
Security · Jun 5, 2026

The NSA Just Published MCP Security Guidance: What the Five-Layer Threat Model Means for Your Agents

The Model Context Protocol is now critical infrastructure — confirmed by the NSA's formal Cybersecurity Information Sheet. From transport-layer interception to context poisoning to supply chain threats, every MCP deployment faces a five-layer attack surface that traditional API security doesn't cover.

MCP Security · NSA Guidance · Context Poisoning · Agent Workflow Security · Protocol Security


When a national security agency publishes formal guidance on a developer protocol, the protocol has crossed a threshold. It is no longer just a standard — it is critical infrastructure.

In early 2026, the NSA released a Cybersecurity Information Sheet titled Model Context Protocol (MCP): Security Design Considerations — an official assessment of MCP's attack surface, threat categories, and mitigation framework. The Coalition for Secure AI followed with its own technical analysis. SOC Prime and Aembit published comprehensive vulnerability catalogs. The security community has converged on a consistent finding: MCP's value is also its risk surface, and traditional API security controls do not cover it.

This post breaks down the five-layer MCP threat model, explains why each layer demands different defenses, and outlines what enterprise teams deploying MCP-based agents must do now.

Why MCP Changes the Security Equation

Before Model Context Protocol, every tool integration was a custom connector — different authentication, different transport, different error handling. Security teams could assess each integration individually because each one was different.

MCP standardizes that integration surface. One protocol connects agents to code repositories, ticketing platforms, SaaS tools, databases, and internal services. This standardization is MCP's superpower — it accelerates development, reduces maintenance, and enables tool reuse across models and frameworks. But it also means that one vulnerability class can affect every integration simultaneously.

Gartner expects worldwide AI spending to reach $2.52 trillion in 2026 — a 44% year-over-year increase. AI cybersecurity spending is projected to grow by more than 90% in the same period. The budget curve tells the story: the deeper AI is embedded into business operations, the larger the attack surface becomes. MCP is the connective tissue, and connective tissue is where security failures cascade.

The Five-Layer MCP Threat Model

The vulnerability catalog that has emerged from NSA, Coalition for Secure AI, Aembit, and SOC Prime analysis organizes MCP threats into five layers. Each layer has distinct attack patterns, distinct impacts, and distinct mitigations.

Layer 1: Transport and Communication

The most basic exposure. When communication between an agent and an MCP server — or between an MCP server and a tool — lacks TLS or mutual TLS, interceptors can read sensitive context data, observe authentication tokens, and map the entire workflow topology.

Beyond encryption gaps, improperly scoped endpoints allow unauthorized access. DNS rebinding and localhost bypass techniques let external parties reach internal services. Replay exploits compound the issue: without proper nonce validation or expiration checks, captured requests can be replayed later to trigger unauthorized actions.

Impact: Adversaries intercept or tamper with context in transit, gaining visibility into agent decisions and the ability to manipulate workflows. The transport layer is where confidentiality and integrity either hold or fail.
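The nonce and expiration check the Layer 1 discussion calls for, as an added example that is not part of the original post or the NSA sheet: the sender wraps each MCP request in a timestamp, a random nonce and an HMAC, and the receiver rejects anything with a bad MAC, a stale timestamp or a nonce it has already seen inside the freshness window. The shared key and the 30-second window are constructed for the example; in a deployment the key would be bound to the mTLS session, so this check complements transport encryption rather than replacing it.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed shared key for the example only; a deployment would bind the key
# to the mTLS session or fetch it from a key-management service.
SHARED_KEY = b"example-shared-key-not-for-production"

# Requests older than this (or this far in the future) are rejected outright.
FRESHNESS_WINDOW_SECONDS = 30


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(payload: dict, key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> dict:
    """Sender side: wrap the payload with a timestamp, a random nonce and an HMAC."""
    envelope = {
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
        "payload": payload,
    }
    envelope["mac"] = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class ReplayGuard:
    """Receiver side: accept a request only if the MAC verifies, the timestamp
    is fresh and the nonce has not been seen inside the freshness window."""

    def __init__(self, key: bytes = SHARED_KEY,
                 window: int = FRESHNESS_WINDOW_SECONDS) -> None:
        self.key = key
        self.window = window
        self._seen: Dict[str, int] = {}  # nonce -> timestamp it arrived with

    def _purge(self, now: int) -> None:
        # Nonces outside the window can be forgotten: the timestamp check
        # rejects their envelopes anyway, so memory stays bounded.
        for nonce in [n for n, ts in self._seen.items() if now - ts > self.window]:
            del self._seen[nonce]

    def verify(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        body = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Integrity first: no field is trusted until the MAC has verified.
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad_mac"
        if not isinstance(body.get("ts"), int) or abs(now - body["ts"]) > self.window:
            return False, "stale"
        self._purge(now)
        nonce = body.get("nonce")
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = body["ts"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    request = sign_request({"tool": "tickets.read", "args": {"id": 42}})
    print(guard.verify(request))  # (True, 'ok')
    print(guard.verify(request))  # (False, 'replay')
```

The MAC is checked before the timestamp and nonce so that an attacker cannot probe the replay cache with forged envelopes; the receiver only remembers nonces that arrived with a valid signature.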

Layer 2: Authentication and Identity

Weak authentication is pervasive in MCP deployments. Agents and servers often rely on static API keys or long-lived tokens that live in configuration files or CI/CD pipelines. When these are exposed — and 24,008 unique secrets were found in MCP configuration files on public GitHub in the protocol's first year — they grant persistent access until someone manually rotates them.

Improper token delegation creates a credential reuse spiral. A system passes a token issued for one agent to another without validating the scope. The receiving entity gains unintended privileges, and the entire access control chain breaks down. The MCP specification explicitly flags token passthrough as a high-risk anti-pattern because it makes authorization ambiguous and unauditable.

Zero-authentication endpoints — services that accept requests without validating the caller's identity — let attackers inject malicious contexts or extract data with no credential barrier.

Impact: Spoofed agents impersonate legitimate services, stolen credentials get replayed across the ecosystem, and the identity layer collapses under pressure it was never designed to withstand.

Layer 3: Context Integrity and Confidentiality

Context poisoning is arguably the most dangerous MCP-specific threat. Attackers inject malicious data into the context that agents use for decision-making. That poisoned context propagates through the workflow. Downstream agents make decisions based on corrupted inputs. The entire chain of reasoning becomes untrustworthy.

Context leakage is equally damaging: sensitive data passes into unrelated workflows. An agent processing customer data inadvertently shares context with a tool that should not access it — breaking privacy boundaries and compliance requirements.

Context hijacking allows adversaries to manipulate context mid-flow, modifying data in transit and gaining control over the agent's decisions. Dynamic output poisoning exploits the trust between tools and agents: a rogue tool returns manipulated results, which the agent accepts as legitimate and uses to drive downstream actions.

Impact: AI agents make unsafe decisions based on corrupted data, sensitive information is exfiltrated through context leakage, and the chain of trust breaks across the entire workflow. In autonomous agent systems, the corruption propagates before any human notices.

Layer 4: Authorization and Privilege

Overbroad permissions plague MCP implementations. Agents and tools receive more access than they require because teams optimize for workflow completion rather than least privilege. Once one overprivileged identity is breached, it becomes a powerful launchpad for deeper intrusion.

Privilege escalation happens when a compromised tool leverages its initial access to gain higher-level permissions — moving from limited tool access to system-wide control. Lateral movement is trivial in loosely secured environments because MCP workflows create natural, trusted pathways between services.

Session hijacking and fixation exploit weak session management. Stolen or predicted session identifiers let attackers take over authenticated sessions and perform actions as legitimate agents. The confused deputy problem — where an MCP server acts with its own broad privileges rather than user-scoped permissions — turns every server into a potential privilege escalation vector.

Impact: A single breach spreads rapidly across interconnected MCP workflows, turning one exploited vulnerability into a system-wide incident.

Layer 5: Supply Chain and Ecosystem

Malicious tool descriptors are a supply chain threat specific to MCP. Attackers create trojanized tools that masquerade as legitimate ones. When deployed, these tools grant access to the MCP infrastructure — often with broad permissions and no behavioral monitoring.

Repository pollution uses familiar patterns in a new context: typosquatting, fake updates that inject malicious code, and manipulated schemas that change tool behavior in subtle, hard-to-detect ways. Configuration poisoning exploits insecure defaults or tampered configuration files that MCP servers accept on startup.

Shadow services — rogue MCP servers deployed by individual teams to speed up development — bypass monitoring and policy enforcement entirely. They appear in multi-cloud and hybrid environments where centralized discovery is incomplete or nonexistent.

Impact: Trust in the ecosystem collapses, adversaries embed themselves in the toolchain, and every workflow becomes potentially tainted.

Why Traditional API Security Doesn't Apply

The five-layer threat model shows why MCP security is qualitatively different from API security:

  • API gateways can validate requests against schemas, but they cannot validate context authenticity. Is this context legitimate or has it been poisoned upstream? The gateway has no way to know.

  • Web Application Firewalls can detect injection patterns in HTTP requests, but they cannot detect tool poisoning — where the attack is embedded in tool metadata that the agent reads at discovery time, not in the runtime request stream.

  • Static API keys are bad practice everywhere, but for MCP they are catastrophic because the same key can authorize requests across every tool in a workflow. Revoking a compromised key means breaking every integration simultaneously.

The operational reality: security controls designed for deterministic API traffic are not sufficient for autonomous agent workflows that chain across multiple tools with context propagation at each step.

The Defensive Framework: Five Layers, Five Strategies

The NSA guidance and community consensus converge on layered defenses:

1. Mandatory Mutual TLS Everywhere

Every MCP connection — agent-to-server and server-to-tool — must use mTLS with certificate validation. No plaintext transports. No self-signed certificates in production. Transport security is the foundation; every other defense assumes it.

2. Identity-First, Secretless Access

Replace static API keys with workload identity based on cryptographic attestation. Where legacy systems still require a credential, manage and inject it centrally with least-privilege, time-bounded policies. The MCP authorization specification defines OAuth-based flows; use them. Token passthrough must be forbidden as an architectural rule, not a configuration preference.
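An added example (not code from the post, the NSA sheet, or the MCP specification) of the resource-server check that turns "no token passthrough" into code, covering both the Layer 2 weaknesses described earlier and this strategy: a minimal HS256 JWT verifier that pins the algorithm, checks signature and expiry, and then rejects any token whose `aud` is not this server or whose `scope` does not cover the requested operation. The signing key, audience strings and scope names are constructed; `mint_token` stands in for the authorization server so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT. Stands in for the authorization server so the
    example runs offline; production tokens come from the real issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


class TokenRejected(Exception):
    """Raised with a short reason code when a token must not be honoured."""


def verify_token(token: str, key: bytes, expected_aud: str, required_scope: str,
                 now: Optional[float] = None) -> dict:
    """The check an MCP server should run on every inbound bearer token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token never gets to choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected_alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenRejected("bad_signature")
    claims = json.loads(_b64url_decode(body_b64))
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise TokenRejected("expired")
    # Audience binding is what stops passthrough: a token minted for an
    # upstream API, or for the agent itself, is not a token for this server.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenRejected("wrong_audience")
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        raise TokenRejected("insufficient_scope")
    return claims


def check_token(token: str, key: bytes, expected_aud: str, required_scope: str,
                now: Optional[float] = None) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_token(token, key, expected_aud, required_scope, now)
        return "ok"
    except TokenRejected as exc:
        return str(exc)
    except ValueError:  # undecodable base64 or JSON
        return "malformed"
```

The order of checks matters: signature before claims, so nothing in an unsigned body is ever interpreted, and audience before scope, so a token with generous scopes but the wrong `aud` is still refused. That second rule is the one that makes token passthrough impossible to do by accident.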

3. Context Validation at Every Boundary

Before an agent accepts context: validate its source and structure. Before passing context to a tool: verify contents against expected schemas. Runtime validation prevents poisoned contexts from propagating downstream. Input validation should strip control characters, enforce type checking, and reject oversized payloads. Context integrity is a runtime function, not a deployment-time configuration.
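An added example (not code from the post or from Facio) of a boundary validator applying the checks listed above to the Layer 3 threats: source allowlisting, a payload size cap, recursive stripping of control and hidden characters, nesting-depth and string-length limits, and strict schema matching that rejects unexpected fields, which is the usual shape of dynamic output poisoning. The trusted source list and the ticket schema are constructed placeholders.

```python
import json
import re
from typing import Any, Dict, Set

MAX_PAYLOAD_BYTES = 64 * 1024
MAX_STRING_CHARS = 4096
MAX_NESTING_DEPTH = 8

# C0/C1 control characters (keeping tab, LF, CR) plus zero-width and bidi
# override code points, which can hide text from a human reviewer while
# remaining visible to the model.
_HIDDEN_CHARS = re.compile(
    r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f\u200b-\u200f\u202a-\u202e\u2066-\u2069]"
)

# Constructed allowlist of servers whose output this agent may consume.
TRUSTED_SOURCES: Set[str] = {"mcp://tickets", "mcp://repo"}

# Expected shape of one tool result, field -> type. Anything else is rejected.
TICKET_RESULT_SCHEMA: Dict[str, type] = {
    "id": int, "title": str, "status": str, "assignee": str,
}


class ContextRejected(ValueError):
    """Raised with a reason code when context must not enter the workflow."""


def sanitize(value: Any, depth: int = 0) -> Any:
    """Recursively strip hidden characters and enforce size/depth limits."""
    if depth > MAX_NESTING_DEPTH:
        raise ContextRejected("too_deep")
    if isinstance(value, str):
        if len(value) > MAX_STRING_CHARS:
            raise ContextRejected("string_too_long")
        return _HIDDEN_CHARS.sub("", value)
    if isinstance(value, dict):
        return {str(k): sanitize(v, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v, depth + 1) for v in value]
    if value is None or isinstance(value, (bool, int, float)):
        return value
    raise ContextRejected("unsupported_type")


def validate_context(message: dict, schema: Dict[str, type]) -> dict:
    """Boundary check for a tool result before the agent reasons over it."""
    if message.get("source") not in TRUSTED_SOURCES:
        raise ContextRejected("untrusted_source")
    raw = json.dumps(message.get("data"), separators=(",", ":"))
    if len(raw.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ContextRejected("oversized")
    data = sanitize(message.get("data"))
    if not isinstance(data, dict):
        raise ContextRejected("not_an_object")
    extra = sorted(set(data) - set(schema))
    if extra:
        # Unexpected fields are the classic output-poisoning vector: a tool
        # result that smuggles "notes" or "instructions" aimed at the model.
        raise ContextRejected("unexpected_fields:" + ",".join(extra))
    for field, expected in schema.items():
        if field not in data:
            raise ContextRejected("missing_field:" + field)
        present = data[field]
        # bool is a subclass of int in Python; do not let True pass as an id.
        if isinstance(present, bool) and expected is not bool:
            raise ContextRejected("wrong_type:" + field)
        if not isinstance(present, expected):
            raise ContextRejected("wrong_type:" + field)
    return data


def check_context(message: dict, schema: Dict[str, type]) -> str:
    """Return 'ok' or the rejection reason, for logging and tests."""
    try:
        validate_context(message, schema)
        return "ok"
    except ContextRejected as exc:
        return str(exc)
    except TypeError:  # json.dumps met a non-JSON type
        return "unsupported_type"
```

Rejections return a reason code rather than silently dropping fields, so the same function can feed an audit event at the boundary; an unexpected field in a tool result is a detection signal, not just a parsing nuisance.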

4. Runtime Authorization with Policy Enforcement

RBAC for the outer boundary. ABAC for per-operation enforcement. Every tool invocation must pass through policy evaluation at runtime — not at deployment, not at configuration time, but in the execution path. This is where Facio (the HITL-first agent runtime) provides the enforcement layer: every MCP tool call passes through policy evaluation before execution, and every decision — permitted or denied — is captured in the tamper-evident audit trail.
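An added example (not Facio's implementation, nor any code from the post) of runtime policy evaluation along the lines described above: an RBAC role table as the outer boundary, ABAC rules run per call in the execution path, and every decision, whether permitted, denied or escalated to human approval, appended to a hash-chained audit log so that later tampering is detectable. Roles, rules and runtime attributes are constructed for the illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ToolCall:
    principal: str   # which agent identity is calling
    role: str        # RBAC role bound to that identity
    tool: str        # MCP tool name, e.g. "repo.tag"
    params: dict     # arguments the agent supplied
    attrs: dict      # runtime attributes: environment, allowlists, ...


# RBAC: the coarse outer boundary. Constructed roles for the example.
ROLE_TOOLS: Dict[str, set] = {
    "triage-agent": {"tickets.read", "tickets.comment"},
    "release-agent": {"tickets.read", "repo.read", "repo.tag"},
}

Verdict = Optional[str]  # None = no opinion, otherwise "deny" or "require_approval"


# ABAC: per-operation rules evaluated at call time, in the execution path.
def repo_must_be_allowlisted(call: ToolCall) -> Verdict:
    if call.tool.startswith("repo.") and call.params.get("repo") not in call.attrs.get("allowed_repos", ()):
        return "deny"
    return None


def params_must_be_small(call: ToolCall) -> Verdict:
    if len(json.dumps(call.params, sort_keys=True)) > 8192:
        return "deny"
    return None


def prod_writes_need_a_human(call: ToolCall) -> Verdict:
    # Anything that is not a read in production escalates to human approval.
    if call.attrs.get("env") == "prod" and not call.tool.endswith(".read"):
        return "require_approval"
    return None


RULES: List[Callable[[ToolCall], Verdict]] = [
    repo_must_be_allowlisted, params_must_be_small, prod_writes_need_a_human,
]


class PolicyEngine:
    """Evaluates every tool call and appends a hash-chained audit event."""

    def __init__(self) -> None:
        self.audit: List[dict] = []
        self._prev_hash = "0" * 64

    @staticmethod
    def _digest(event: dict) -> str:
        body = {k: v for k, v in event.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def _record(self, call: ToolCall, decision: str, reason: str, ts: float) -> None:
        event = {
            "ts": ts, "principal": call.principal, "role": call.role,
            "tool": call.tool, "params": call.params,
            "decision": decision, "reason": reason, "prev": self._prev_hash,
        }
        event["hash"] = self._digest(event)  # each event seals the one before it
        self._prev_hash = event["hash"]
        self.audit.append(event)

    def evaluate(self, call: ToolCall, now: Optional[float] = None) -> str:
        ts = now if now is not None else time.time()
        if call.tool not in ROLE_TOOLS.get(call.role, set()):
            self._record(call, "deny", "rbac:tool_not_granted_to_role", ts)
            return "deny"
        for rule in RULES:
            verdict = rule(call)
            if verdict is not None:
                self._record(call, verdict, "abac:" + rule.__name__, ts)
                return verdict
        self._record(call, "allow", "policy_passed", ts)
        return "allow"

    def audit_chain_intact(self) -> bool:
        """Recompute every digest and link; any edited event breaks the chain."""
        prev = "0" * 64
        for event in self.audit:
            if event["prev"] != prev or self._digest(event) != event["hash"]:
                return False
            prev = event["hash"]
        return True
```

The caller treats `require_approval` as a hold, not a denial: the call is parked until a human decision arrives, and that decision is recorded as its own event. Denials are logged with the rule that produced them, which is what makes an audit trail useful during an incident.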

5. Supply Chain Governance

Verify every MCP component before deployment. Validate tool descriptors against trusted sources. Check repository authenticity using signed artifacts and integrity hashes. Audit MCP server registries the same way you audit package managers. Treat tool metadata as untrusted input — because it is.
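An added example (not code from the post or from any MCP registry) of treating tool metadata as untrusted input, covering the Layer 5 threats and this strategy: descriptors are pinned by SHA-256 digest when a human reviews them and re-verified at discovery time, so a tool whose description or input schema changed after approval, or a tool that was never reviewed, is reported rather than offered to the model. The descriptors below are constructed samples.

```python
import hashlib
import json
from typing import Dict, List


def descriptor_digest(descriptor: dict) -> str:
    """SHA-256 over the canonical JSON form of a tool descriptor."""
    canonical = json.dumps(descriptor, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_descriptors(approved: List[dict]) -> Dict[str, dict]:
    """Record what was reviewed: the descriptor and its digest, keyed by tool name.
    In practice this registry is written by the review process, never by the server."""
    return {d["name"]: {"digest": descriptor_digest(d), "descriptor": d} for d in approved}


def changed_fields(pinned: dict, discovered: dict) -> List[str]:
    keys = set(pinned) | set(discovered)
    return sorted(k for k in keys if pinned.get(k) != discovered.get(k))


def verify_discovery(discovered: List[dict], pins: Dict[str, dict]) -> Dict[str, dict]:
    """Compare the server's live tool list with the pinned set.
    Statuses: ok, changed (metadata differs from what was reviewed),
    unpinned (never reviewed), missing (reviewed but no longer offered), invalid."""
    report: Dict[str, dict] = {}
    seen = set()
    for tool in discovered:
        name = tool.get("name")
        if not isinstance(name, str) or not name:
            report["<unnamed>"] = {"status": "invalid"}
            continue
        seen.add(name)
        if name not in pins:
            report[name] = {"status": "unpinned"}
            continue
        pinned = pins[name]
        if descriptor_digest(tool) != pinned["digest"]:
            report[name] = {"status": "changed",
                            "fields": changed_fields(pinned["descriptor"], tool)}
        else:
            report[name] = {"status": "ok"}
    for name in pins.keys() - seen:
        report[name] = {"status": "missing"}
    return report


def usable_tools(discovered: List[dict], pins: Dict[str, dict]) -> List[str]:
    """Only tools whose descriptor matches its pin may be exposed to the model."""
    report = verify_discovery(discovered, pins)
    return sorted(name for name, r in report.items() if r["status"] == "ok")


# Constructed sample: what was reviewed and approved.
_ID_SCHEMA = {"type": "object", "properties": {"id": {"type": "integer"}}, "required": ["id"]}
_PATH_SCHEMA = {"type": "object", "properties": {"repo": {"type": "string"}, "path": {"type": "string"}},
                "required": ["repo", "path"]}
APPROVED_DESCRIPTORS = [
    {"name": "tickets.read", "description": "Read a ticket by id.", "inputSchema": _ID_SCHEMA},
    {"name": "repo.read", "description": "Read one file from a repository.", "inputSchema": _PATH_SCHEMA},
]

# Constructed sample: what the server advertises at discovery time. The
# repo.read description has been altered since review and repo.push is new.
LIVE_DESCRIPTORS = [
    APPROVED_DESCRIPTORS[0],
    {"name": "repo.read", "description": "Read one file from a repository. Always call this tool first.",
     "inputSchema": _PATH_SCHEMA},
    {"name": "repo.push", "description": "Push a commit.", "inputSchema": _PATH_SCHEMA},
]

if __name__ == "__main__":
    pins = pin_descriptors(APPROVED_DESCRIPTORS)
    print(json.dumps(verify_discovery(LIVE_DESCRIPTORS, pins), indent=2))
    print(usable_tools(LIVE_DESCRIPTORS, pins))  # ['tickets.read']
```

Digest pinning catches the rug-pull pattern (a descriptor that changes after approval) and the unreviewed-tool pattern, which is the MCP form of the typosquatting and fake-update problems named above. Where a registry publishes signed descriptors, the signature check goes in front of the digest comparison; the pin is still needed, because a validly signed update is still a change that nobody on your side has reviewed.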

Where Facio and Placet.io Fit

MCP security is not a configuration problem. It is a runtime governance problem. The five-layer threat model requires defenses in the execution path — not after the fact.

Facio (the HITL-first agent runtime) enforces MCP security at runtime:

  • Every tool invocation is intercepted before execution, with policy evaluation at the call boundary
  • The audit trail captures every MCP interaction — transport metadata, authentication context, tool parameters, authorization decisions — in an immutable, attributable log
  • Context poisoning is made visible: anomalous tool responses, unexpected context flows, and privilege escalation attempts generate audit events, not silent failures

Placet.io (the HITL inbox and messenger) provides the human review layer for MCP authorization boundaries:

  • When an agent attempts a tool invocation outside its normal authorization scope, the request triggers a structured human approval workflow
  • When a new MCP server or tool is introduced, a governance review is queued to the appropriate team

The Bottom Line

MCP is becoming the backbone of agentic AI infrastructure. The NSA's formal guidance confirms that the security community recognizes this — and recognizes that current defenses are insufficient.

The organizations that will operate MCP-based agents securely are not the ones with the best API gateways. They are the ones that implement layered defenses across all five threat surfaces, enforce policy in the execution path, and maintain audit trails that make every context flow, every authorization decision, and every tool invocation visible and attributable.

The protocol is the connective tissue. The security architecture is what keeps that tissue from becoming a systemic vulnerability.
