From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure

arXiv:2607.08288v1 Announce Type: cross Abstract: In critical infrastructure, operational technology environments often cannot be actively scanned, and yet active system feedback is needed for risk assessment and compliance. This paper presents a non-invasive, MCP-grounded multi-agent pipeline that converts natural-language system descriptions into source-verified knowledge graph and audit-ready artifacts in the NIST OSCAL format for continuous automated compliance management. The architecture decouples LLM-based reasoning from deterministic knowledge retrieval against authoritative threat-int
The increasing complexity of critical infrastructure, coupled with the rapid advancements in AI agents, is driving the need for automated and threat-informed compliance solutions.
This development offers a method to enhance cybersecurity and regulatory adherence in vital sectors without disrupting sensitive operational technology environments, mitigating significant national security and economic risks.
The process of auditing and maintaining compliance in critical infrastructure can become significantly more automated, continuous, and integrated with threat intelligence, moving away from manual, intermittent assessments.
- · Critical infrastructure operators
- · Cybersecurity firms
- · AI/ML developers
- · Government regulators
- · Legacy compliance consultancies
- · Manual audit providers
Critical infrastructure will see improved security posture and reduced compliance costs through automated processes.
The adoption of such systems could lead to new regulatory frameworks that mandate continuous, AI-driven compliance checks.
This could establish a new standard for 'secure by design' in OT environments, influencing international cybersecurity norms and competitive advantage for nations adopting these practices.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.AI