🚀 US Regulations MCP Server
Navigate US compliance from the AI age.

Query HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, FDA 21 CFR 820 (QSR/QMSR), FDA Premarket & Postmarket Cybersecurity Guidance, FD&C Act Section 524B (PATCH Act), CIRCIA, EPA RMP, FFIEC, NYDFS 500, and 4 state privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) directly from Claude, Cursor, or any MCP-compatible client.
If you're building healthcare tech, consumer apps, or financial services for the US market, this is your compliance reference.
Built by Ansvar Systems — Stockholm, Sweden
🚀 Quick Start
Use Remotely (No Install Needed)
Connect directly to the hosted version — zero dependencies, nothing to install.
Endpoint: https://us-regulations-mcp.vercel.app/mcp
| Client | How to Connect |
|---|---|
| Claude.ai | Settings > Connectors > Add Integration > paste URL |
| Claude Code | claude mcp add us-regulations --transport http https://us-regulations-mcp.vercel.app/mcp |
| Claude Desktop | Add to config (see below) |
| GitHub Copilot | Add to VS Code settings (see below) |
Claude Desktop — add to claude_desktop_config.json:
```json
{
  "mcpServers": {
    "us-regulations": {
      "type": "url",
      "url": "https://us-regulations-mcp.vercel.app/mcp"
    }
  }
}
```
GitHub Copilot — add to VS Code settings.json:
```json
{
  "github.copilot.chat.mcp.servers": {
    "us-regulations": {
      "type": "http",
      "url": "https://us-regulations-mcp.vercel.app/mcp"
    }
  }
}
```
Use Locally (npm)
```bash
npx @ansvar/us-regulations-mcp
```
Claude Desktop — add to claude_desktop_config.json:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
```json
{
  "mcpServers": {
    "us-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/us-regulations-mcp"]
    }
  }
}
```
Cursor / VS Code:
```json
{
  "mcp.servers": {
    "us-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/us-regulations-mcp"]
    }
  }
}
```
✨ Features
- Regulatory Query: Query multiple US regulations directly from Claude, Cursor, or any MCP-compatible client.
- Cross-referenceable: Make US regulations searchable, cross-referenceable, and AI-readable.
- Automated Security: Follow OpenSSF Best Practices for secure open-source development, including automated security scanning, daily freshness monitoring, secure publishing, and security metrics.
- Rich Query Examples: Provide a large number of example queries for different regulatory areas.
- Comprehensive Coverage: Cover a wide range of regulations in healthcare, privacy, finance, education, and other fields.
- Control Framework Mappings: Map regulations to control frameworks such as NIST 800-53 and NIST CSF 2.0.
- Multiple Tools: Offer 9 MCP tools for full-text search, section retrieval, comparison, and more.
📦 Installation
Remote Use
No installation is required. Just connect to the hosted version using the provided endpoint https://us-regulations-mcp.vercel.app/mcp.
Local Use
```bash
npx @ansvar/us-regulations-mcp
```
💻 Usage Examples
Healthcare & HIPAA
- "What are the HIPAA security rule requirements for access controls?"
- "Does my telemedicine app need to comply with HIPAA?"
- "What audit logs does HIPAA require for ePHI access?"
- "How long do I have to report a HIPAA breach?"
Privacy & CCPA
- "Compare breach notification timelines between HIPAA and CCPA"
- "What consumer rights does CCPA provide for data deletion?"
- "Do I need to comply with CCPA if I have 10,000 California customers?"
- "What is a 'sale' of personal information under CCPA?"
Financial & SOX
- "What IT controls does SOX Section 404 require?"
- "Which NIST 800-53 controls satisfy SOX audit requirements?"
- "How long must I retain financial records under SOX?"
- "What are the requirements for SOX internal control assessments?"
Financial Services & GLBA
- "What are the GLBA safeguards rule requirements for customer data protection?"
- "Compare encryption requirements across HIPAA, GLBA, and SOX"
Banking & FFIEC
- "What are the FFIEC guidelines for information security governance?"
- "What does FFIEC require for business continuity planning?"
- "Compare FFIEC cybersecurity requirements with NYDFS 500"
New York Financial Services & NYDFS
- "What are the NYDFS 500 requirements for multi-factor authentication?"
- "When must I notify NYDFS of a cybersecurity event?"
- "What are the penetration testing requirements under NYDFS 500?"
- "What information security program elements does GLBA require?"
State Privacy Laws - Virginia CDPA
- "What consumer rights does Virginia CDPA provide?"
- "What are the data protection assessment requirements under Virginia CDPA?"
- "Compare opt-out mechanisms between CCPA and Virginia CDPA"
State Privacy Laws - Colorado CPA
- "What is the universal opt - out mechanism under Colorado CPA?"
- "What data subject rights does Colorado CPA grant?"
- "Colorado CPA requirements for data controllers vs processors"
State Privacy Laws - Connecticut CTDPA
- "What are Connecticut CTDPA data protection assessment requirements?"
- "Compare consumer rights between CCPA and Connecticut CTDPA"
- "What sensitive data processing restrictions apply under Connecticut law?"
State Privacy Laws - Utah UCPA
- "What are Utah UCPA consumer privacy rights?"
- "Utah UCPA data controller obligations and exemptions"
- "Compare Utah UCPA with other state privacy laws"
Education & FERPA
- "What are FERPA requirements for student record access?"
- "Can I share student data with third-party analytics tools under FERPA?"
- "What parental consent is needed to disclose student directory information?"
Children's Privacy & COPPA
- "What parental consent mechanisms are acceptable under COPPA?"
- "COPPA requirements for collecting personal information from children under 13"
- "Do I need COPPA compliance for a kids' mobile app?"
Pharmaceutical & FDA
- "What are FDA 21 CFR Part 11 requirements for electronic signatures?"
- "How must clinical trial data be validated under 21 CFR Part 11?"
- "What audit trail requirements apply to electronic records in pharma?"
Medical Device Cybersecurity
- "What is required in an SBOM for FDA premarket submissions?"
- "What is a 'cyber device' under Section 524B?"
- "What threat modeling approach does FDA require for medical devices?"
Environmental & EPA
- "Which chemical facilities must submit an EPA Risk Management Plan?"
- "What accident prevention requirements does EPA RMP mandate?"
- "How often must I update my facility's EPA RMP?"
Cross-Regulation Analysis
- "Compare incident response requirements across HIPAA, CCPA, and SOX"
- "Which regulations apply to a fintech company in California?"
- "Map NIST CSF to our HIPAA and SOX obligations"
- "What are my data retention requirements across all regulations?"
📚 Documentation
- Coverage Details — All regulations with section counts
- Available Tools — Detailed tool descriptions with examples
- Development Status — Current implementation status
- Privacy Policy — Data handling and retention notes
🔧 Technical Details
Database
The server uses SQLite with FTS5 (full-text search) for efficient querying:
- regulations - Metadata for each regulation
- sections - Regulation sections with full text
- sections_fts - FTS5 index for fast full-text search
- definitions - Official term definitions
- control_mappings - NIST control to regulation mappings
- applicability_rules - Sector applicability rules
- source_registry - Data source tracking for updates
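The search tool above queries sections_fts with an FTS5 MATCH expression, and that expression is the one place where user text meets query syntax: FTS5 reads `"`, `*`, `(`, `)`, `:` and the words AND, OR, NOT and NEAR as operators, so raw user input either fails to parse or lets the caller rewrite the query (for example by adding a column filter). The following is an added example, not the project's own search code; it quotes every term as an FTS5 string literal and passes the whole expression as a bound parameter. The column names, the join on rowid and the column index given to snippet() are assumptions about the schema, not taken from the project.

```javascript
// Added example (not the project's own search code): building an FTS5 MATCH
// query for the sections_fts table from untrusted user text.

const FTS_COLUMNS = new Set(["section_id", "title", "content"]); // assumed sections_fts columns
const MAX_TERMS = 16;

// Quote one term as an FTS5 string: wrap in double quotes and double any
// embedded double quote. Inside the quotes nothing is interpreted as syntax.
function quoteFtsTerm(term) {
  return '"' + term.replace(/"/g, '""') + '"';
}

// Free text -> MATCH expression. Terms are implicitly ANDed by FTS5, so
// "access control" requires both tokens. `prefix` appends * for prefix search;
// `column` is a server-chosen filter checked against the allow-list above,
// never taken from user text.
function buildMatchExpression(userText, { prefix = false, column } = {}) {
  const terms = String(userText).trim().split(/\s+/).filter(Boolean).slice(0, MAX_TERMS);
  if (terms.length === 0) throw new Error("empty query");
  let expr = terms.map((t) => quoteFtsTerm(t) + (prefix ? "*" : "")).join(" ");
  if (column !== undefined) {
    if (!FTS_COLUMNS.has(column)) throw new Error("unknown column: " + column);
    expr = column + ": (" + expr + ")";
  }
  return expr;
}

// SQL plus parameters for a driver's prepare/bind step. snippet() and bm25()
// are FTS5 auxiliary functions; column index 2 is `content` in the assumed
// table. LIMIT is clamped so a client cannot request the whole corpus.
function buildSearchStatement(userText, opts = {}) {
  const limit = Math.min(Math.max(Number(opts.limit) || 10, 1), 50);
  const sql =
    "SELECT s.regulation_id, s.section_id, s.title, " +
    "snippet(sections_fts, 2, '[', ']', '...', 24) AS snippet " +
    "FROM sections_fts JOIN sections AS s ON s.rowid = sections_fts.rowid " +
    "WHERE sections_fts MATCH ? ORDER BY bm25(sections_fts) LIMIT ?";
  return { sql, params: [buildMatchExpression(userText, opts), limit] };
}
```

A query such as `breach OR content:x` becomes three quoted literals rather than an OR expression with a column filter, which is the intended outcome: the server decides which columns and operators are exposed, and the user supplies words only.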
Ingestion Framework
The ingestion framework uses an adapter pattern to normalize data from multiple US regulatory sources:
- eCFR.gov API - Electronic Code of Federal Regulations (HIPAA, SOX)
- California LegInfo API - State legislation (CCPA/CPRA)
- regulations.gov API - Federal regulatory documents
- Agency-specific sources - HHS, SEC, FTC guidance
Each adapter handles source-specific pagination, authentication, and data normalization.
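The adapter pattern just described, as an added example that is not the project's ingestion framework. An adapter exposes fetchPage(cursor) and normalize(raw); the orchestrator pages through the source under a hard page cap (a broken or hostile "next" cursor must not loop forever), normalizes each record into one shape, skips duplicates that overlapping pages return, tolerates a malformed record without aborting the run, and fingerprints the text so a source registry can detect changed sections. The eCFR-like pages are constructed; a real adapter performs HTTP calls and is asynchronous, which is omitted so the example runs offline.

```javascript
// Added example (not the project's code): adapter + orchestrator for paginated
// regulatory sources. Everything below is constructed for illustration.

// FNV-1a 32-bit fingerprint, used only to detect changed text (assumption:
// a production registry would store SHA-256 from node:crypto instead).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed stand-in for a paginated API. Page 2 repeats a section from
// page 1 (overlapping pagination) and carries one item without a body.
const FAKE_ECFR_PAGES = [
  { items: [
      { section: "164.308", heading: "Administrative safeguards", body: "A covered entity must ...\n  implement policies" },
      { section: "164.310", heading: "Physical safeguards", body: "Facility access controls ..." },
    ], next: 2 },
  { items: [
      { section: "164.310", heading: "Physical safeguards", body: "Facility access controls ..." },
      { section: "164.312", heading: "Technical safeguards" },
    ], next: 3 },
  { items: [{ section: "164.316", heading: "Policies and documentation", body: "Retain documentation ..." }], next: null },
];

const ecfrAdapter = {
  name: "ecfr-example",
  fetchPage(cursor) {
    return FAKE_ECFR_PAGES[(cursor ?? 1) - 1] ?? { items: [], next: null };
  },
  normalize(raw) {
    if (typeof raw.section !== "string" || typeof raw.body !== "string") throw new Error("malformed record");
    const text = raw.body.replace(/\s+/g, " ").trim(); // collapse whitespace before fingerprinting
    return { source: this.name, regulationId: "hipaa", sectionId: raw.section,
             title: raw.heading ?? "", text, fingerprint: fnv1a(text) };
  },
};

// Walk every page of one source. `maxPages` is the guard against a cursor
// that never ends; per-record failures are collected, not fatal.
function ingest(adapter, { maxPages = 100 } = {}) {
  const records = [], errors = [], seen = new Set();
  let cursor = null, pages = 0;
  do {
    if (pages >= maxPages) throw new Error(`${adapter.name}: page cap of ${maxPages} exceeded`);
    const page = adapter.fetchPage(cursor);
    pages++;
    for (const raw of page.items) {
      try {
        const rec = adapter.normalize(raw);
        if (seen.has(rec.sectionId)) continue; // duplicate from overlapping pages
        seen.add(rec.sectionId);
        records.push(rec);
      } catch (e) {
        errors.push({ sectionId: raw && raw.section, reason: e.message });
      }
    }
    cursor = page.next;
  } while (cursor !== null && cursor !== undefined);
  return { records, errors, pages };
}
```

The fingerprint is what makes the source_registry table useful for freshness checks: on the next run, a section whose fingerprint differs from the stored one has changed upstream, while an identical fingerprint means the row can be skipped.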
MCP Protocol
The server implements the Model Context Protocol specification:
- stdio transport for Claude Desktop integration
- Centralized tool registry for consistent tool definitions
- Structured error handling with informative messages
- Token-efficient responses with snippet highlighting
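The four points above, as an added example that is not the project's server code: a JSON-RPC 2.0 dispatcher in the shape an MCP stdio server uses. One registry object holds each tool's description, input schema and handler, so tools/list and tools/call cannot drift apart; failures come back as structured JSON-RPC error objects with a generic message for internal faults; and search results are reduced to highlighted snippets. The two tool names are from the tool table on this page, while the schemas, section ids and section text are constructed (the text is paraphrased, not the regulations' wording).

```javascript
// Added example (not the project's code): minimal MCP-style JSON-RPC dispatcher.

const RPC = { PARSE: -32700, INVALID_REQUEST: -32600, METHOD_NOT_FOUND: -32601, INVALID_PARAMS: -32602, INTERNAL: -32603 };

// Constructed stand-in for the sections table.
const SAMPLE_SECTIONS = [
  { id: "hipaa-164.312", title: "Technical safeguards (constructed)",
    text: "Implement technical policies and procedures that allow access only to persons or programs granted access rights." },
  { id: "ccpa-1798.150", title: "Security breaches (constructed)",
    text: "A business must implement reasonable security procedures to protect personal information from unauthorized access." },
];

// Build an Error carrying a JSON-RPC error object; handleMessage unwraps it.
function rpcError(code, message, data) {
  const e = new Error(message);
  e.rpc = data === undefined ? { code, message } : { code, message, data };
  return e;
}

// Excerpt about `width` characters around the first hit, marking it with [ ].
function makeSnippet(text, term, width = 60) {
  const i = text.toLowerCase().indexOf(term.toLowerCase());
  if (i < 0) return text.slice(0, width) + (text.length > width ? "..." : "");
  const half = Math.floor(width / 2);
  const start = Math.max(0, i - half);
  const end = Math.min(text.length, i + term.length + half);
  return (start > 0 ? "..." : "") + text.slice(start, i) + "[" + text.slice(i, i + term.length) + "]" +
    text.slice(i + term.length, end) + (end < text.length ? "..." : "");
}

// Central tool registry: the single source for tools/list and tools/call.
const TOOL_REGISTRY = {
  search_regulations: {
    description: "Full-text search across all regulations with highlighted snippets",
    inputSchema: { type: "object", properties: { query: { type: "string" } }, required: ["query"] },
    handler({ query }) {
      if (typeof query !== "string" || query.trim() === "") throw rpcError(RPC.INVALID_PARAMS, "query must be a non-empty string");
      return SAMPLE_SECTIONS.filter((s) => s.text.toLowerCase().includes(query.toLowerCase()))
        .map((s) => ({ id: s.id, title: s.title, snippet: makeSnippet(s.text, query) }));
    },
  },
  get_section: {
    description: "Retrieve full text of a specific regulation section",
    inputSchema: { type: "object", properties: { id: { type: "string" } }, required: ["id"] },
    handler({ id }) {
      const s = SAMPLE_SECTIONS.find((x) => x.id === id);
      if (!s) throw rpcError(RPC.INVALID_PARAMS, "unknown section", { id });
      return s;
    },
  },
};

function dispatch(method, params) {
  switch (method) {
    case "initialize":
      return { protocolVersion: "2024-11-05", capabilities: { tools: {} }, serverInfo: { name: "example-regulations", version: "0.0.0" } };
    case "tools/list":
      return { tools: Object.entries(TOOL_REGISTRY).map(([name, t]) => ({ name, description: t.description, inputSchema: t.inputSchema })) };
    case "tools/call": {
      const name = params.name;
      // Own-property check: "constructor" or "__proto__" must not resolve to a tool.
      if (typeof name !== "string" || !Object.prototype.hasOwnProperty.call(TOOL_REGISTRY, name)) {
        throw rpcError(RPC.METHOD_NOT_FOUND, "unknown tool", { name });
      }
      const result = TOOL_REGISTRY[name].handler(params.arguments ?? {});
      return { content: [{ type: "text", text: JSON.stringify(result) }] };
    }
    default:
      throw rpcError(RPC.METHOD_NOT_FOUND, "unknown method", { method });
  }
}

// One raw line in, one response object out (null for notifications). Internal
// faults become a generic error so stack traces and paths never reach the client.
function handleMessage(raw) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return { jsonrpc: "2.0", id: null, error: { code: RPC.PARSE, message: "parse error" } }; }
  const id = msg && msg.id !== undefined ? msg.id : null;
  if (!msg || msg.jsonrpc !== "2.0" || typeof msg.method !== "string") {
    return { jsonrpc: "2.0", id, error: { code: RPC.INVALID_REQUEST, message: "invalid request" } };
  }
  if (msg.id === undefined) return null; // notification: never answered
  try {
    return { jsonrpc: "2.0", id, result: dispatch(msg.method, msg.params && typeof msg.params === "object" ? msg.params : {}) };
  } catch (e) {
    return { jsonrpc: "2.0", id, error: e.rpc || { code: RPC.INTERNAL, message: "internal error" } };
  }
}

// stdio transport: newline-delimited JSON on stdin, responses on stdout.
if (typeof require !== "undefined" && require.main === module) {
  require("node:readline").createInterface({ input: process.stdin }).on("line", (line) => {
    const reply = line.trim() ? handleMessage(line) : null;
    if (reply) process.stdout.write(JSON.stringify(reply) + "\n");
  });
}
```

Run it directly and type `{"jsonrpc":"2.0","id":1,"method":"tools/list"}` to see the registry echoed back; a call with `"name":"constructor"` is answered with error code -32601 rather than a crash, which is the point of the own-property check.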
📄 License
Apache License 2.0. See LICENSE for details.
⚠️ Important Note
🚨 THIS TOOL IS NOT LEGAL ADVICE 🚨
This tool provides regulatory text for research and educational purposes. However:
- Control mappings (NIST 800-53, NIST CSF) are interpretive guidance, NOT official HHS, NIST, or agency crosswalks
- Applicability rules are generalizations, not legal determinations
- Cross-references are research helpers, not compliance mandates
Always verify against official sources and consult qualified legal counsel for compliance decisions.
📋 Source Quality Disclosure
Tier 1 - Official API Sources (Authoritative):
- HIPAA, GLBA, FERPA, COPPA, FDA 21 CFR 11, EPA RMP — sourced from eCFR.gov official API
- CCPA/CPRA — sourced from California LegInfo official site
Tier 2 - Official State Sources (HTML Scraping):
- Virginia CDPA — sourced from law.lis.virginia.gov
- Connecticut CTDPA — sourced from cga.ct.gov
- Utah UCPA — sourced from le.utah.gov
- Colorado CPA — seed data verified against leg.colorado.gov
Tier 3 - Seed Data (Verified but Static):
- FFIEC IT Handbook — examination guidance extracted from ffiec.gov booklets
- NYDFS 500 — regulatory text from dfs.ny.gov
- SOX — statute and SEC implementing regulations
Seed data sources include official source attribution and verification dates. Users should check official sources for updates.
Control Framework Mappings: HIPAA-to-NIST and CCPA-to-NIST mappings are interpretive guidance to assist compliance research. They are NOT official agency crosswalks. Consult NIST SP 800-66 and official agency guidance for authoritative mappings.
⚠️ Context Window Warning
Some regulation sections can be large (e.g., HIPAA Privacy Rule sections with extensive commentary). The MCP server:
- Search tool: Returns smart snippets (safe for context)
- Get section tool: Returns full text (may consume significant tokens)
- Recommendation: Use search first, then fetch specific sections as needed
Claude Desktop has a 200k token context window. Monitor your usage when retrieving multiple large sections.
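The "search first, then fetch" recommendation can be enforced on the server side rather than left to the user. The following is an added example, not the project's code: a budget guard for section retrieval that estimates tokens at 4 characters per token (an assumption; the client's real tokenizer differs), trims an oversized section at a paragraph break, and plans a multi-section fetch against the 200k window quoted above. Section ids and sizes are constructed.

```javascript
// Added example (not the project's code): token budgeting for get_section-style responses.

const CLIENT_CONTEXT_TOKENS = 200000; // context window cited in the README
const CHARS_PER_TOKEN = 4;            // rough estimate, assumption

function estimateTokens(text) {
  return Math.ceil(text.length / CHARS_PER_TOKEN);
}

// Trim `text` to at most `budgetTokens`, preferring the last paragraph break
// inside the budget so the client receives whole clauses, and report what was dropped.
function fitToBudget(text, budgetTokens) {
  const limitChars = budgetTokens * CHARS_PER_TOKEN;
  if (text.length <= limitChars) return { text, truncated: false, tokens: estimateTokens(text), droppedTokens: 0 };
  let cut = text.lastIndexOf("\n\n", limitChars);
  if (cut < limitChars / 2) cut = limitChars; // no usable boundary: hard cut
  const kept = text.slice(0, cut);
  return { text: kept, truncated: true, tokens: estimateTokens(kept), droppedTokens: estimateTokens(text.slice(cut)) };
}

// Decide which requested sections fit a running budget. Sections that do not
// fit are deferred with their size, so the caller can search for the relevant
// passage instead of pulling the whole section into context.
function planFetch(sections, budgetTokens) {
  let remaining = budgetTokens;
  const fetched = [], deferred = [];
  for (const s of sections) {
    const need = estimateTokens(s.text);
    if (need <= remaining) { fetched.push(s.id); remaining -= need; }
    else deferred.push({ id: s.id, tokens: need });
  }
  return { fetched, deferred, usedTokens: budgetTokens - remaining };
}

// Constructed sizes: two modest sections and one commentary-heavy one.
const SAMPLE_REQUEST = [
  { id: "hipaa-164.308", text: "x".repeat(6000) },   // ~1,500 tokens
  { id: "hipaa-164.502", text: "y".repeat(400000) }, // ~100,000 tokens
  { id: "ccpa-1798.100", text: "z".repeat(2000) },   // ~500 tokens
];

// Keep section text to a quarter of the window so conversation history and
// the model's answers still fit.
function demo() {
  return planFetch(SAMPLE_REQUEST, CLIENT_CONTEXT_TOKENS / 4);
}
```

In demo() the 100k-token section is deferred while the two small ones are fetched; a server that returns the deferred list with sizes lets the client decide whether to fetch a trimmed version via fitToBudget or to search within it instead.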
📋 Initial Release
This is a production-ready MVP with three foundational regulations (HIPAA, CCPA, SOX). The database schema and all 9 MCP tools are fully functional and thoroughly tested (100% test coverage).
Data Ingestion: Automated ingestion from official API sources (eCFR.gov, California LegInfo) is operational. Additional regulations are being added to the database.
Coming Soon: Additional federal regulations (GLBA, FERPA, FISMA) and state breach notification laws.
No copyrighted NIST standards are included. Control mappings reference NIST 800-53 control IDs only (e.g., "AC-1", "SI-4"). While NIST standards are freely available from NIST, this tool helps map regulations to controls but doesn't replace reading the standards themselves.
Available Tools
The server provides 9 MCP tools:
| Tool | Description |
|---|---|
| search_regulations | Full-text search across all regulations with highlighted snippets |
| get_section | Retrieve full text of a specific regulation section |
| list_regulations | List available regulations or get hierarchical structure |
| compare_requirements | Compare topic across multiple regulations |
| map_controls | Map NIST controls to regulation sections |
| check_applicability | Determine which regulations apply to your sector |
| get_evidence_requirements | Get compliance evidence requirements for a section |
| get_compliance_action_items | Generate structured compliance action items |
Detailed tool reference: docs/tools.md
Development
Branching Strategy
This repository uses a dev integration branch. Do not push directly to main.
feature-branch → PR to dev → verify on dev → PR to main → deploy
- main is production-ready. Only receives merges from dev via PR.
- dev is the integration branch. All changes land here first.
- Feature branches are created from dev.
Prerequisites
- Node.js 18 or higher
- npm or yarn
Setup
```bash
git clone https://github.com/Ansvar-Systems/US_compliance_MCP.git
cd US_compliance_MCP
npm install
npm run build:db
npm run load-seed
npm run build
npm run dev
```
Available Scripts
```bash
npm run build
npm run dev
npm run build:db
npm run load-seed
npm test
npm run test:mcp
```
Project Structure
```
us-regulations-mcp/
├── src/
│   ├── index.ts              # MCP server entry point
│   ├── tools/                # MCP tool implementations
│   │   ├── registry.ts       # Central tool registry
│   │   ├── search.ts         # Full-text search
│   │   ├── section.ts        # Section retrieval
│   │   ├── list.ts           # List regulations
│   │   ├── compare.ts        # Compare requirements
│   │   ├── map.ts            # Control mappings
│   │   ├── applicability.ts  # Applicability checker
│   │   ├── definitions.ts    # Term definitions
│   │   ├── evidence.ts       # Evidence requirements
│   │   └── action-items.ts   # Compliance action items
│   └── ingest/               # Ingestion framework
│       ├── framework.ts      # Base interfaces
│       └── adapters/         # Source-specific adapters
├── scripts/
│   ├── build-db.ts           # Database schema builder
│   ├── load-seed-data.ts     # Seed data loader
│   └── ingest.ts             # Data ingestion orchestrator
├── data/
│   └── regulations.db        # SQLite database
└── docs/                     # Documentation
```
Related Projects: Complete Compliance Suite
This server is part of Ansvar's Compliance Suite - three MCP servers that work together for end-to-end compliance coverage:
Query 47 EU regulations directly from Claude
- GDPR, AI Act, DORA, NIS2, MiFID II, PSD2, eIDAS, MDR, and 39 more
- Full regulatory text with article-level search
- Cross-regulation reference and comparison
- Install: npx @ansvar/eu-regulations-mcp
🇺🇸 US Regulations MCP (This Project)
Query US federal and state compliance laws directly from Claude
- HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA QSR, CIRCIA, and 12 more
- Federal and state privacy law comparison
- Breach notification timeline mapping
- Install: npm install @ansvar/us-regulations-mcp
🔐 [Security Controls MCP](https://github.com/Ansvar-Systems/security-controls-mcp)
Query 1,451 security controls across 28 frameworks
- ISO 27001, NIST CSF, DORA, PCI DSS, SOC 2, CMMC, FedRAMP, and 21 more
- Bidirectional framework mapping and gap analysis
- Import your purchased standards for official text
- Install: pipx install security-controls-mcp
How They Work Together
Regulations → Controls Implementation Workflow:
1. "What are HIPAA's security safeguard requirements?"
→ US Regulations MCP returns 45 CFR § 164.306 full text
2. "What security controls satisfy HIPAA §164.306?"
→ Security Controls MCP maps to NIST 800-53, ISO 27001, and SCF controls
3. "Show me NIST 800-53 AC-1 implementation details"
→ Security Controls MCP returns control requirements and framework mappings
Complete compliance in one chat:
- EU/US Regulations MCPs tell you WHAT compliance requirements you must meet
- Security Controls MCP tells you HOW to implement controls that satisfy those requirements
About Ansvar Systems
We build AI-accelerated threat modeling and compliance tools for automotive, financial services, and healthcare. This MCP server started as our internal reference tool for US regulations — turns out everyone building for US markets has the same compliance research frustrations.
So we're open-sourcing it. Navigating federal and state regulations shouldn't require a legal team.
ansvar.eu — Stockholm, Sweden
More Open Source from Ansvar
We maintain a family of MCP servers for compliance and security professionals:
| Server | Description | Install |
|---|---|---|
| EU Regulations | 47 EU regulations (GDPR, AI Act, DORA, NIS2, MiFID II, eIDAS, MDR...) | npx @ansvar/eu-regulations-mcp |
| [Security Controls](https://github.com/Ansvar-Systems/security-controls-mcp) | 1,451 controls across 28 frameworks (ISO 27001, NIST CSF, PCI DSS, CMMC...) | pipx install security-controls-mcp |
| [OT Security](https://github.com/Ansvar-Systems/ot-security-mcp) | IEC 62443, NIST 800-82, MITRE ATT&CK for ICS | npx @ansvar/ot-security-mcp |
| [Automotive](https://github.com/Ansvar-Systems/Automotive-MCP) | UNECE R155/R156, ISO 21434 for automotive cybersecurity | npx @ansvar/automotive-cybersecurity-mcp |
| [Sanctions](https://github.com/Ansvar-Systems/Sanctions-MCP) | Offline sanctions screening with OpenSanctions (30+ lists) | pip install ansvar-sanctions-mcp |
Browse all projects: [ansvar.eu/open-source](https://ansvar.eu/open-source)
Directory Review Notes
Testing Account and Sample Data
This server is read - only and does not require a login account for functional review.
For directory review, use the bundled dataset and these sample prompts:
- "What are HIPAA access control requirements?"
- "Compare HIPAA and CCPA breach notification timelines."
- "List regulations applicable to healthcare providers."
Remote Authentication (OAuth 2.0)
The default server runtime is read - only and can be deployed without authentication.
If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.
Troubleshooting
- If startup fails, verify US_COMPLIANCE_DB_PATH points to a readable SQLite file.
- If HTTP tool calls fail, confirm /mcp POST routing and mcp-session-id header forwarding.
- If results are empty, call list_regulations first to verify dataset initialization.
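The two remote-deployment points above (OAuth 2.0 bearer authentication, and /mcp POST routing with mcp-session-id forwarding) as an added example that is not the project's deployment code. gateMcpRequest runs before a request reaches the JSON-RPC layer: it routes on path and method, checks an optional bearer token through a caller-supplied verifier (the token format depends on the authorization server), and rejects session ids the server never issued, which is what a proxy that strips or rewrites the header looks like from the server's side. Header names are lower-case as Node's http module presents them; the MCP_BEARER_TOKEN variable and the port are assumptions. TLS is expected to be terminated in front of this process, as the hosted endpoint's platform does.

```javascript
// Added example (not the project's code): request gate for a remote /mcp endpoint.

// Compare two secrets without short-circuiting on the first mismatching byte.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, url, headers }   opts: { requireAuth, verifyToken, sessions }
// Returns an HTTP verdict; ok === true means the body may go to the dispatcher.
function gateMcpRequest(req, opts) {
  const path = String(req.url || "").split("?")[0];
  if (path !== "/mcp") return { ok: false, status: 404, reason: "not found" };
  if (req.method !== "POST") return { ok: false, status: 405, reason: "method not allowed", headers: { allow: "POST" } };
  const h = req.headers || {};
  if (opts.requireAuth) {
    const m = /^Bearer\s+(\S+)$/i.exec(h["authorization"] || "");
    if (!m || !opts.verifyToken(m[1])) {
      return { ok: false, status: 401, reason: m ? "invalid token" : "missing bearer token",
               headers: { "www-authenticate": 'Bearer realm="mcp"' } };
    }
  }
  const sid = h["mcp-session-id"];
  if (sid !== undefined && !opts.sessions.has(sid)) {
    // Never issued, expired, or replaced by an intermediary: do not serve it.
    return { ok: false, status: 404, reason: "unknown session" };
  }
  // No session header: treat as a fresh initialize; the dispatcher mints a session.
  return { ok: true, status: 200, session: sid ?? null };
}

// Minimal listener showing where the gate sits. Runs only when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  const http = require("node:http");
  const token = process.env.MCP_BEARER_TOKEN || ""; // assumed configuration variable
  const sessions = new Set();
  http.createServer((req, res) => {
    const v = gateMcpRequest({ method: req.method, url: req.url, headers: req.headers },
      { requireAuth: token !== "", verifyToken: (t) => constantTimeEqual(t, token), sessions });
    res.writeHead(v.status, { "content-type": "text/plain", ...(v.headers || {}) });
    res.end(v.ok ? "gate passed; hand off to the JSON-RPC layer\n" : v.reason + "\n");
  }).listen(8080, "127.0.0.1");
}
```

When HTTP tool calls fail behind a reverse proxy, the "unknown session" branch is the one to look for in the server's logs: the client is sending the id it was given, but the proxy is not forwarding the mcp-session-id header, so every request after initialize is rejected.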
Contributing
Contributions are welcome! Please read our Contributing Guide for details on:
- Development setup
- Pull request process
- Commit message conventions
- Code style guidelines
By participating in this project, you agree to abide by our Code of Conduct.
Support
For issues, questions, or feature requests:
Acknowledgments
- Regulatory data from official US government sources (eCFR.gov, California LegInfo)
- Uses the Model Context Protocol by Anthropic
- Inspired by the EU Regulations MCP architecture