mjEdit is not a tool for a single role but a shared OSCAL workspace for everyone who works with compliance content – from strategic governance down to technical implementation. For each role this page shows: typical day-to-day tasks, the concrete pain without mjEdit, mjEdit’s answer and a hands-on example.

Three AI pillars used throughout:

  • 🧠 AI agent (Claude Desktop, Cursor, VS Code Copilot or AnythingLLM) as the natural-language front end – the user dictates, the AI acts.
  • 🔌 MCP protocol (88 tools, 22 resources, 15 prompts): the bridge that lets the AI operate mjEdit – create files, edit JSON, validate, drive the GUI.
  • 📚 AnythingLLM RAG: a local knowledge base for ISMS documents, the BSI compendium, operations manuals – the AI answers from your documents instead of half-knowledge.

Each role section below highlights which of these three pillars delivers the biggest leverage.


1. Information security officers (ISO / CISO)

Day-to-day work: maintain ISMS documentation, implement controls, prepare audits, report to the board, assess risks.

Pain without mjEdit

  • ISMS documentation scattered across Word and Excel – every change has to be tracked in five places.
  • A new system (e.g. cloud migration) means rewriting the SSP from scratch.
  • Three days of searching before every audit to find which controls are current.
  • The BSI Grundschutz compendium is an 800-page PDF; mapping to your own measures lives in people’s heads.

How mjEdit helps

  • Preinstalled catalogs: BSI IT-Grundschutz++ (2,128 controls), NIST SP 800-53 (468 controls), C5, BSI 200-x Compendium 2023 as a starting point – no retyping.
  • Profile tailoring with include-controls, add/alter modifications and resolved-profile export – the scope selection is OSCAL standard, not an Excel column.
  • SSP generation straight from the resolved profile (oscal_generate_tailored_chain for one system, oscal_generate_batch_tailored_chain for n systems).
  • Assessment planning with EXAMINE/INTERVIEW/TEST methods per control.
  • POA&M tracking with deadlines, owners, status and risk rating.
  • Mapping tab between two frameworks (e.g. C5 ↔ ISO 27001) – auto-suggest with local AI.
  • Markdown export for the board; cross-reference report for audits.

🧠 With AI + MCP + AnythingLLM

  • AI agent (e.g. Claude Desktop): “Create an SSP for our new cloud project based on BSI Grundschutz++ and C5.” – the AI calls oscal_generate_tailored_chain via MCP, which produces the resolved profile, the SSP and the AP.
  • AnythingLLM RAG: descriptions of the implemented-requirement entries are filled from your ISMS corpus (security policy, operations manual, risk analysis) with citations – every statement carries an evidence-source property.
  • MCP prompts like oscal_compliance_check_prompt walk you through a compliance check in a structured way – you don’t have to remember tool names.

Example: “We are migrating to a hybrid cloud”

You tell the AI in Claude Desktop: “Clone our existing SSP to ssp-cloud.json, add the components ‘Azure App Service’ and ‘Azure SQL’, tailor the profile to include C5 controls and produce a mapping collection BSI ↔ C5 with a gap analysis.” The AI uses MCP to call file_copy, oscal_add_component (2×), oscal_profile_tailoring, oscal_create_mapping, oscal_mapping_auto_suggest and oscal_export_gap_report. Effort: a single morning instead of two weeks.


2. Compliance auditors and assessors

Day-to-day work: review controls, gather evidence, document findings, write reports, run follow-up meetings.

Pain without mjEdit

  • Findings live in Excel, evidence in SharePoint, the action plan in Word – nothing is linked.
  • For the next recertification the previous data basis is no longer traceable.
  • Schema conformance (OSCAL, ISO, BSI) can only be checked manually.

How mjEdit helps

  • Assessment Results directly in the editor with findings, observations and risks – everything as a linked OSCAL object.
  • Linked findings: every finding knows its control, its severity and its evidence artefact.
  • Schema validation on three levels: JSON schema, OSCAL Pydantic model, semantic cross-refs (UUIDs).
  • Markdown export with embedded statements for audit-ready reports.
  • Reverse lookup: navigate from a component to all related controls and inventory items.
  • Diff function between two AR versions for recertification.
  • Evidence-source properties back every statement with a document reference.

🧠 With AI + MCP + AnythingLLM

  • AI agent: “Find every open finding from last year’s audit and prioritise them by severity.” – the AI calls oscal_query and oscal_search via MCP and formats the result as a table.
  • AnythingLLM RAG: the AI compares current findings against historic audit reports in the knowledge base and flags recurring weaknesses.
  • MCP tools validate_oscal_document plus validate_oscal_references check schema and UUID integrity – the AI repairs breaks autonomously when prompted.

Example: “Re-audit after 12 months”

You tell the AI in Cursor: “Clone ar-2025.json to ar-2026.json, find every finding with status ‘open’, look up the current mitigation status in our knowledge base and update status + evidence.” Via MCP the AI calls file_copy, oscal_query, asks AnythingLLM about every finding and writes back through oscal_update_implementation_status and oscal_add_property (evidence-source). Previously: three hours of full-text searching.


3. IT architects and system administrators

Day-to-day work: document systems, maintain network topologies, keep inventories current, manage patches and hardening.

Pain without mjEdit

  • IP lists in Excel, hostnames in DNS, MAC addresses in DHCP – nothing correlates with the compliance docs.
  • Every new server: update five Excel sheets and check consistency.
  • Network diagrams as Visio files that no one trusts anymore.

How mjEdit helps

  • Inventory items in the SSP with hostname, fqdn, ipv4/ipv6, mac-address as OSCAL-compliant properties.
  • Component library: software, hardware and services as reusable building blocks (component-definition).
  • CSV import/export for connecting to asset management systems (CMDB, Active Directory, cloud APIs).
  • Automatic NWDiag generation from inventory data – the diagram is the documentation, not a picture next to it.
  • Reverse lookup: which controls touch this component? Which measures are affected if I shut this server down?
  • Bulk updates via editor_replace and oscal_update_metadata for patch levels.

🧠 With AI + MCP + AnythingLLM

  • AI agent: “Here is a CSV with 8 new web servers – generate the full OSCAL document chain per server.”
  • MCP tool oscal_generate_batch_tailored_chain turns one sentence into 48 schema-validated documents.
  • AnythingLLM RAG: hardening guidelines, patch policies and segmentation concepts from the knowledge base flow into the description fields per component – with citations.
  • MCP GUI tools like gui_show_tab show the resulting NWDiag immediately in the SSP tab.

Example: “Roll-out for 8 new web servers”

You dictate to the AI: “Here is the CSV with system_id, hostname, IP, OS. Generate the document chain per server and pull the hardening measures from our knowledge base ‘Linux hardening 2025’.” Via MCP the AI calls oscal_generate_batch_tailored_chain, fetches per-control rationale from AnythingLLM and produces 48 validated OSCAL documents (8 servers × 6 documents: profile → component definition → SSP → AP → AR → POA&M).


4. DevSecOps teams and AI engineers

Day-to-day work: security-as-code, automated compliance pipelines, AI workflows with Claude/Cursor/Copilot, RAG integrations.

Pain without mjEdit

  • Compliance documents are not code – they cannot be validated in CI/CD.
  • AI assistants are only allowed to suggest text, not to use editor tooling.
  • ISMS knowledge sits in scattered documents without an AI-accessible interface.

How mjEdit helps

  • 88 MCP tools for programmatic OSCAL control – file, JSON, OSCAL, qFORM, Markdown, editor and GUI operations.
  • execute_steps: up to 20 tool calls in a single request, including transactional rollback.
  • 22 MCP resources and 15 MCP prompts for guided workflows.
  • Direct integration with Claude Desktop (STDIO), Cursor, VS Code Copilot, AnythingLLM (SSE/HTTP).
  • AnythingLLM RAG: local knowledge base for ISMS documents; the AI calls mjEdit tools based on those documents.
  • Pydantic validation for OSCAL models in CI/CD pipelines (pytest-friendly).
  • JSON schema export for your own validation tooling.

🧠 With AI + MCP + AnythingLLM

For DevSecOps mjEdit is the AI control centre:

  • MCP is the programmatic interface – every AI agent (Claude, Cursor, Copilot, AnythingLLM) becomes a fully fledged co-editor for OSCAL.
  • execute_steps bundles up to 20 tool calls transactionally in one request.
  • AnythingLLM delivers compliance knowledge from your own repositories via SSE/HTTP – ideal for headless CI/CD servers.
  • MCP validation tools plug into pipelines (validate_oscal_document, validate_oscal_references).

Example: “GitLab pipeline with OSCAL validation + AI review”

One pipeline job starts mjEdit headless as an MCP server; a second job connects to an AI agent (e.g. AnythingLLM via SSE). Via MCP the AI calls validate_oscal_document on every *.json file and oscal_diff between the feature branch and main. If it detects schema breaks, it posts a pull-request comment with concrete correction suggestions sourced from the AnythingLLM knowledge base.
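The third validation level (semantic cross-refs) as a stand-alone check a pipeline job can run before the AI review; this is an added example, not mjEdit’s validate_oscal_references implementation. The SSP, its UUIDs and the set of resolved control ids are constructed; a real job would load the JSON from the repository and run the published OSCAL JSON schema first.

```python
"""Reference-integrity check for an OSCAL SSP in a CI job: every by-component
must name a declared component, every control-id a resolved control, every UUID must parse."""
import json
import uuid

# Constructed sample SSP (not an mjEdit artefact): the second component's
# uuid is malformed; requirement bbbb... cites an unknown control and a
# component that was never declared.
SAMPLE_SSP = json.loads("""{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000000",
  "system-implementation": {
    "components": [
      {"uuid": "11111111-1111-4111-8111-111111111111", "type": "service", "title": "Azure App Service"},
      {"uuid": "not-a-uuid", "type": "service", "title": "Azure SQL"}],
    "inventory-items": [{"uuid": "33333333-3333-4333-8333-333333333333",
      "implemented-components": [{"component-uuid": "11111111-1111-4111-8111-111111111111"}]}]},
  "control-implementation": {"implemented-requirements": [
    {"uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "control-id": "ac-2",
     "by-components": [{"component-uuid": "11111111-1111-4111-8111-111111111111"}]},
    {"uuid": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "control-id": "xx-99",
     "by-components": [{"component-uuid": "99999999-9999-4999-8999-999999999999"}]}]}}}""")

# Control ids of the constructed resolved profile the SSP imports.
RESOLVED_CONTROL_IDS = {"ac-2", "ac-3"}


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_references(ssp, known_control_ids):
    """Return problem strings; an empty list means the SSP is clean."""
    doc = ssp["system-security-plan"]
    impl = doc["system-implementation"]
    components = {c["uuid"] for c in impl.get("components", [])}
    problems = [f"component uuid {c!r} is not a valid UUID" for c in components if not _is_uuid(c)]
    for req in doc["control-implementation"]["implemented-requirements"]:
        if req["control-id"] not in known_control_ids:
            problems.append(f"{req['uuid']}: control-id {req['control-id']} not in resolved profile")
        for bc in req.get("by-components", []):
            if bc["component-uuid"] not in components:
                problems.append(f"{req['control-id']}: by-component -> unknown component {bc['component-uuid']}")
    for item in impl.get("inventory-items", []):
        for ic in item.get("implemented-components", []):
            if ic["component-uuid"] not in components:
                problems.append(f"inventory item {item['uuid']}: unknown component {ic['component-uuid']}")
    return problems
```

Fail the job when the returned list is non-empty and hand the list to the AI review step as the concrete breaks to explain.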


5. Data protection officers (DPOs)

Day-to-day work: maintain the records-of-processing register, document TOMs, run DPIAs, handle data subject requests.

Pain without mjEdit

  • Records of processing in Excel, TOMs in Word, DPIAs as PDFs – no machine-readable connection.
  • US-based cloud services: data flows have to be listed and assessed by hand.
  • Supervisory authority audit: days of preparation.

How mjEdit helps

  • Data sovereignty by design: mjEdit + AnythingLLM run locally / on-premise – no data is sent to cloud AIs.
  • No API key, no token ever leaves the machine – the AI embedding model runs locally.
  • OSCAL component definitions for processors with implementation evidence.
  • Mapping between GDPR requirements and technical/organisational measures (TOMs).
  • Markdown export for the supervisory authority with citations.

🧠 With AI + MCP + AnythingLLM – privacy-friendly

  • AnythingLLM runs on-premise – your DPA contracts, DPIAs and TOM documents stay in-house.
  • Embedding model (paraphrase-multilingual-MiniLM-L12-v2) runs locally – no token leaves the machine, no API key for third parties.
  • AI agent + MCP: “Extract the TOMs from the DPA with provider X according to GDPR Art. 32 and map them onto BSI Grundschutz measures.”

Example: “DPIA for a new HR system”

You dictate to the AI: “Create a component-definition stub for our new HR tool, extract the TOMs from the DPA document in our knowledge base and map them onto BSI Grundschutz practices relevant to GDPR Art. 32.” The AI uses AnythingLLM to extract contract clauses and calls oscal_create_component_definition, oscal_add_property (evidence-source) and oscal_create_mapping via MCP. Result: an audit-ready processing-specific SSP with citations per statement – produced entirely on-premise.


6. Contractors for BSI / KRITIS authorities

Day-to-day work: compliance evidence for German authorities, BSI IT-Grundschutz certification, KRITIS audits, on-premise requirements.

Pain without mjEdit

  • US cloud tools cannot legally be used.
  • The BSI compendium is only available as a PDF; machine processing has to be built up manually.
  • Multilingual audits (DE/EN) require duplicate maintenance.

How mjEdit helps

  • 100% on-premise: editor + AI model + RAG without cloud dependency – BSI baseline-compliant.
  • AGPL-3.0: open source and auditable.
  • Multilingual embedding model (DE/EN/FR/IT) for cross-language mapping between BSI (DE) and ISO 27001 (EN).
  • BSI IT-Grundschutz++ catalog preinstalled (2,128 controls).
  • Markdown / PDF export with German-language templates.

🧠 With AI + MCP + AnythingLLM – no cloud lock-in

  • Air-gap capable: mjEdit + AnythingLLM + a local LLM (e.g. Ollama, LM Studio) – not a single byte leaves the authority’s network.
  • MCP as an open protocol: no vendor lock-in, every AI is interchangeable.
  • AnythingLLM RAG with the BSI Grundschutz compendium as the knowledge base: the AI answers verbatim from official BSI material.
  • AI agent via MCP: “Look up the mandatory requirements for protection level ‘high’ in the compendium and add them to the current SSP.”

Example: “IT-Grundschutz certification audit”

In an air-gapped environment you dictate: “Map our security concepts against Grundschutz++ practices, justify each mapping with citations from the compendium and export a Markdown audit bundle.” The local AI uses the mapping editor with auto-suggest via MCP, AnythingLLM delivers BSI citations, and markdown_export_to_pdf (MCP) builds the bundle. Even highly classified content can be processed without data leakage risk.


7. Educators, students and researchers

Day-to-day work: learn OSCAL as a standard, build teaching material, develop compliance-related research prototypes.

Pain without mjEdit

  • The OSCAL specification is abstract; real-world examples are scarce.
  • Student projects on compliance topics struggle with missing tooling.

How mjEdit helps

  • All 8 OSCAL document types in a single tool – the entire spec made tangible.
  • Preinstalled example projects to explore.
  • AGPL-3.0: free to use in teaching and research.
  • Pydantic models as a learning base for OSCAL data modelling.
  • Plugin architecture: dock your own research tools as an mjEdit plugin.

🧠 With AI + MCP + AnythingLLM – as a teaching object

  • MCP protocol as a real-world example for lectures on AI agents and tool use.
  • AnythingLLM RAG as a reference implementation for local knowledge bases without cloud vendors.
  • 88 MCP tools open-source for inspection – a perfect starting point for research projects on AI-supported compliance.

Example: “Bachelor thesis on OSCAL-to-ISO mapping”

A student connects AnythingLLM to mjEdit’s MCP server and lets the AI generate mapping suggestions between NIST SP 800-53 and ISO 27001 via oscal_mapping_auto_suggest. The evaluation compares the three mapping methods (syntactic, semantic and functional) quantitatively. Data: preinstalled catalogs; tooling: mjEdit + MCP + local AI; analysis: Markdown export → LaTeX.


Feature overview by role

Feature ISO/CISO Auditor IT architect DevSecOps DPO KRITIS Edu
Preinstalled catalogs (BSI/NIST/C5)
Profile tailoring + resolution
SSP generation (single/batch)
Assessment Plan / Results / POA&M
Mapping tab with local AI
Inventory (hostname/IP/MAC)
Component-definition library
88 MCP tools + AnythingLLM RAG
3-level schema validation
Markdown / PDF export
Pydantic API for CI/CD
100% on-premise / no cloud lock-in

Not sure whether mjEdit fits your role?

Get in touch via the contact form – we will show you in a short demo how mjEdit fits your specific workflow.