In May 2026 the NSA Artificial Intelligence Security Center published the Cybersecurity Information Sheet "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation" (U/OO/6030316-26). It names concrete security gaps in MCP deployments. This free checklist maps any MCP server to those controls.
Check a server by calling the API directly: GET /api/nsa-checklist?url={server_url} → JSON
| Control | NSA category | Requirement | How we check |
|---|---|---|---|
| auth-required | Authentication | Authentication must be required, not optional. MCP servers should reject unauthenticated tool invocation. | Behaviorally evidenced |
| rbac-authz | Authorization | Enforce role-based, least-privilege authorization per tool. MCP does not define RBAC in-protocol. | Self-attestation required |
| session-integrity | Session management | Bind sessions to a verifiable identity and protect against session hijacking and message replay. | Self-attestation required |
| tool-manifest-integrity | Tool poisoning / manifest integrity | Sign and verify tool manifests so tool definitions cannot be poisoned or silently altered. | Self-attestation required |
| input-validation | Unsafe code execution | Validate and sanitize tool-call arguments to prevent host command/code execution. | Self-attestation required |
| context-injection | Context serialization | Validate context/serialized data to prevent injection of malicious payloads via context. | Self-attestation required |
| human-in-the-loop | Approval workflows | Require human-in-the-loop approval for high-impact or irreversible actions. | Self-attestation required |
| audit-logging | Audit logging | Maintain comprehensive audit logging to detect, investigate, and attribute agent behavior. | Behaviorally evidenced |
| transport-security | Transport security | Use secure transport (TLS) for all MCP traffic. | Behaviorally evidenced |
| rate-limiting | Secure defaults / rate limiting | Apply rate limiting and avoid overly permissive default configurations. | Behaviorally evidenced |
| supply-chain-provenance | Supply chain | Establish verifiable provenance for the MCP server and its packages. | Behaviorally evidenced |
Controls observable from outside the server (transport/TLS, unauthenticated access, rate-limit headers, external audit trail, supply-chain provenance) get an evidenced PASS/FAIL from a single bounded probe by the Dominion Observatory. Controls that are protocol- or implementation-internal (RBAC, session integrity, manifest signing, input validation, context handling, human-in-the-loop) are marked self-attestation required — we will never fake a verdict we cannot evidence.
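The split between evidenced verdicts and self-attestation is easy to get wrong in practice, so here is an added example (not the Dominion Observatory's probe code, and not part of the checklist itself) of how a single captured response can be classified against the eleven control ids above. It assumes the probe was one unauthenticated JSON-RPC `tools/call` POST and that three signals are read straight off the response: the URL scheme for transport-security, a 401/403 status for auth-required, and a 429 status or a `RateLimit-*` / `X-RateLimit-*` / `Retry-After` header for rate-limiting. Those header names and status rules are my assumptions, not the page's; the page's external checks for audit-logging and supply-chain-provenance are not reproduced and are marked NOT_PROBED. The sample probes are constructed, not real servers.

```python
# Added example for this checklist page. It is not the Dominion Observatory's
# probe code; it classifies one already-captured HTTP response against the
# control ids in the table. Assumptions (mine, not the page's): the probe was
# a single unauthenticated JSON-RPC tools/call POST; 401/403 evidences
# auth-required; 429 or a RateLimit-*/X-RateLimit-*/Retry-After header
# evidences rate-limiting; an https scheme evidences transport-security.
from urllib.parse import urlparse

# Control ids exactly as listed in the checklist table.
BEHAVIORAL = ("auth-required", "transport-security", "rate-limiting",
              "audit-logging", "supply-chain-provenance")
SELF_ATTEST = ("rbac-authz", "session-integrity", "tool-manifest-integrity",
               "input-validation", "context-injection", "human-in-the-loop")

# Header names (lower-cased) accepted as evidence that a rate limit is enforced.
RATE_LIMIT_HEADERS = ("ratelimit-limit", "ratelimit",
                      "x-ratelimit-limit", "retry-after")

# Sample probe captures, constructed for this example (no real servers).
SAMPLE_PROBES = {
    "hardened": {
        "url": "https://mcp.example.test/mcp",
        "status": 401,
        "headers": {"WWW-Authenticate": "Bearer", "RateLimit-Limit": "60"},
    },
    "open": {
        "url": "http://mcp.example.test/mcp",
        "status": 200,
        "headers": {"Content-Type": "application/json"},
    },
}


def evaluate_probe(url, status, headers):
    """Map one captured response to a verdict per control.

    Verdicts: PASS / FAIL for the controls this example can evidence,
    NOT_PROBED for the two behavioral controls it does not implement,
    SELF_ATTEST for the protocol-internal controls. This mirrors the page's
    rule that only an observable signal earns a PASS/FAIL.
    """
    h = {k.lower(): v for k, v in headers.items()}
    verdicts = {c: "SELF_ATTEST" for c in SELF_ATTEST}
    verdicts.update({c: "NOT_PROBED" for c in BEHAVIORAL})
    scheme = urlparse(url).scheme
    verdicts["transport-security"] = "PASS" if scheme == "https" else "FAIL"
    # An unauthenticated tools/call must be refused, not served.
    verdicts["auth-required"] = "PASS" if status in (401, 403) else "FAIL"
    limited = status == 429 or any(k in h for k in RATE_LIMIT_HEADERS)
    verdicts["rate-limiting"] = "PASS" if limited else "FAIL"
    return verdicts


def failed_controls(verdicts):
    """Return the sorted list of control ids with an evidenced FAIL."""
    return sorted(c for c, v in verdicts.items() if v == "FAIL")


if __name__ == "__main__":
    for name, probe in SAMPLE_PROBES.items():
        v = evaluate_probe(**probe)
        print(name, "FAIL:", failed_controls(v) or "none")
```

The design point is that a verdict is only ever derived from a signal present in the captured response; anything the response cannot show stays SELF_ATTEST or NOT_PROBED rather than defaulting to PASS. One consequence of a single bounded probe is that a server answering 429 to the unauthenticated call shows rate-limiting but not auth-required, so that control would read FAIL until a second probe is allowed.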
Independent mapping to the public NSA Cybersecurity Information Sheet U/OO/6030316-26 (2026-05). Not affiliated with, authorized by, or endorsed by the NSA or the U.S. Government.