The NSA just published an MCP security playbook. Here's the IETF spec, the OpenAPI extension, and the OWASP guidance that already implement it.

In May 2026, the U.S. National Security Agency (NSA) published a 15-page cybersecurity notice outlining minimum security requirements for production deployments of the Model Context Protocol (MCP), including cryptographic payload signing, replay protection, verifiable agent identity, and tamper-evident audit logging. All four of these requirements are already addressed by open standards and implementations that predate the NSA's guidance: the MCPS cryptographic signing layer (IETF draft), the ATTP trust transport protocol, the AgentPass identity and RBAC system, and the x-agent-trust OpenAPI extension.

In May 2026 the United States National Security Agency published a Cybersecurity Information notice titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation" (document ID U/OO/6030316-26 / PP-26-1834). It is fifteen pages on what the NSA considers the minimum security baseline for any production MCP deployment. If you are building anything on MCP (server, client, gateway, orchestrator, framework, or agent runtime), read it. Then read this, because the standards work the NSA describes already exists, and you can integrate it today.

What the NSA called out

Four operational requirements run through the document.

Quoting the NSA directly (page 12): "the standard can be extended with cryptographic signatures directly within the JSON payload ... MCP messages should include expiration timestamps and replay protection metadata ... cryptographically bind requests to time and context to prevent tampering, intentional replay techniques, and unintended re-execution."

Translation: TLS is not enough. TLS protects the hop, not the message; once a payload sits in a gateway, a queue or a log it can be modified or re-submitted without breaking anything TLS checks. The MCP payload itself needs an envelope with a signature, a nonce, a timestamp, and a freshness window.
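As an added illustration of that envelope, here is a Go signer and verifier written for this page. It is example code, not the MCPS reference implementation: the field names, the signing-string layout, the 300-second cap on the window and the 30-second skew allowance are all assumptions. It binds an MCP tools/call request to a key id, a random nonce, an issue time and an expiry, verifies an ECDSA P-256 signature over all of them, enforces the freshness window, and keeps a nonce cache so a captured envelope cannot be submitted twice. The sample request and the tampered variant are constructed inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Envelope: a JSON-RPC message plus signature and freshness metadata. Field
// names are this example's own assumptions, not the MCPS wire format.
type Envelope struct {
	Message   json.RawMessage `json:"message"` // exact bytes that were signed
	KeyID     string          `json:"kid"`     // identifies the signing agent key
	Nonce     string          `json:"nonce"`   // 128 random bits, single use
	IssuedAt  int64           `json:"iat"`     // unix seconds; iat..exp is the window
	ExpiresAt int64           `json:"exp"`
	Signature string          `json:"sig"` // base64 ECDSA P-256 (ASN.1) over digest()
}

// digest binds the message hash to key id, nonce and both timestamps, so altering
// any one of them invalidates the signature. The verifier hashes the exact bytes
// carried in Message, so no re-serialisation is needed on either side.
func digest(e *Envelope) []byte {
	m := sha256.Sum256(e.Message)
	d := sha256.Sum256([]byte(fmt.Sprintf("mcps-example-v1\n%s\n%s\n%d\n%d\n%x",
		e.KeyID, e.Nonce, e.IssuedAt, e.ExpiresAt, m)))
	return d[:]
}

func Sign(priv *ecdsa.PrivateKey, kid string, msg []byte, ttl time.Duration, now time.Time) (*Envelope, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := &Envelope{Message: msg, KeyID: kid, Nonce: base64.RawURLEncoding.EncodeToString(nonce),
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(e))
	if err != nil {
		return nil, err
	}
	e.Signature = base64.StdEncoding.EncodeToString(sig)
	return e, nil
}

// Verifier: trusted agent keys plus a nonce cache. Single-goroutine for brevity;
// a real server guards seen with a mutex and evicts entries once exp+skew < now.
type Verifier struct {
	keys map[string]*ecdsa.PublicKey
	skew int64            // tolerated clock skew, seconds
	seen map[string]int64 // kid:nonce -> exp
}

func (v *Verifier) Verify(e *Envelope, now time.Time) error {
	pub, ok := v.keys[e.KeyID]
	sig, err := base64.StdEncoding.DecodeString(e.Signature)
	if !ok || err != nil || !ecdsa.VerifyASN1(pub, digest(e), sig) {
		return errors.New("unknown key or bad signature: message or metadata altered")
	}
	switch { // freshness: reject over-long windows, future issue times and stale messages
	case e.ExpiresAt-e.IssuedAt > 300:
		return errors.New("freshness window too long")
	case e.IssuedAt > now.Unix()+v.skew:
		return errors.New("issued in the future")
	case now.Unix() > e.ExpiresAt+v.skew:
		return errors.New("expired")
	}
	key := e.KeyID + ":" + e.Nonce // replay: a nonce is accepted once per key
	if _, dup := v.seen[key]; dup {
		return errors.New("replay: nonce already consumed")
	}
	v.seen[key] = e.ExpiresAt
	return nil
}

// RunScenarios exercises the accept, replay, tamper and expiry paths on a constructed request.
func RunScenarios() (map[string]error, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Unix(1_780_000_000, 0)
	v := &Verifier{keys: map[string]*ecdsa.PublicKey{"agent-1": &priv.PublicKey}, skew: 30, seen: map[string]int64{}}
	req := []byte(`{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"sanctions_search","arguments":{"name":"ACME Corp"}}}`)
	env, err := Sign(priv, "agent-1", req, 60*time.Second, now)
	if err != nil {
		return nil, err
	}
	tampered := *env // genuine signature and metadata, different tool call
	tampered.Message = json.RawMessage(`{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"wire_transfer"}}`)
	res := map[string]error{"fresh": v.Verify(env, now.Add(5*time.Second))}
	res["replay"] = v.Verify(env, now.Add(6*time.Second))
	res["tampered"] = v.Verify(&tampered, now.Add(5*time.Second))
	res["expired"] = v.Verify(env, now.Add(10*time.Minute)) // stale before the nonce cache is consulted
	return res, nil
}

func main() {
	res, err := RunScenarios()
	fmt.Println(res, err)
}
```

Run it and the fresh envelope verifies while the replayed, tampered and stale copies are each rejected with a distinct error. Note the order of checks: the signature is verified before the timestamps are believed, and the nonce is recorded only after everything else passes, so a rejected message never occupies the cache.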
Page 4: MCP "lacks support for exchanging Role Based Access Control permissions at instantiation." Bearer tokens can be lifted, replayed, and impersonated. Agents need verifiable cryptographic identity, bound to scope, trust level, and issuer.

Pages 12 to 13: log every tool invocation, every parameter, every result, with cryptographic hashes, so an XDR or SIEM can reconstruct exactly what happened and prove it has not been altered.

Page 13: build a vulnerability-monitoring process around your MCP package surface, the same as you would for any other production dependency.

What already exists, today

Here is the awkward bit, depending on where you sit: every single one of these four requirements has an open specification, a reference implementation, and at least one production integration. They predate the NSA notice.

MCPS, the cryptographic signing layer for MCP

draft-sharif-mcps-secure-mcp, on the IETF Datatracker since March 2026. Four primitives:

The wire format is JSON-on-the-wire, signing-string-canonical, and stays inside the MCP message body. No transport changes, no protocol fork.

ATTP, agent-trust transport above MCPS

draft-sharif-attp, live since 1 May 2026. Where MCPS does message-level signing for MCP, ATTP defines a protocol-agnostic trust transport above it: five hierarchical trust levels (L0 to L4), action-limit enforcement, compliance gating, and tamper-evident audit. It maps onto MCP, REST, Google A2A, gRPC, and GraphQL. Live demo with real ECDSA P-256 in the browser, including tamper and strip-ATTP buttons:

👉 https://attp.cybersecai.co.uk

AgentPass, the identity / RBAC layer the NSA describes

L0 to L4 trust grades, OFAC and HMT sanctions screening (75,784 entries baked in), graduated spend limits, hash-chained audit trails, agent-to-agent payment authorisation, optional Mastercard risk integration. The Go SDK, agentpass-go, verifies agent identity certificates with zero network calls: pure local crypto, standard library only, no CGo.
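The page 4 requirement (identity bound to scope, trust level and issuer) and the zero-network-call verification described for AgentPass, as an added example written for this page. This is not AgentPass code: the claim names, the certificate layout, the example-authority issuer name and the choice of Ed25519 are assumptions. An issuer signs an agent's trust level, scopes and expiry; a tool server holding only the issuer's pinned public key verifies the certificate offline and gates on a minimum trust level and required scopes, the same two knobs the watchman configuration later in this post exposes. All certificates are constructed in the scenario function.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgentClaims is an illustrative identity assertion. Claim names, layout and
// the Ed25519 choice are this example's assumptions, not AgentPass's format.
type AgentClaims struct {
	Subject    string   `json:"sub"`    // agent identifier
	Issuer     string   `json:"iss"`    // identity authority; selects the trust anchor
	TrustLevel int      `json:"trust"`  // 0..4, the L0..L4 grades
	Scopes     []string `json:"scopes"` // what the agent may do
	NotAfter   int64    `json:"exp"`    // unix seconds
	PublicKey  []byte   `json:"pub"`    // agent's own key: bind later messages to it, or it is a bearer token again
}

// AgentCert carries the claim bytes exactly as signed, so verification never re-serialises them.
type AgentCert struct {
	Claims    []byte `json:"claims"`
	Signature []byte `json:"sig"` // Ed25519 by the issuer over Claims
}

// Issue is what an identity authority does, offline, when it grades an agent.
func Issue(issuerPriv ed25519.PrivateKey, c AgentClaims) (*AgentCert, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return &AgentCert{Claims: b, Signature: ed25519.Sign(issuerPriv, b)}, nil
}

// Policy is what a tool server enforces. Anchors are pinned issuer keys loaded
// like a root CA store; nothing is fetched at request time.
type Policy struct {
	Anchors        map[string]ed25519.PublicKey
	MinTrustLevel  int
	RequiredScopes []string
}

// Authorize verifies the certificate against a pinned anchor, then applies policy.
// The issuer claim is read before verification only to pick the anchor; no other
// claim is trusted until ed25519.Verify has passed.
func (p Policy) Authorize(cert *AgentCert, now time.Time) (*AgentClaims, error) {
	var c AgentClaims
	if err := json.Unmarshal(cert.Claims, &c); err != nil {
		return nil, err
	}
	anchor, ok := p.Anchors[c.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q is not a trust anchor", c.Issuer)
	}
	if !ed25519.Verify(anchor, cert.Claims, cert.Signature) {
		return nil, errors.New("certificate signature invalid")
	}
	if now.Unix() > c.NotAfter {
		return nil, errors.New("certificate expired")
	}
	if c.TrustLevel < p.MinTrustLevel {
		return nil, fmt.Errorf("trust level L%d below required L%d", c.TrustLevel, p.MinTrustLevel)
	}
	have := map[string]bool{}
	for _, s := range c.Scopes {
		have[s] = true
	}
	for _, s := range p.RequiredScopes {
		if !have[s] {
			return nil, fmt.Errorf("missing required scope %q", s)
		}
	}
	return &c, nil
}

// RunScenarios checks constructed certificates against a policy requiring L2 and sanctions:search.
func RunScenarios() (map[string]error, error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	agentPub, _, _ := ed25519.GenerateKey(rand.Reader) // the agent's own key pair
	now := time.Unix(1_780_000_000, 0)
	claims := AgentClaims{Subject: "agent-kyc-01", Issuer: "example-authority", TrustLevel: 3,
		Scopes: []string{"sanctions:search"}, NotAfter: now.Add(24 * time.Hour).Unix(), PublicKey: agentPub}
	policy := Policy{Anchors: map[string]ed25519.PublicKey{"example-authority": issuerPub},
		MinTrustLevel: 2, RequiredScopes: []string{"sanctions:search"}}
	good, _ := Issue(issuerPriv, claims)
	low := claims
	low.TrustLevel = 1
	lowCert, _ := Issue(issuerPriv, low)
	upgraded := claims // an agent editing its own grade after issuance
	upgraded.TrustLevel = 4
	b, _ := json.Marshal(upgraded)
	forged := &AgentCert{Claims: b, Signature: good.Signature} // genuine signature, edited claims
	res := map[string]error{}
	_, res["authorised"] = policy.Authorize(good, now)
	_, res["too_low"] = policy.Authorize(lowCert, now)
	_, res["forged_claims"] = policy.Authorize(forged, now)
	_, res["expired"] = policy.Authorize(good, now.Add(48*time.Hour))
	return res, nil
}

func main() {
	res, err := RunScenarios()
	fmt.Println(res, err)
}
```

The L3 certificate is accepted; the L1 certificate, the certificate whose trust level was edited after signing, and the expired certificate are each refused, and none of the decisions needed a network round trip. The PublicKey claim is what turns this from a bearer credential into an identity: the server should require the agent to sign its messages with that key (as in the envelope example above) or answer a challenge with it.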
Trust anchors load like TLS root CAs.

x-agent-trust, agent trust as a first-class OpenAPI declaration

Merged into the official OpenAPI Initiative Extension Registry on 11 April 2026, approved by Henry Andrews and Mike Kistler (Microsoft):

👉 https://spec.openapis.org/registry/extension/x-agent-trust.html

```yaml
components:
  securitySchemes:
    AgentTrust:
      type: apiKey
      description: Uses agent trust information in lieu of a traditional API key. Requires the x-agent-trust extension.
      in: header
      name: Agent-Signature
      x-agent-trust:
        algorithm: ES256
        trustLevels: [L0, L1, L2, L3, L4]
        issuerKeysUrl: /.well-known/agent-trust-keys
security:
  - AgentTrust: [L3]   # security requirement values are arrays in OpenAPI
```

Any OpenAPI-described service can now declare which agent trust level is required to call which operation. Tooling that understands the extension can verify the Agent-Signature header before the request even reaches application code.

OWASP MCP Security Cheat Sheet, Section 7

Section 7, Message-Level Integrity and Replay Protection, was contributed via PR 2065 and merged 26 March 2026. The cheat sheet now documents the patterns the NSA later described: signing JSON-RPC messages with asymmetric keys, including nonces and timestamps, and pinning tool definitions using hashes.

OWASP AISVS 1.0, Chapter C10

An entire chapter on MCP Security, with verifiable requirements at L1 to L3. Two requirements map directly to the MCPS spec:

CVE-2026-39313, and five more on the clock

CVE-2026-39313: unbounded-memory-allocation vulnerability in mcp-framework (CWE-770, High), assigned and published 16 April 2026. Five further CVE submissions, across ~57M weekly downloads of MCP packages (including the official MCP TypeScript and Python SDKs), are under the coordinated-disclosure clock. This is the NSA's recommendation 4 in action: the package surface is being audited, and the gaps are being closed.

In production, today

moov-io / watchman (Apache 2.0, ~460 stars). Sanctions screening used by SEC-registered transfer agents and BaaS platforms.
MCPS and AgentPass are merged into main. The production deployment guide ships an AgentPass configuration block:

```yaml
AgentPass:
  TrustAnchorPath: /etc/watchman/agentpass-ca.pem
  MinTrustLevel: 2
  RequiredScopes:
    - sanctions:search
```

👉 https://github.com/moov-io/watchman/blob/master/docs/mcp.md

Cisco AI Defense. Cisco's commercial agent-security product ships our MCPS protocol as part of its agent-defence stack.

👉 https://www.cisco.com/site/us/en/products/security/ai-defense/index.html

Kong API Gateway. A plugin that turns every API behind Kong into an MCPS-signed endpoint with zero developer effort. Available to design partners under NDA.

AEBA-XDR, runtime behaviour analysis for every agent. Anomaly detection in milliseconds: eight behavioural dimensions, every agent cryptographically identified, hash-chained tamper-evident audit, native forwarders for major XDR and SIEM platforms via CEF, LEEF and syslog (RFC 5424). Free evaluation tier for up to three agents.

👉 https://aeba.co.uk

What to do this week

If you ship MCP in production:

The standard exists. The reference code exists. The integrations exist. The CVE feed exists. The protocol can be secured. Now there is no reason not to.

Raza Sharif FBCS, CISSP, CSSLP
Founder, CyberSecAI Ltd