NSA Releases MCP Security Design Considerations for AI-Driven Automation

AI relevance: The NSA's Artificial Intelligence Security Center published the first government-level security design guide specifically for Model Context Protocol deployments, addressing risks that enterprises face when connecting AI agents to MCP servers for tool access, data retrieval, and automated workflows.

Key details

• Document: Cybersecurity Information Sheet (CSI), identifier U/OO/6030316-26 (PP-26-1834), 17 pages, public release. Published May 20, 2026 by NSA AISC.
• Scope: Security design considerations for AI-driven automation leveraging MCP, aimed at organizations deploying agentic systems in production environments.
• Nine recommendations covering the full MCP deployment lifecycle, from authentication and authorization to runtime monitoring and incident response.
• Egress filtering: The CSI explicitly recommends a "filtering outgoing proxy" or enterprise DLP for external MCP connections, with resource URLs and access methods pinned to reduce unintended data leakage.
• Tool-poisoning awareness: Guidance covers tool name collision and drift detection — directly addressing the lookalike tool replacement attacks documented across the MCP ecosystem this year.
• Indirect prompt injection: The guide calls for detection of indirect prompt injection and toolchain pivot attempts within MCP traffic flows.
• MCP message signing: Recommends signing MCP messages with expiration timestamps and replay protection — a protocol-level control the MCP spec currently lacks.
• Sandboxing: Advises constraining and sandboxing tool execution, with OS-specific containment (Linux seccomp, Landlock, network namespaces called out).
• Local network scanning: Recommends scanning local networks for open MCP listeners — a reconnaissance gap many enterprise deployments have not addressed.
• Maturity assessment: The NSA acknowledges that MCP-aware security proxies "remain limited and are still maturing," an unusually frank admission from a government security body about the gap between deployment speed and security tooling.

Why it matters

This is the first authoritative security guide targeting the MCP protocol at scale. With over 200,000 vulnerable MCP instances identified by OX Security's April 2026 research, the NSA's intervention signals that MCP security gaps are no longer a theoretical concern but an operational risk for government and enterprise deployments. The explicit recommendation for MCP-aware egress filtering creates a new category of security controls that the current market is only beginning to fill.

What to do

• Read the full CSI (PDF linked below) if your organization runs MCP servers or connects agents to third-party MCP tool endpoints.
• Map your current MCP deployment against the nine recommendations — prioritize egress filtering, tool name pinning, and message signing.
• Deploy network-level controls to block raw MCP egress that bypasses proxy inspection (NetworkPolicy, container network rules).
• Scan your local network for unregistered MCP listeners — the NSA considers this a baseline hygiene step.
• Evaluate MCP-aware security proxies (agent firewalls, MCP gateways) for production deployments handling sensitive data.

Sources

• NSA Press Release — MCP Security Design Considerations
• PipeLab analysis of NSA MCP guidance and agent firewalls
• CSA research note on MCP security crisis (May 2026)