{"slug": "the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi", "title": "The NSA just published an MCP security playbook. Here's the IETF spec, the OpenAPI extension, and the OWASP guidance that already implement it.", "summary": "In May 2026, the U.S. National Security Agency (NSA) published a 15-page cybersecurity notice outlining minimum security requirements for production deployments of the Model Context Protocol (MCP), including cryptographic payload signing, replay protection, verifiable agent identity, and tamper-evident audit logging. The article notes that all four of these requirements are already addressed by existing open standards and implementations that predate the NSA's guidance, such as the MCPS cryptographic signing layer (IETF draft), the ATTP trust transport protocol, the AgentPass identity and RBAC system, and the x-agent-trust OpenAPI extension.", "body_md": "In May 2026 the United States National Security Agency published a Cybersecurity Information notice titled Model Context Protocol (MCP): Security Design Considerations\nfor AI-Driven Automation (document ID U/OO/6030316-26 / PP-26-1834). It is fifteen pages on what the NSA considers the minimum security baseline for any production MCP\ndeployment.\nIf you are building anything on MCP, server, client, gateway, orchestrator, framework, or agent runtime, read it. Then read this, because the standards work the NSA\ndescribes already exists, and you can integrate it today.\nWhat the NSA called out\nFour operational requirements run through the document.\nQuoting the NSA directly (page 12): \"the standard can be extended with cryptographic signatures directly within the JSON payload ... MCP messages should include\nexpiration timestamps and replay protection metadata ... cryptographically bind requests to time and context to prevent tampering, intentional replay techniques, and\nunintended re-execution.\"\nTranslation: TLS is not enough. 
The MCP payload itself needs an envelope with a signature, a nonce, a timestamp, and a freshness window.\nPage 4: MCP \"lacks support for exchanging Role Based Access Control permissions at instantiation.\" Bearer tokens can be lifted, replayed, and impersonated. Agents need\nverifiable cryptographic identity, bound to scope, trust level, and issuer.\nPage 12 to 13: log every tool invocation, every parameter, every result, with cryptographic hashes, so an XDR or SIEM can reconstruct exactly what happened and prove it\nhas not been altered.\nPage 13: build a vulnerability-monitoring process around your MCP package surface, the same as you would for any other production dependency.\nWhat already exists, today\nHere is the awkward bit, depending on where you sit: every single one of these four requirements has an open specification, a reference implementation, and at least one\nproduction integration. They predate the NSA notice.\nMCPS, the cryptographic signing layer for MCP\ndraft-sharif-mcps-secure-mcp on the IETF Datatracker since March 2026. Four primitives:\nThe wire format is JSON-on-the-wire, signing-string-canonical, and stays inside the MCP message body. No transport changes, no protocol fork.\nATTP, agent-trust transport above MCPS\ndraft-sharif-attp, live since 1 May 2026. Where MCPS does message-level signing for MCP, ATTP defines a protocol-agnostic trust transport above it: five hierarchical\ntrust levels (L0 to L4), action-limit enforcement, compliance gating, and tamper-evident audit. 
It maps onto MCP, REST, Google A2A, gRPC, and GraphQL.\nLive demo with real ECDSA P-256 in the browser, including tamper and strip-ATTP buttons:\n👉 https://attp.cybersecai.co.uk\nAgentPass, the identity / RBAC layer the NSA describes\nL0 to L4 trust grades, OFAC and HMT sanctions screening (75,784 entries baked in), graduated spend limits, hash-chained audit trails, agent-to-agent payment\nauthorisation, optional Mastercard risk integration.\nThe Go SDK (agentpass-go) verifies agent identity certificates with zero network calls. Pure local crypto, standard library only, no CGo. Trust anchors load like TLS\nroot CAs.\nx-agent-trust, agent trust as a first-class OpenAPI declaration\nMerged into the official OpenAPI Initiative Extension Registry on 11 April 2026, approved by Henry Andrews and Mike Kistler (Microsoft):\n👉 https://spec.openapis.org/registry/extension/x-agent-trust.html\ncomponents:\n  securitySchemes:\n    AgentTrust:\n      type: apiKey\n      description: Uses agent trust information in lieu of a traditional API key. Requires the x-agent-trust extension.\n      in: header\n      name: Agent-Signature\n      x-agent-trust:\n        algorithm: ES256\n        trustLevels: [L0, L1, L2, L3, L4]\n        issuerKeysUrl: /.well-known/agent-trust-keys\nsecurity:\n  - AgentTrust: [L3]\nAny OpenAPI-described service can now declare which agent trust level is required to call which operation. Tooling that understands the extension can verify the\nAgent-Signature header before the request even reaches application code.\nOWASP MCP Security Cheat Sheet, Section 7\nSection 7, Message-Level Integrity and Replay Protection contributed via PR #2065, merged 26 March 2026. The cheat sheet now documents the patterns the NSA later\ndescribed, including signing JSON-RPC messages with asymmetric keys, including nonces and timestamps, and pinning tool definitions using hashes.\nOWASP AISVS 1.0, Chapter C10\nAn entire chapter on MCP Security, with verifiable requirements at L1 to L3. 
Two requirements map directly to the MCPS spec:\nCVE-2026-39313, and five more on the clock\nCVE-2026-39313. Unbounded-memory-allocation vulnerability in mcp-framework (CWE-770, High), assigned and published 16 April 2026.\nFive further CVE submissions, across ~57M weekly downloads of MCP packages (including the official MCP TypeScript and Python SDKs), are under a coordinated-disclosure clock.\nThis is the NSA's recommendation #4 in action. The package surface is being audited, and the gaps are being closed.\nIn production, today\nmoov-io / watchman (Apache 2.0, ~460 stars). Sanctions screening used by SEC-registered transfer agents and BaaS platforms. MCPS and AgentPass are merged into main. The production deployment guide ships an AgentPass configuration block:\nAgentPass:\n  TrustAnchorPath: /etc/watchman/agentpass-ca.pem\n  MinTrustLevel: 2\n  RequiredScopes:\n    - sanctions:search\n👉 https://github.com/moov-io/watchman/blob/master/docs/mcp.md\nCisco AI Defense. Cisco's commercial agent-security product ships our MCPS protocol as part of its agent-defence stack.\n👉 https://www.cisco.com/site/us/en/products/security/ai-defense/index.html\nKong API Gateway. A plugin that turns every API behind Kong into an MCPS-signed endpoint with zero developer effort. Available to design partners under NDA.\nAEBA-XDR, runtime behaviour analysis for every agent. Anomaly detection in milliseconds. Eight behavioural dimensions, every agent cryptographically identified,\nhash-chained tamper-evident audit, native forwarders for major XDR and SIEM platforms via CEF, LEEF and syslog RFC 5424. Free evaluation tier for up to three agents.\n👉 https://aeba.co.uk\nWhat to do this week\nIf you ship MCP in production:\nThe standard exists. The reference code exists. The integrations exist. The CVE feed exists.\nThe protocol can be secured. 
Now there is no reason not to.\nRaza Sharif (FBCS, CISSP, CSSLP)\nFounder, CyberSecAI Ltd", "url": "https://wpnews.pro/news/the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi", "canonical_source": "https://dev.to/razashariff/the-nsa-just-published-an-mcp-security-playbook-heres-the-ietf-spec-the-openapi-extension-and-28pa", "published_at": "2026-05-23 18:26:54+00:00", "updated_at": "2026-05-23 18:31:28.009062+00:00", "lang": "en", "topics": ["cybersecurity", "artificial-intelligence", "large-language-models", "policy-regulation", "enterprise-software"], "entities": ["National Security Agency", "Model Context Protocol", "NSA", "IETF", "OpenAPI", "OWASP", "XDR", "SI"], "alternates": {"html": "https://wpnews.pro/news/the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi", "markdown": "https://wpnews.pro/news/the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi.md", "text": "https://wpnews.pro/news/the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi.txt", "jsonld": "https://wpnews.pro/news/the-nsa-just-published-an-mcp-security-playbook-here-s-the-ietf-spec-the-openapi.jsonld"}}