NSA Issues MCP Security Guidance for AI Agent Protocol
AI relevance: The Model Context Protocol is now the de facto standard for connecting AI assistants to business tools and code repositories, and the NSA's new guidance is the first official US national security warning specifically targeting MCP's security gaps in enterprise deployments.
What happened
- The NSA's Artificial Intelligence Security Center published a Cybersecurity Information Sheet warning that MCP adoption has "outpaced the protocol's security model."
- The guidance targets weak access controls, open-ended serialization, poor approval workflows, token lifecycle gaps, misconfigurations, inconsistent implementation behavior, limited audit logging, and denial-of-service patterns.
- MCP reverses a familiar interaction pattern by allowing servers to query or execute actions for connected clients, creating attack paths that are harder to trace.
- The MCP specification itself acknowledges that the protocol "cannot enforce consent, privacy and tool-safety principles at the protocol level" — leaving these decisions entirely to hosts, clients, and servers.
- Authorization is optional under the MCP spec, meaning security posture remains uneven and implementation-dependent across the ecosystem.
- Real-world abuse has already been demonstrated: Invariant Labs showed a GitHub MCP scenario where a malicious public issue could steer an agent into leaking private repo data via a public PR.
- The same researchers demonstrated a WhatsApp MCP attack where a malicious MCP server manipulated tool descriptions and exfiltrated message history from a trusted WhatsApp MCP server running alongside it.
- CVE-2025-49596 (CVSS 9.4), a flaw in MCP Inspector disclosed in June 2025, allowed remote code execution because authentication was missing between the Inspector client and its proxy.
- The NSA recommends: code-audit MCP servers, define trust boundaries, validate parameters, sandbox tool execution, sign and verify messages, filter chained outputs, log all tool and model invocations, and scan networks for unauthorized MCP servers.
- Google Cloud's remote MCP servers now include IAM controls, fine-grained authorization, audit logging, and Model Armor for prompt injection and tool poisoning mitigation.
Why it matters
MCP has been adopted across ChatGPT, Cursor, Gemini, Microsoft Copilot, and Visual Studio Code. The protocol's design pushes all security burden to implementation, and authorization is optional. Every organization connecting AI agents to internal tools via MCP is effectively building its own access-control layer from scratch — without a safety net at the protocol level.
What to do
- Inventory all MCP servers in your environment — agents create connections that bypass traditional SaaS discovery tools.
- Apply code audits to every MCP server before connecting it to production agents.
- Enable logging for all tool and model invocations; without it, you cannot trace what an agent did through MCP.
- Sandbox tool execution and validate all serialized parameters crossing trust boundaries.
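The NSA recommendations listed under "What happened" (validate parameters, log all tool and model invocations, define trust boundaries) and the checklist above can be turned into a small enforcement layer on the host side, in front of whatever actually executes a tool. The Python below is an added illustration written for this summary; it is not code from the NSA guidance, the MCP specification, or any MCP SDK. It assumes a host that has already fetched tool definitions from a server's tools/list response and that supplies a run callback for the real execution; the APPROVED_TOOLS entry is a constructed sample. It pins each reviewed tool definition by hash so a later change to a description or schema (the tool-poisoning pattern in the WhatsApp case) is caught before the call proceeds, rejects undeclared or mistyped parameters instead of passing open-ended input through, and records an audit entry for every allow or deny decision.

```python
"""Host-side guard for MCP tool calls: pin approved tool definitions,
validate parameters against the declared schema, audit every decision.
Hypothetical helper code; it does not depend on the MCP SDK."""
import hashlib
import json
import time
from typing import Any, Callable

# Constructed sample: a tool definition as an operator reviewed and approved it.
APPROVED_TOOLS: dict[str, dict[str, Any]] = {
    "read_file": {
        "description": "Read a file from the project workspace.",
        "inputSchema": {
            "type": "object",
            "properties": {"path": {"type": "string"}},
            "required": ["path"],
        },
    }
}

# JSON-schema primitive types mapped to the Python types we accept.
_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "object": dict, "array": list}


def fingerprint(tool: dict[str, Any]) -> str:
    """Stable SHA-256 over the canonical JSON of a tool definition."""
    canon = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def pin_tools(tools: dict[str, dict]) -> dict[str, str]:
    """Record a fingerprint for every tool the operator has reviewed."""
    return {name: fingerprint(t) for name, t in tools.items()}


def check_drift(pins: dict[str, str], listed: dict[str, dict]) -> list[str]:
    """Report tools that are new or whose definition changed since approval.
    A description or schema that changes after review is the pattern used
    to poison an agent's view of its tools."""
    problems = []
    for name, tool in listed.items():
        if name not in pins:
            problems.append(f"unpinned tool: {name}")
        elif pins[name] != fingerprint(tool):
            problems.append(f"definition drift: {name}")
    return problems


def validate_args(schema: dict, args: dict) -> list[str]:
    """Minimal schema check: required keys present, declared types match,
    and no undeclared keys (refuse open-ended input)."""
    errors = []
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            errors.append(f"missing required: {key}")
    for key, value in args.items():
        if key not in props:
            errors.append(f"undeclared parameter: {key}")
            continue
        expected = _TYPES.get(props[key].get("type"))
        if expected is None:
            continue
        # bool is a subclass of int in Python; do not let True pass as an integer
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"wrong type for {key}")
    return errors


class GuardedInvoker:
    """Gate every tool call behind the pin check and schema validation."""

    def __init__(self, approved: dict[str, dict]):
        self.approved = approved
        self.pins = pin_tools(approved)
        self.audit: list[dict] = []  # in production: an append-only log sink

    def invoke(self, listed: dict[str, dict], name: str, args: dict,
               run: Callable[[dict], Any]) -> dict:
        record = {"ts": time.time(), "tool": name, "args": args, "decision": "deny"}
        # Any drifted tool in the listing blocks the call: a poisoned description
        # on one tool can steer the agent's use of another (the WhatsApp case).
        reasons = check_drift(self.pins, listed)
        if name not in self.approved:
            reasons.append(f"tool not approved: {name}")
        else:
            reasons += validate_args(self.approved[name]["inputSchema"], args)
        if reasons:
            record["reasons"] = reasons
            self.audit.append(record)
            return {"ok": False, "reasons": reasons}
        record["decision"] = "allow"
        result = run(args)
        record["result_len"] = len(str(result))  # size only; payload stays out of the log
        self.audit.append(record)
        return {"ok": True, "result": result}


if __name__ == "__main__":
    guard = GuardedInvoker(APPROVED_TOOLS)
    listing = {"read_file": APPROVED_TOOLS["read_file"]}
    print(guard.invoke(listing, "read_file", {"path": "README.md"},
                       lambda a: "contents of " + a["path"]))
    print(guard.invoke(listing, "read_file", {"path": "x", "recursive": True}, lambda a: ""))
    print(json.dumps(guard.audit, indent=1))
```

Pinning happens once, at the point where a human approves the server; after that the host compares every tools/list result against the pins, so a server that changes a description after approval is denied rather than silently trusted. The audit record keeps the arguments and the result size, not the result body, so the log itself does not become a copy of whatever the tool read.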