Data Source Transparency

📋 Source Quality Disclosure

Tier 1 - Official API Sources (Authoritative):

• HIPAA, GLBA, FERPA, COPPA, FDA 21 CFR 11, EPA RMP — sourced from eCFR.gov official API
• CCPA/CPRA — sourced from California LegInfo official site

Tier 2 - Official State Sources (HTML Scraping):

• Virginia CDPA — sourced from law.lis.virginia.gov
• Connecticut CTDPA — sourced from cga.ct.gov
• Utah UCPA — sourced from le.utah.gov
• Colorado CPA — seed data verified against leg.colorado.gov

Tier 3 - Seed Data (Verified but Static):

• FFIEC IT Handbook — examination guidance extracted from ffiec.gov booklets
• NYDFS 500 — regulatory text from dfs.ny.gov
• SOX — statute and SEC implementing regulations

Seed data sources include official source attribution and verification dates. Users should check official sources for updates.

Control Framework Mappings: HIPAA-to-NIST and CCPA-to-NIST mappings are interpretive guidance to assist compliance research. They are NOT official agency crosswalks. Consult NIST SP 800-66 and official agency guidance for authoritative mappings.

Token Usage

⚠️ Context Window Warning

Some regulation sections can be large (e.g., HIPAA Privacy Rule sections with extensive commentary). The MCP server:

• Search tool: Returns smart snippets (safe for context)
• Get section tool: Returns full text (may consume significant tokens)
• Recommendation: Use search first, then fetch specific sections as needed

Claude Desktop has a 200k token context window. Monitor your usage when retrieving multiple large sections.

Release Status

📦 v2.0.0 — 50 regulations, 2,079 sections, 16 tools

Production release. The database covers 32 federal regulations and 18 state privacy laws, built from live adapters against eCFR, govinfo.gov, fedramp.gov, SEC.gov, FDA CDRH, and state legislature portals (plus Wayback / Justia / Fastcase mirrors for sources with restricted egress).

Data Ingestion: Automated adapters run in CI on every release; content drift is caught by 23 golden contract tests and a pinned fixtures/golden-hashes.json. Per-regulation provenance is declared in data/seed/sources.yml and queryable via the list_sources and check_data_freshness tools.

NIST Standards

No copyrighted NIST standards are included. Control mappings reference NIST 800-53 control IDs only (e.g., "AC-1", "SI-4"). While NIST standards are freely available from NIST, this tool helps map regulations to controls but doesn't replace reading the standards themselves.

---

Available Tools

The server provides 16 MCP tools (13 free-tier + 3 premium version-tracking):

Tool	Tier	Description
search_regulations	free	Full-text BM25 search across all regulations with highlighted snippets
get_section	free	Retrieve full text of a specific regulation section
list_regulations	free	List regulations or get one regulation's table of contents
compare_requirements	free	Cross-regulation comparison on a topic
map_controls	free	NIST 800-53 / CSF → regulation crosswalk
check_applicability	free	Which regulations apply to an industry sector
get_evidence_requirements	free	Extract audit evidence requirements from a section
get_compliance_action_items	free	Prioritised action items with shall/must/should parsing
get_breach_notification_timeline	free	Federal + state breach notification rules (27 jurisdictions)
get_definitions	free	Look up legally defined terms (135 definitions)
list_sources	free	Provenance and source URLs for every regulation
check_data_freshness	free	Per-regulation staleness report
about	free	Server metadata, dataset stats, freshness, provenance
get_section_history	premium	Full version timeline for a section
diff_section	premium	Diff a section between two dates
get_recent_changes	premium	All section changes since a date

Detailed tool reference: TOOLS.md — canonical, always in sync with src/tools/registry.ts

---

Development

Branching Strategy

This repository uses a dev integration branch. Do not push directly to main.

feature-branch → PR to dev → verify on dev → PR to main → deploy

• main is production-ready. Only receives merges from dev via PR.
• dev is the integration branch. All changes land here first.
• Feature branches are created from dev.

Prerequisites

• Node.js 18 or higher
• npm or yarn

Setup

# Clone the repository
git clone https://github.com/Ansvar-Systems/US_compliance_MCP.git
cd US_compliance_MCP

# Install dependencies
npm install

# Build the database schema
npm run build:db

# Load seed data
npm run load-seed

# Build the TypeScript code
npm run build

# Run in development mode
npm run dev

Available Scripts

npm run build        # Compile TypeScript to dist/
npm run dev          # Run server in development mode with tsx
npm run build:db     # Initialize database schema
npm run load-seed    # Load seed data for testing
npm test             # Run test suite with vitest (100% coverage)
npm run test:mcp     # Test MCP tool integration

Project Structure

us-regulations-mcp/
├── src/
│   ├── index.ts              # MCP server entry point
│   ├── tools/                # MCP tool implementations
│   │   ├── registry.ts       # Central tool registry
│   │   ├── search.ts         # Full-text search
│   │   ├── section.ts        # Section retrieval
│   │   ├── list.ts           # List regulations
│   │   ├── compare.ts        # Compare requirements
│   │   ├── map.ts            # Control mappings
│   │   ├── applicability.ts  # Applicability checker
│   │   ├── definitions.ts    # Term definitions
│   │   ├── evidence.ts       # Evidence requirements
│   │   └── action-items.ts   # Compliance action items
│   └── ingest/               # Ingestion framework
│       ├── framework.ts      # Base interfaces
│       └── adapters/         # Source-specific adapters
├── scripts/
│   ├── build-db.ts           # Database schema builder
│   ├── load-seed-data.ts     # Seed data loader
│   └── ingest.ts             # Data ingestion orchestrator
├── data/
│   └── regulations.db        # SQLite database
└── docs/                     # Documentation

---

Architecture Overview

Database

The server uses SQLite with FTS5 (full-text search) for efficient querying:

• regulations - Metadata for each regulation
• sections - Regulation sections with full text
• sections_fts - FTS5 index for fast full-text search
• definitions - Official term definitions
• control_mappings - NIST control to regulation mappings
• applicability_rules - Sector applicability rules
• source_registry - Data source tracking for updates

Ingestion Framework

The ingestion framework uses an adapter pattern to normalize data from multiple US regulatory sources:

• eCFR.gov API - Electronic Code of Federal Regulations (HIPAA, SOX)
• California LegInfo API - State legislation (CCPA/CPRA)
• regulations.gov API - Federal regulatory documents
• Agency-specific sources - HHS, SEC, FTC guidance

Each adapter handles source-specific pagination, authentication, and data normalization.

MCP Protocol

The server implements the Model Context Protocol specification:

• stdio transport for Claude Desktop integration
• Centralized tool registry for consistent tool definitions
• Structured error handling with informative messages
• Token-efficient responses with snippet highlighting

---

Related Projects: Complete Compliance Suite

This server is part of Ansvar's Compliance Suite - three MCP servers that work together for end-to-end compliance coverage:

🇪🇺 EU Regulations MCP

Query 47 EU regulations directly from Claude

• GDPR, AI Act, DORA, NIS2, MiFID II, PSD2, eIDAS, MDR, and 39 more
• Full regulatory text with article-level search
• Cross-regulation reference and comparison
• Install: npx @ansvar/eu-regulations-mcp

🇺🇸 US Regulations MCP (This Project)

Query US federal and state compliance laws directly from Claude

• 50 regulations across 32 federal rules/statutes and 18 state privacy laws
• HIPAA, HITECH, SOX, GLBA, FFIEC, NYDFS, FISMA, Dodd-Frank, SEC Cyber, FedRAMP, CMMC, BSA/AML, ITAR, EAR, CFPB, FAR/DFARS, CIRCIA, CISA BODs, FDA medical device cyber stack, and the full California/Virginia/Colorado/Connecticut/Utah/Texas/Oregon/Montana/Delaware/Iowa/Nebraska/New Hampshire/New Jersey/Tennessee/Minnesota/Maryland/Rhode Island/Indiana privacy sweep
• Federal and state privacy law comparison via compare_requirements
• Breach notification timeline across 27 federal + state jurisdictions
• Premium tier: get_section_history, diff_section, get_recent_changes for section-level version tracking
• Install: npm install @ansvar/us-regulations-mcp

🔐 Security Controls MCP

Query 1,451 security controls across 28 frameworks

• ISO 27001, NIST CSF, DORA, PCI DSS, SOC 2, CMMC, FedRAMP, and 21 more
• Bidirectional framework mapping and gap analysis
• Import your purchased standards for official text
• Install: pipx install security-controls-mcp

How They Work Together

Regulations → Controls Implementation Workflow:

1. "What are HIPAA's security safeguard requirements?"
   → US Regulations MCP returns 45 CFR § 164.306 full text

2. "What security controls satisfy HIPAA §164.306?"
   → Security Controls MCP maps to NIST 800-53, ISO 27001, and SCF controls

3. "Show me NIST 800-53 AC-1 implementation details"
   → Security Controls MCP returns control requirements and framework mappings

Complete compliance in one chat:

• EU/US Regulations MCPs tell you WHAT compliance requirements you must meet
• Security Controls MCP tells you HOW to implement controls that satisfy those requirements

---

About Ansvar Systems

We build AI-accelerated threat modeling and compliance tools for automotive, financial services, and healthcare. This MCP server started as our internal reference tool for US regulations — turns out everyone building for US markets has the same compliance research frustrations.

So we're open-sourcing it. Navigating federal and state regulations shouldn't require a legal team.

ansvar.eu — Stockholm, Sweden

---

More Open Source from Ansvar

We maintain a family of MCP servers for compliance and security professionals:

Server	Description	Install
EU Regulations	47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...)	npx @ansvar/eu-regulations-mcp
Security Controls	1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...)	pipx install security-controls-mcp
OT Security	IEC 62443, NIST 800-82, MITRE ATT&CK for ICS	npx @ansvar/ot-security-mcp
Automotive	UNECE R155/R156, ISO 21434 for automotive cybersecurity	npx @ansvar/automotive-cybersecurity-mcp
Sanctions	Offline sanctions screening with OpenSanctions (30+ lists)	pip install ansvar-sanctions-mcp

Browse all projects: ansvar.eu/open-source

---

Documentation

• Coverage Details — All regulations with section counts
• Available Tools — Detailed tool descriptions with examples
• Development Status — Current implementation status
• Privacy Policy — Data handling and retention notes

---

Directory Review Notes

Testing Account and Sample Data

This server is read-only and does not require a login account for functional review. For directory review, use the bundled dataset and these sample prompts:

• "What are HIPAA access control requirements?"
• "Compare HIPAA and CCPA breach notification timelines."
• "List regulations applicable to healthcare providers."

Remote Authentication (OAuth 2.0)

The default server runtime is read-only and can be deployed without authentication. If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.

Troubleshooting

• If startup fails, verify US_COMPLIANCE_DB_PATH points to a readable SQLite file.
• If HTTP tool calls fail, confirm /mcp POST routing and mcp-session-id header forwarding.
• If results are empty, call list_regulations first to verify dataset initialization.

---

Contributing

Contributions are welcome! Please read our Contributing Guide for details on:

• Development setup
• Pull request process
• Commit message conventions
• Code style guidelines

By participating in this project, you agree to abide by our Code of Conduct.

---

Support

For issues, questions, or feature requests:

• Open a GitHub issue
• Email: hello@ansvar.eu

---

Acknowledgments

• Regulatory data from official US government sources (eCFR.gov, California LegInfo)
• Uses the Model Context Protocol by Anthropic
• Inspired by the EU Regulations MCP architecture

---

License

Apache License 2.0. See LICENSE for details.

---

_{Built with care in Stockholm, Sweden}