NSA warns on Model Context Protocol

- The U.S. National Security Agency on May 20 released a cybersecurity sheet warning that Model Context Protocol deployments need stronger safeguards as adoption spreads.
- The NSA’s AI Security Center said MCP’s “rapid proliferation has outpaced the development of its security model,” citing serialization, trust boundaries and agent misuse.
- The guidance is posted on NSA cybersecurity pages and follows an April 30 joint advisory on agentic AI services.

The National Security Agency on May 20 released a cybersecurity information sheet warning that organizations deploying Model Context Protocol, or MCP, should treat it as a new security boundary rather than a routine integration layer. The guidance came from the NSA’s Artificial Intelligence Security Center and was framed for AI-driven automation systems already using MCP in production as well as experimental settings. The agency said MCP is now used across business, finance, legal and software development workflows, including in systems that can touch sensitive data. ExecutiveGov reported the release on May 21 as federal and commercial users expand adoption.

MCP is an application-level protocol used to manage interactions between AI-enabled services. The NSA said the protocol has become a “de facto standard” for communication across a growing ecosystem of AI-driven services, with uses that include model evaluation, enrichment, pre-processing and task automation. The MCP project’s own 2026 roadmap, published March 9, said production deployments had moved beyond early local-tool experiments and were surfacing enterprise-scale needs around governance and transport. (nsa.gov)

### Why did the NSA single out MCP now?

The NSA said real-world adoption of MCP has accelerated faster than its security model has matured. In its press release, the agency said gaps in MCP design, implementation and operational posture had created “significant and evolving security concerns,” including serialization risks, trust boundaries and agent misuse. It added that traditional controls such as authentication, authorization and input validation remain necessary but do not fully address the risks created by dynamic tool invocation, implicit trust relationships and context sharing in agentic systems. (nsa.gov)

May 20 was also not the agency’s first AI warning this spring. On April 30, the NSA joined CISA, the U.K. National Cyber Security Centre, Canada’s Cyber Centre, New Zealand’s NCSC and Australia’s ACSC in issuing separate guidance on “Careful Adoption of Agentic AI Services,” citing privilege, behavior, structural and accountability risks. (nsa.gov)

### What risks does the advisory describe in practice?

The NSA said MCP can invert a familiar computing pattern by having servers query or execute actions for connected clients rather than simply respond to requests. That design, the agency said, creates new attack paths that are not yet well traced. The information sheet said some implementations allow malicious actor-controlled inputs to reach execution environments without adequate constraints, creating vulnerabilities that can rise to arbitrary code execution. (nsa.gov)

Public labs and security researchers have already published vulnerable MCP server implementations to show how weak deployments can be exploited, according to the NSA document. The agency said those examples showed the risks were demonstrable rather than hypothetical.

### What is the NSA telling adopters to do differently?

The NSA said organizations should secure MCP systems as a continuum rather than trying to patch isolated endpoints. (nsa.gov) The press release said “misaligned assumptions or subtle inconsistencies at any stage can propagate and compound into exploitable conditions,” and the information sheet called for secure-by-default behavior through implementation rigor, proper coding practices, clearer protocol specifications and robust validation tools.

The agency did not present the document as a one-off warning. The press release said continued work among implementers, security researchers and standards organizations would be needed to build “more robust and trustworthy foundations” for AI infrastructure, especially in national security and other high-assurance environments. (nsa.gov)

### Who is the guidance aimed at?

The NSA said the document was written for organizations adopting MCP in “high-stakes or production environments.” The agency’s examples of current MCP use included products such as AutoGen Studio, Harvey AI, Agentverse and Copilot, and sectors including finance, legal and software development. ExecutiveGov’s May 21 report said the warning was directed at federal and commercial MCP adopters. (nsa.gov)

The NSA’s cybersecurity guidance page now lists the MCP document among its latest advisories. The full information sheet, dated May 2026, is posted through the agency’s cybersecurity publications, and the earlier April 30 agentic AI guidance remains available through the same press archive. (nsa.gov 1) (nsa.gov 2)
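The sheet, as summarized above, says input validation and constrained execution remain necessary for dynamic tool invocation even though they are not sufficient on their own, and that weak implementations let model-supplied inputs reach execution environments without adequate constraints. The following is an added example, not code from the NSA document, ExecutiveGov or any MCP project: a minimal server-side tool-call boundary in Python that refuses anything not explicitly registered, checks each argument against a per-tool schema before dispatch, and confines a file-reading tool to a sandbox root. The tool names, the sandbox path and the ticket table are constructed for the example.

```python
"""Added example (not from the NSA sheet or any MCP implementation): a minimal
tool-call boundary that an MCP-style server enforces before model-supplied
arguments reach a handler. Tool names, sandbox root and data are constructed."""
import json
from pathlib import Path
from typing import Any, Callable, Dict, Tuple

# Constructed sandbox root for the read_file tool; a real server makes this configurable.
SANDBOX_ROOT = Path("/srv/mcp-sandbox").resolve()

# Constructed records standing in for a backend the lookup tool fronts.
TICKETS = {42: {"id": 42, "status": "open"}, 43: {"id": 43, "status": "closed"}}


class ToolRejected(Exception):
    """Raised by a handler that refuses an argument after schema validation passed."""


# tool name -> (argument schema, handler). Only registered tools can ever be invoked.
TOOL_REGISTRY: Dict[str, Tuple[Dict[str, type], Callable[..., Any]]] = {}


def register_tool(name: str, schema: Dict[str, type]):
    """Register a handler under an explicit name with its exact argument schema."""
    def decorator(fn):
        TOOL_REGISTRY[name] = (schema, fn)
        return fn
    return decorator


@register_tool("lookup_ticket", {"ticket_id": int})
def lookup_ticket(ticket_id: int) -> dict:
    if ticket_id not in TICKETS:
        raise ToolRejected(f"no such ticket {ticket_id}")
    return TICKETS[ticket_id]


@register_tool("read_file", {"path": str})
def read_file(path: str) -> str:
    """Resolve a model-supplied path and confine it to SANDBOX_ROOT.
    Returns the resolved path rather than file contents so the example runs
    without touching the filesystem; a real handler would open `target`."""
    if "\x00" in path:
        raise ToolRejected("path contains NUL")
    # An absolute input replaces the root when joined, so the containment check
    # below is what actually enforces the boundary, not the join itself.
    target = (SANDBOX_ROOT / path).resolve()
    if target != SANDBOX_ROOT and SANDBOX_ROOT not in target.parents:
        raise ToolRejected(f"path escapes sandbox: {path!r}")
    return str(target)


def _error(msg: str) -> dict:
    return {"ok": False, "error": msg}


def dispatch(raw_request: str) -> dict:
    """Validate one JSON-RPC-style `tools/call` request and run it.
    Every failure is reported as {"ok": False, "error": ...}; a handler runs only
    when the tool is registered and the arguments match its schema exactly."""
    try:
        request = json.loads(raw_request)
    except json.JSONDecodeError as exc:
        return _error(f"malformed JSON: {exc.msg}")
    if not isinstance(request, dict) or request.get("method") != "tools/call":
        return _error("unsupported method")
    params = request.get("params")
    if not isinstance(params, dict):
        return _error("params must be an object")
    name = params.get("name")
    if not isinstance(name, str) or name not in TOOL_REGISTRY:
        return _error(f"unknown tool {name!r}")
    schema, handler = TOOL_REGISTRY[name]
    args = params.get("arguments", {})
    if not isinstance(args, dict):
        return _error("arguments must be an object")
    # Exact key match: no missing arguments and no extras smuggled past the schema.
    if set(args) != set(schema):
        return _error(f"arguments for {name} must be exactly {sorted(schema)}")
    for key, expected in schema.items():
        value = args[key]
        # bool is a subclass of int in Python; an int field should not accept true/false.
        if expected is int and isinstance(value, bool):
            return _error(f"argument {key!r} must be int")
        if not isinstance(value, expected):
            return _error(f"argument {key!r} must be {expected.__name__}")
    try:
        return {"ok": True, "result": handler(**args)}
    except ToolRejected as exc:
        return _error(str(exc))


if __name__ == "__main__":
    for req in (
        '{"method": "tools/call", "params": {"name": "lookup_ticket", "arguments": {"ticket_id": 42}}}',
        '{"method": "tools/call", "params": {"name": "read_file", "arguments": {"path": "../../etc/passwd"}}}',
        '{"method": "tools/call", "params": {"name": "delete_repo", "arguments": {}}}',
    ):
        print(dispatch(req))
```

The boundary is deliberately narrow: it settles which tools exist, what shape their arguments take and what a handler is allowed to touch. It does not authenticate the caller, rate-limit, log the call for later review, or defend against instructions hidden in tool outputs that flow back into the model's context, which is the "context sharing" concern the sheet raises separately; those controls sit at other points of the continuum the NSA describes.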
