mjEdit is not a tool for a single role but a shared OSCAL working environment for everyone who handles compliance content, from strategic governance to technical implementation. For each role this page shows the typical daily tasks, the concrete pain without mjEdit, mjEdit's answer to it and a practical example.

Three AI pillars used consistently:

  • 🧠 AI agent (Claude Desktop, Cursor, VS Code Copilot or AnythingLLM) as the natural-language front end: the person describes the task, the AI carries it out.
  • 🔌 MCP protocol (154 tools, 22 resources, 15 prompts): the bridge through which the AI operates mjEdit, creating files, changing JSON, validating and driving the GUI.
  • 📚 AnythingLLM RAG: local knowledge base for ISMS documents, the BSI compendium and operating manuals, so the AI answers from your documents instead of from half-knowledge.

For each role, the pillar that provides the greatest leverage is marked below.


1. Information Security Officer (ISB / CISO)

Daily work: Maintain ISMS documentation, implement controls, prepare audits, report to management, assess risks.

Pain without mjEdit

  • ISMS documentation scattered across Word and Excel: every change has to be made in five places.
  • A new system (e.g. a cloud migration) means rewriting the SSP from scratch.
  • Before every audit, three days are spent finding out which controls are current and which are not.
  • The BSI IT-Grundschutz Compendium is an 800-page PDF; mapping your own measures to it happens in your head.

How mjEdit helps

  • Pre-installed catalogs: BSI IT-Grundschutz++ (2,128 controls), NIST SP 800-53 (468 controls), C5 and the BSI 200-x Compendium 2023 as a starting point; nothing has to be typed in.
  • Profile tailoring with include-controls, add/alter modifications and Resolved Profile export - the scope selection is OSCAL standard and not an Excel column.
  • SSP generation directly from the resolved profile (oscal_generate_tailored_chain for 1 system, oscal_generate_batch_tailored_chain for n systems).
  • Assessment planning with EXAMINE/INTERVIEW/TEST methods per control.
  • POA&M tracking with deadlines, responsible persons, status and risk assessment.
  • Mapping tab between two frameworks (e.g. C5 ↔ ISO 27001) – Auto-suggest with local AI.
  • Markdown export for management; Cross-reference report for audits.

🧠 With AI + MCP + AnythingLLM

  • AI agent (e.g. Claude Desktop): “Create an SSP for our new cloud project based on BSI Grundschutz++ and C5.” The AI calls oscal_generate_tailored_chain via MCP and receives the resolved profile, the SSP and the AP.
  • AnythingLLM RAG: the descriptions of the implemented-requirement entries are filled with quotations from your ISMS corpus (security policies, operations manual, risk analysis); every statement carries an evidence-source property.
  • MCP prompts such as oscal_compliance_check_prompt walk you through a compliance check in a structured way, without having to remember tool names.

Example: “We are migrating to the hybrid cloud”

You tell the AI in Claude Desktop: “Clone our existing SSP to ssp-cloud.json, add the components ‘Azure App Service’ and ‘Azure SQL’, tailor the profile to include the C5 controls and create a mapping collection BSI ↔ C5 including a gap analysis.” Via MCP the AI calls file_copy, oscal_add_component (2×), oscal_profile_tailoring, oscal_create_mapping, oscal_mapping_auto_suggest and oscal_export_gap_report. Effort: one morning instead of two weeks.


2. Compliance auditors and reviewers

Daily work: Check controls, collect evidence, document findings, create reports, conduct follow-up discussions.

Pain without mjEdit

  • Findings in an Excel table, evidence in SharePoint, the action plan in Word: nothing is connected.
  • At the next recertification the previous data basis can no longer be traced.
  • Schema conformity (OSCAL, ISO, BSI) can only be checked by manual review.

How mjEdit helps

  • Assessment results directly in the editor with findings, observations and risks, all as linked OSCAL objects.
  • Linked findings: each finding knows its associated control, severity and evidence artifact.
  • Schema validation at three levels: JSON schema, OSCAL Pydantic model, semantic cross-references (UUIDs).
  • Markdown export with embedded statements for auditable reports.
  • Reverse lookup: navigate from a component to all associated controls and inventory items.
  • Diff function between two AR versions for recertification.
  • Evidence-source properties back every statement with a document reference.

🧠 With AI + MCP + AnythingLLM

  • AI agent: “Find all open findings from the last audit and prioritize them by severity.” The AI calls oscal_query and oscal_search via MCP and formats the result as a table.
  • AnythingLLM RAG: the AI compares current findings with historical audit reports in the knowledge base and highlights recurring weaknesses.
  • The MCP tools validate_oscal_document and validate_oscal_references check schema and UUID consistency; on request the AI repairs broken references itself.

Example: “Re-audit after 12 months”

You tell the AI in Cursor: “Clone ar-2025.json to ar-2026.json, find all findings with status ‘open’, search our knowledge base for the current state of the measures and update status and evidence.” The AI calls file_copy and oscal_query via MCP, queries AnythingLLM for each finding and writes the result back with oscal_update_implementation_status and oscal_add_property (evidence-source). Previously: three hours of full-text search.


3. IT architects and system administrators

Daily work: Documenting systems, maintaining network topologies, keeping inventories up to date, patch management, hardening.

Pain without mjEdit

  • IP lists in Excel, hostnames in DNS, MAC addresses in DHCP: nothing correlates with the compliance documentation.
  • For every new server: update five Excel sheets and check them for consistency.
  • Network plans as a Visio file that nobody trusts any more.

How mjEdit helps

  • Inventory items in the SSP with hostname, fqdn, ipv4/ipv6 address and mac-address as OSCAL-compliant properties.
  • Component library: software, hardware and services as reusable building blocks (component-definition).
  • CSV import/export for connecting asset management systems (CMDB, Active Directory, cloud APIs).
  • Automatic NWDiag generation from the inventory data: the diagram is the documentation, not an image next to it.
  • Reverse lookup: which controls reference this component? Which measures are affected if I shut down this server?
  • Batch updates via editor_replace and oscal_update_metadata for patch levels.
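The CSV import in the list above is the right place to show what an OSCAL-compliant inventory item looks like and why every row should be validated before it is accepted into the SSP. The following Python is an added example written for this page, not mjEdit's importer: the CSV column names, the fixed UUID namespace and the asset-type value are assumptions, and the CSV content is constructed (two good rows, one bad MAC address, one bad IP address).

```python
"""Added example: asset-management CSV export -> OSCAL inventory-item objects.
Illustrative code for this page, not mjEdit's importer. Column names, the
UUID namespace and the asset-type value are assumptions."""
import csv
import io
import ipaddress
import json
import re
import uuid

# Constructed sample export (assumed column names). Row 3 carries a bad MAC
# address and row 4 a bad IPv4 address so that the validator has work to do.
SAMPLE_CSV = """system_id,hostname,fqdn,ipv4,mac,os
SYS-0101,web01,web01.example.internal,10.20.30.11,00:1A:2B:3C:4D:01,Ubuntu 24.04
SYS-0102,web02,web02.example.internal,10.20.30.12,00:1A:2B:3C:4D:02,Ubuntu 24.04
SYS-0103,web03,web03.example.internal,10.20.30.13,00:1A:2B:3C:4D:ZZ,Ubuntu 24.04
SYS-0104,web04,web04.example.internal,10.20.30.300,00:1A:2B:3C:4D:04,Ubuntu 24.04
"""

# Assumption: a fixed namespace so the same system_id always yields the same
# inventory-item UUID. A re-import then updates items in place instead of minting
# new UUIDs that would break links from components and implemented requirements.
INVENTORY_NS = uuid.UUID("0f0c6f9e-3b1c-4f0a-9c2e-6a1d5b7e8c90")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_row(row):
    """Return the list of problems for one CSV row; an empty list means the row is accepted."""
    problems = []
    if not LABEL_RE.match(row["hostname"]):
        problems.append(f"hostname {row['hostname']!r} is not a valid label")
    if not all(LABEL_RE.match(label) for label in row["fqdn"].split(".")):
        problems.append(f"fqdn {row['fqdn']!r} is not a valid name")
    try:
        ipaddress.IPv4Address(row["ipv4"])
    except ValueError:
        problems.append(f"ipv4 {row['ipv4']!r} is not an IPv4 address")
    if not MAC_RE.match(row["mac"]):
        problems.append(f"mac {row['mac']!r} is not a MAC address")
    return problems


def row_to_inventory_item(row):
    """Build one OSCAL inventory-item using the standard OSCAL prop names."""
    return {
        "uuid": str(uuid.uuid5(INVENTORY_NS, row["system_id"])),
        "description": f"{row['hostname']} ({row['os']})",
        "props": [
            {"name": "asset-id", "value": row["system_id"]},
            {"name": "asset-type", "value": "web-server"},   # assumed for this sample
            {"name": "hostname", "value": row["hostname"]},
            {"name": "fqdn", "value": row["fqdn"]},
            {"name": "ipv4-address", "value": row["ipv4"]},
            {"name": "mac-address", "value": row["mac"].lower()},
            {"name": "os-name", "value": row["os"]},
        ],
    }


def csv_to_inventory(csv_text):
    """Parse the export; return (accepted inventory items, rejected rows with reasons)."""
    items, rejected = [], []
    # start=2: line 1 of the file is the header row
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        problems = validate_row(row)
        if problems:
            rejected.append({"line": line_no, "system_id": row["system_id"], "problems": problems})
        else:
            items.append(row_to_inventory_item(row))
    return items, rejected


if __name__ == "__main__":
    accepted, rejected = csv_to_inventory(SAMPLE_CSV)
    print(json.dumps({"inventory-items": accepted}, indent=2))
    for r in rejected:
        print(f"rejected line {r['line']} ({r['system_id']}): {'; '.join(r['problems'])}")
```

Deriving the item UUID from system_id with uuid5 is a deliberate choice: after the CMDB changes, a re-import rewrites the same inventory items rather than creating duplicates, so the component and control references that the semantic cross-reference validation checks keep resolving. Rejected rows are reported with their line number instead of being silently dropped, which is what you want in an import that feeds an auditable document.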

🧠 With AI + MCP + AnythingLLM

  • AI agent: “Here is a CSV with 8 new web servers; generate the complete OSCAL document chain per server.”
  • The MCP tool oscal_generate_batch_tailored_chain turns that one CSV into 48 schema-validated documents.
  • AnythingLLM RAG: hardening guidelines, patch management policies and network segmentation concepts from the knowledge base flow into the description fields of each component, with the source cited.
  • MCP GUI tools such as gui_show_tab display the finished NWDiag immediately in the SSP tab.

Example: “Server roll-out for 8 new web servers”

You tell the AI: “Here is the CSV with system_id, hostname, IP and OS. Generate the document chain per server and take the hardening measures from our knowledge base ‘Linux Hardening 2025’.” The AI calls oscal_generate_batch_tailored_chain via MCP, retrieves the rationale for each control from AnythingLLM and creates 48 validated OSCAL documents (8 servers × 6 documents: profile → component definition → SSP → AP → AR → POA&M).


4. DevSecOps teams and AI developers

Daily work: Security-as-Code, automated compliance pipelines, AI workflows with Claude/Cursor/Copilot, RAG integrations.

Pain without mjEdit

  • Compliance documents are not code: they cannot be validated in CI/CD.
  • AI assistants cannot operate editor tools; they can only suggest text.
  • ISMS knowledge is scattered across documents with no interface an AI can access.

How mjEdit helps

  • 154 MCP tools for programmatic OSCAL control: file, JSON, OSCAL, qFORM, Markdown, editor and GUI operations.
  • execute_steps: up to 20 tool calls in a single request, with an optional transactional rollback.
  • 22 MCP resources and 15 MCP prompts for guided workflows.
  • Direct integration with Claude Desktop (STDIO), Cursor, VS Code Copilot and AnythingLLM (SSE/HTTP).
  • AnythingLLM RAG: local knowledge base for ISMS documents; the AI calls mjEdit tools on the basis of these documents.
  • Pydantic validation of OSCAL models in CI/CD pipelines (usable from pytest).
  • JSON schema export for your own validation tools.

🧠 With AI + MCP + AnythingLLM

For DevSecOps, mjEdit is the AI control center par excellence:

  • MCP is the programmatic interface: every AI agent (Claude, Cursor, Copilot, AnythingLLM) becomes a full co-editor for OSCAL.
  • execute_steps bundles up to 20 tool calls transactionally in one request.
  • AnythingLLM delivers compliance knowledge from your own repositories over SSE/HTTP, ideal for CI/CD servers without a desktop.
  • The MCP validation tools (validate_oscal_document, validate_oscal_references) can be run headless in pipelines.

Example: “GitLab pipeline with OSCAL validation + AI review”

One pipeline stage starts mjEdit headless as an MCP server; a second job stage connects an AI agent (e.g. AnythingLLM over SSE), which calls validate_oscal_document via MCP over all *.json files and oscal_diff between the feature branch and main. Any schema violations it finds are posted as a merge request comment with concrete correction proposals, evidenced from the AnythingLLM knowledge base.
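The three validation levels named in the auditor section (JSON schema, Pydantic model, semantic cross-references over UUIDs) and the pipeline step above both come down to one question: does the job fail when an SSP is structurally incomplete, mistyped, or references a component that does not exist? The following Python is an added example written for this page, not mjEdit's validator or its Pydantic models; the subset of fields it checks, the message wording and the sample SSP (with the two components from the cloud example and two planted defects) are assumptions and constructed data. It uses only the standard library so it runs in any CI image and exits non-zero on findings.

```python
"""Added example: three-level OSCAL SSP validation for a CI job. Illustrative
code for this page, not mjEdit's validator; the checked field subset and the
sample document are assumptions."""
import json
import sys
import uuid

REQUIRED_TOP = ("uuid", "metadata", "import-profile", "system-characteristics",
                "system-implementation", "control-implementation")


def level1_structure(ssp):
    """Level 1: mandatory top-level assemblies exist (a cut-down JSON-schema check)."""
    return [f"structure: missing '{k}'" for k in REQUIRED_TOP if k not in ssp]


def level2_types(ssp):
    """Level 2: fields carry the types a typed model would enforce (stand-in for Pydantic)."""
    errors = []
    if not isinstance(ssp["metadata"].get("title"), str):
        errors.append("type: metadata.title must be a string")
    if not isinstance(ssp["import-profile"].get("href"), str):
        errors.append("type: import-profile.href must be a string")
    return errors


def level3_crossrefs(ssp):
    """Level 3: every UUID parses and is unique, every component reference resolves,
    and no control is implemented twice."""
    errors, seen = [], {}

    def check_uuid(value, where):
        try:
            uuid.UUID(str(value))
        except ValueError:
            errors.append(f"uuid: {where} has malformed uuid {value!r}")
            return
        if value in seen:
            errors.append(f"uuid: {where} reuses uuid {value} already used by {seen[value]}")
        seen.setdefault(value, where)

    check_uuid(ssp.get("uuid"), "system-security-plan")
    impl = ssp["system-implementation"]
    components = {c.get("uuid") for c in impl.get("components", [])}
    for c in impl.get("components", []):
        check_uuid(c.get("uuid"), f"component '{c.get('title')}'")
    for item in impl.get("inventory-items", []):
        where = f"inventory-item '{item.get('description')}'"
        check_uuid(item.get("uuid"), where)
        for ic in item.get("implemented-components", []):
            if ic.get("component-uuid") not in components:
                errors.append(f"ref: {where} points to unknown component {ic.get('component-uuid')}")
    controls = set()
    for req in ssp["control-implementation"].get("implemented-requirements", []):
        cid = req.get("control-id")
        check_uuid(req.get("uuid"), f"implemented-requirement {cid}")
        if cid in controls:
            errors.append(f"ref: control {cid} is implemented twice")
        controls.add(cid)
        for bc in req.get("by-components", []):
            check_uuid(bc.get("uuid"), f"by-component under {cid}")
            if bc.get("component-uuid") not in components:
                errors.append(f"ref: by-component under {cid} points to unknown component {bc.get('component-uuid')}")
    return errors


def validate_ssp(doc):
    """Run the three levels in order; return all findings (empty list = clean)."""
    ssp = doc.get("system-security-plan")
    if ssp is None:
        return ["structure: root key 'system-security-plan' missing"]
    errors = level1_structure(ssp)
    if errors:                 # later levels index into assemblies that are missing
        return errors
    return level2_types(ssp) + level3_crossrefs(ssp)


# Constructed sample. Planted defects: db01 points to a component that does not
# exist, and sc-7's by-component reuses ac-2's by-component UUID and repeats the
# dangling component reference.
APP = "a1111111-1111-4111-8111-111111111111"
SQL = "b2222222-2222-4222-8222-222222222222"
MISSING = "e5555555-5555-4555-8555-555555555555"


def sample_ssp():
    return {"system-security-plan": {
        "uuid": "8c7b9a2e-1f3d-4e5a-9b6c-2d1e3f4a5b6c",
        "metadata": {"title": "Hybrid cloud SSP"},
        "import-profile": {"href": "profile-cloud-resolved.json"},
        "system-characteristics": {"system-name": "HR portal"},
        "system-implementation": {
            "components": [{"uuid": APP, "type": "service", "title": "Azure App Service"},
                           {"uuid": SQL, "type": "service", "title": "Azure SQL"}],
            "inventory-items": [
                {"uuid": "c3333333-3333-4333-8333-333333333333", "description": "web01",
                 "implemented-components": [{"component-uuid": APP}]},
                {"uuid": "d4444444-4444-4444-8444-444444444444", "description": "db01",
                 "implemented-components": [{"component-uuid": MISSING}]}]},
        "control-implementation": {"implemented-requirements": [
            {"uuid": "f6666666-6666-4666-8666-666666666666", "control-id": "ac-2",
             "by-components": [{"uuid": "17777777-7777-4777-8777-777777777777", "component-uuid": APP}]},
            {"uuid": "28888888-8888-4888-8888-888888888888", "control-id": "sc-7",
             "by-components": [{"uuid": "17777777-7777-4777-8777-777777777777", "component-uuid": MISSING}]}]}}}


if __name__ == "__main__":
    # CI usage: validate every file given on the command line, or the sample if none.
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [sample_ssp()]
    findings = [f for d in docs for f in validate_ssp(d)]
    print("\n".join(findings) or "clean")
    sys.exit(1 if findings else 0)
```

Level 3 is the one that a generic JSON-schema check cannot give you: a by-component pointing at a UUID that exists nowhere in system-implementation is valid JSON and valid against the schema, yet the control's evidence chain is broken. Running the levels in order and stopping after a structural failure keeps the error list short and avoids misleading type errors on assemblies that are simply absent.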


5. Data protection officers (DPOs) and data protection coordinators

Daily work: maintain the record of processing activities, document TOMs, carry out DPIAs, handle data subject access requests.

Pain without mjEdit

  • Record of processing activities in Excel, TOMs in Word, DPIAs as PDF: no machine-readable connection.
  • Cloud services in the USA: data flows have to be listed and evaluated by hand.
  • Audit by the supervisory authority: days of preparation.

How mjEdit helps

  • Data sovereignty by design: mjEdit and AnythingLLM run locally/on-premise, so no data leaks to cloud AIs.
  • No API key and no token leaves the computer; the AI embedding model runs locally.
  • OSCAL component definitions for processors with proof of implementation.
  • Mapping between GDPR requirements and technical and organizational measures (TOMs).
  • Markdown export for the regulator, with sources.

🧠 With AI + MCP + AnythingLLM – data protection friendly

  • AnythingLLM runs on-premise: your data processing agreements (AVV), DPIAs and TOM documents stay in-house.
  • The embedding model (paraphrase-multilingual-MiniLM-L12-v2) runs locally; no token leaves the computer and no API key goes to third parties.
  • AI agent + MCP: “Extract the TOMs under GDPR Art. 32 from the data processing agreement with provider X and map them to BSI-Grundschutz measures.”

Example: “DPIA for a new HR system”

You tell the AI: “Create a component-definition stub for our new HR tool, extract the TOMs from the data processing agreement in our knowledge base and map them to the BSI-Grundschutz practices relevant to Art. 32.” The AI uses AnythingLLM to extract the contractual clauses and calls oscal_create_component_definition, oscal_add_property (evidence-source) and oscal_create_mapping via MCP. Result: an audit-proof SSP for the processing activity with a source for each statement, created entirely on-premise.


6. Contractors for BSI/KRITIS authorities

Daily work: proof of compliance for German authorities, BSI IT-Grundschutz certification, KRITIS audits, on-premise requirements.

Pain without mjEdit

  • US cloud tools cannot be used for legal reasons.
  • The BSI compendium exists only as PDF; machine processing has to be built by hand.
  • Bilingual audits (DE/EN) require double maintenance.

How mjEdit helps

  • 100% on-premise: editor + AI model + RAG without a cloud connection, compatible with the BSI minimum standards.
  • AGPL-3.0: open source and auditable.
  • Multilingual embedding model (DE/EN/FR/IT) for cross-language mapping between BSI (DE) and ISO 27001 (EN).
  • BSI IT-Grundschutz++ catalog pre-installed (2,128 controls).
  • Markdown/PDF export with German-language templates.

🧠 With AI + MCP + AnythingLLM – without cloud requirements

  • Completely air-gapped: mjEdit + AnythingLLM + a local LLM (e.g. Ollama, LM Studio); not a single byte leaves the authority's infrastructure.
  • MCP as an open protocol: no vendor lock-in, any AI can be swapped in.
  • AnythingLLM RAG with the BSI IT-Grundschutz Compendium as knowledge base: the AI answers with exact quotations from the official BSI material.
  • AI agent via MCP: “Query the compendium for the mandatory requirements for protection level ‘high’ and add them to the current SSP.”

Example: “IT-Grundschutz certification audit”

You dictate in an air-gapped network: “Map our security concepts against the Grundschutz++ practices, justify each mapping with sources from the compendium and export a Markdown audit bundle.” The local AI uses the mapping editor with auto-suggest via MCP, AnythingLLM supplies citable BSI sources and the MCP tool markdown_export_to_pdf creates the bundle. Even highly sensitive classified content can be processed without any data leaving the network.


7. Trainers, students and researchers

Daily work: Getting to know OSCAL as a standard, creating teaching materials, building compliance-related research prototypes.

Pain without mjEdit

  • The OSCAL specification is abstract; examples in the wild are rare.
  • Student projects on compliance topics fail for lack of tooling.

How mjEdit helps

  • 8 OSCAL document types in one tool: the entire specification at your fingertips.
  • Pre-installed sample projects to explore.
  • AGPL-3.0: free to use in teaching and research.
  • Pydantic models as a learning basis for OSCAL data modeling.
  • Plugin architecture: dock your own research tools on as an mjEdit plugin.

🧠 With AI + MCP + AnythingLLM – as a teaching object

  • The MCP protocol as a real use case for lectures on AI agents and tool use.
  • AnythingLLM RAG as an example of a local knowledge base, without a cloud vendor.
  • The 154 MCP tools are open source and can be read: an ideal study basis for research on AI-supported compliance.

Example: “Bachelor’s thesis on OSCAL-to-ISO mapping”

A student connects AnythingLLM to the mjEdit MCP server and has the AI generate mapping suggestions between NIST SP 800-53 and ISO 27001 via oscal_mapping_auto_suggest. In the evaluation she quantitatively compares the three suggestion methods: syntactic, semantic and functional. Data basis: the pre-installed catalogs; tool: mjEdit + MCP + local AI; evaluation: Markdown export → LaTeX.
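The mapping auto-suggest mentioned for the ISB (C5 ↔ ISO 27001) and in the thesis example above names a "syntactic" method without showing what one looks like or how it would be evaluated. The following Python is an added example written for this page, not mjEdit's oscal_mapping_auto_suggest: it scores control pairs by token overlap (Jaccard similarity), emits suggestions shaped like mapping entries, and measures precision@1 against a hand-made gold mapping, which is the kind of baseline the semantic and functional methods would be compared against. The two mini catalogs are constructed paraphrases for illustration, not the NIST or ISO catalog text, and the gold mapping is likewise constructed.

```python
"""Added example: syntactic (token-overlap) mapping suggestions between two
control catalogs plus a precision@1 evaluation. Illustrative code for this
page, not mjEdit's auto-suggest. Catalog texts and gold mapping are constructed."""
import re

# Constructed paraphrases of three controls per framework (not the catalog text).
SOURCE = {
    "ac-2": "Account management: create, enable, modify, disable and remove user accounts; review accounts for compliance.",
    "au-2": "Event logging: identify the events the system is capable of logging and log them with timestamps.",
    "sc-8": "Transmission confidentiality and integrity: protect the confidentiality and integrity of transmitted information using encryption.",
}
TARGET = {
    "A.5.16": "Identity management: the full life cycle of user identities and accounts shall be managed, including creation, modification and removal.",
    "A.8.15": "Logging: logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.",
    "A.8.24": "Use of cryptography: rules for the effective use of cryptography, including encryption key management, shall be defined and implemented to protect information.",
}
STOPWORDS = {"the", "and", "for", "with", "shall", "that", "other", "using", "including", "them"}
GOLD = {"ac-2": "A.5.16", "au-2": "A.8.15", "sc-8": "A.8.24"}   # constructed reference mapping


def tokens(text):
    """Lower-case word tokens of three or more letters, stop words dropped, trailing 's'
    stripped as a crude stem so that 'accounts' and 'account' count as one token."""
    words = re.findall(r"[a-z]{3,}", text.lower())
    return {w[:-1] if w.endswith("s") and len(w) > 3 else w for w in words if w not in STOPWORDS}


def jaccard(a, b):
    """Overlap of two token sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def suggest_mappings(source, target, threshold=0.1, top_k=3):
    """For every source control, return the target controls whose statement overlaps at
    least `threshold`, best first. Each entry mirrors a mapping record: source, target,
    score, method. The relationship (equivalent, subset, ...) is left to the reviewer."""
    src_tok = {cid: tokens(t) for cid, t in source.items()}
    dst_tok = {cid: tokens(t) for cid, t in target.items()}
    result = {}
    for s in source:
        scored = [(d, round(jaccard(src_tok[s], dst_tok[d]), 3)) for d in target]
        scored = [(d, sc) for d, sc in scored if sc >= threshold]
        scored.sort(key=lambda x: (-x[1], x[0]))
        result[s] = [{"source": s, "target": d, "score": sc, "method": "syntactic"}
                     for d, sc in scored[:top_k]]
    return result


def precision_at_1(suggestions, gold):
    """Share of gold source controls whose top suggestion is the gold target."""
    hits = sum(1 for s, t in gold.items()
               if suggestions.get(s) and suggestions[s][0]["target"] == t)
    return hits / len(gold)


if __name__ == "__main__":
    sugg = suggest_mappings(SOURCE, TARGET)
    for s, entries in sugg.items():
        print(s, "->", ", ".join(f"{e['target']} ({e['score']})" for e in entries) or "no suggestion")
    print("precision@1:", precision_at_1(sugg, GOLD))
```

On these constructed statements the syntactic method scores a perfect precision@1, which is exactly the weakness a thesis should expose: it only works where the two frameworks happen to share vocabulary ("account", "logging", "encryption"). A pair such as a BSI requirement written in German against an ISO control in English scores zero here no matter how well they correspond, which is where the multilingual embedding (semantic) and the functional methods earn their place in the comparison.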


Table overview: Which functions for which role?

Roles (columns): ISB/CISO, Auditor, IT architect, DevSecOps, DPO, KRITIS, Teaching

Functions (rows):

  • Pre-installed catalogs (BSI/NIST/C5)
  • Profile tailoring + resolution
  • SSP generation (single/batch)
  • Assessment plan / results / POA&M
  • Mapping tab with local AI
  • Inventory (hostname/IP/MAC)
  • Component-definition library
  • 154 MCP tools + AnythingLLM RAG
  • Three-level schema validation
  • Markdown/PDF export
  • Pydantic API for CI/CD
  • 100% on-premise / no cloud requirement

Are you unsure whether mjEdit is a good fit for your role?

Write to us via the contact form and we will show you in a short demo how mjEdit fits your specific workflow.