MCP Protocol
Planning Stage
The MCP Protocol component is in planning. This page describes the intended design. Implementation details will be added as the spec matures.
Overview
The ACES MCP Protocol defines how AI systems interact with compliance evidence via the Model Context Protocol (MCP).
This enables AI assistants to:

- Query real-time compliance scores
- Identify gaps and remediation priorities
- Generate evidence summaries for auditors
- Answer natural language compliance questions

Intended MCP Tools
| Tool | Description |
|---|---|
| aces/get_score | Get current compliance score for a framework |
| aces/list_gaps | List controls with insufficient evidence |
| aces/get_evidence | Retrieve evidence for a specific control |
| aces/query_package | Query an evidence package with filters |
| aces/validate_evidence | Validate an evidence object against the schema |
Example Interaction
User: What is our current CMMC Level 2 score?
AI (via MCP): [calls aces/get_score with framework=cmmc-level2]
Returns: 78/100 — 12 controls with gaps
Top gaps: AC.2.006, IA.3.083, SI.1.210
Design Goals
- Read-first — MCP tools are read-only by default; writes require explicit authorization
- Tenant-scoped — all queries are scoped to a specific tenant/organization
- Auditable — every MCP query is logged with timestamp and caller identity
- Cacheable — responses include cache headers to prevent excessive re-querying
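One way to enforce these four goals at a single choke point in front of the tool handlers. This is an added example, not ACES code: the spec is still in planning, so `Gateway`, `Caller`, the write tool `aces/submit_evidence`, the sample scores and the 60-second cache lifetime are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

# Tool names from the page's table; the design treats them as read-only.
READ_TOOLS = {"aces/get_score", "aces/list_gaps", "aces/get_evidence",
              "aces/query_package", "aces/validate_evidence"}

class Denied(Exception):
    """Raised when a call violates gateway policy."""

@dataclass
class Caller:  # hypothetical authenticated caller context
    identity: str
    tenant: str
    write_authorized: bool = False

@dataclass
class Gateway:  # hypothetical policy gate in front of the tool handlers
    handlers: dict
    audit_log: list = field(default_factory=list)

    def call(self, caller, tool, args, now=None):
        entry = {"ts": time.time() if now is None else now, "caller": caller.identity,
                 "tenant": caller.tenant, "tool": tool, "decision": "deny"}
        self.audit_log.append(entry)  # logged before any check, so denials are recorded
        if tool not in self.handlers:
            raise Denied(f"unknown tool: {tool}")
        if tool not in READ_TOOLS and not caller.write_authorized:
            raise Denied(f"{tool} writes data; caller lacks explicit authorization")
        # Tenant comes from the caller's identity, never from model-supplied arguments.
        if args.get("tenant", caller.tenant) != caller.tenant:
            raise Denied("tenant argument does not match caller tenant")
        params = {k: v for k, v in args.items() if k != "tenant"}
        entry["decision"] = "allow"
        result = self.handlers[tool](tenant=caller.tenant, **params)
        max_age = 60 if tool in READ_TOOLS else 0  # assumed cache lifetime, seconds
        return {"result": result, "cache": {"max_age_seconds": max_age}}

# Constructed sample data and handlers for the demonstration.
SCORES = {("acme", "cmmc-level2"): 78, ("globex", "cmmc-level2"): 91}

def get_score(tenant, framework):
    return SCORES[(tenant, framework)]

def submit_evidence(tenant, control, note):  # hypothetical write tool, not in the table
    return f"stored {control} for {tenant}"

def demo_gateway():
    return Gateway({"aces/get_score": get_score, "aces/submit_evidence": submit_evidence})
```

Because the tenant is bound from the caller's identity rather than from tool arguments, a prompt that persuades the assistant to request another organization's data is denied and still leaves an audit entry.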
Contributing to the MCP Design
The MCP Protocol component is the most open area for community input. Share your ideas in GitHub Discussions.