Audience: ISSMs, C3PAOs, security engineers, and compliance teams evaluating MCP deployments in national security, defense, or critical infrastructure environments. This mapping references NSA AISC CSI U/OO/6030316-26 (May 2026).

Contents

1. Overview
2. Coverage Summary
3. NSA-1: Filtering Outgoing Proxy and DLP
4. NSA-2: Sandboxing and Tool Execution Constraints
5. NSA-3: Message Integrity, Signing, and Replay Protection
6. NSA-4: Output Filtering
7. NSA-5: Tool Name Collision and Drift Detection
8. NSA-6: Detailed Audit Logging for SIEM
9. NSA-7: Local MCP Server Discovery Scanning
10. NSA-8: Content Validation, Rate Limiting, and Policy
11. NSA-9: Indirect Prompt Injection Detection
12. Configuration Example
13. References

1. Overview

On May 21, 2026, the NSA's Artificial Intelligence Security Center (AISC) published "Security Design Considerations for AI-Driven Automation Leveraging the Model Context Protocol" (CSI U/OO/6030316-26). This is the first formal U.S. government cybersecurity guidance addressing MCP deployment risks.

The guidance identifies three systemic risk areas:

The NSA notes that traditional safeguards (authentication, input validation) remain necessary but are insufficient for agentic AI systems, which introduce dynamic tool invocation and implicit trust relationships. The guidance concludes that "MCP-aware security proxies remain limited and are still maturing."

Key NSA finding: Security issues in MCP deployments "cannot be patched at isolated endpoints and must be addressed across the entire MCP environment." SWT3 operates at the SDK layer -- inside the agent runtime -- providing the evidence chain that network-layer proxies cannot.

2. Coverage Summary

7 / 9 NSA recommendations addressed by SWT3 at the SDK/runtime layer. The remaining 2 are network infrastructure controls outside SDK scope.

NSA Recommendation                                   Coverage        SWT3 Procedures / Controls
NSA-1: Filtering Outgoing Proxy + DLP                Network Layer   Outside SDK scope. Network-level control.
NSA-2: Sandboxing + Tool Execution Constraints       Full            ChainEnforcer: blocklist, allowlist, velocity, depth, token budget
NSA-3: Message Integrity + Signing                   Full            HMAC-SHA256 signing, epoch timestamps, Merkle accumulator
NSA-4: Output Filtering                              Full            Clearing levels 0-3, surgical data purge
NSA-5: Tool Name Collision + Drift Detection         Full            AI-TOOL.1 witnessing, axiom drift
NSA-6: Detailed Audit Logging for SIEM               Full            Witness ledger, OTel exporter, regulatory webhooks
NSA-7: Local MCP Server Discovery Scanning           Network Layer   Outside SDK scope. Pre-deployment control.
NSA-8: Content Validation + Rate Limiting + Policy   Full            mcp_policy: max_velocity, max_chain_depth, max_tokens_per_session
NSA-9: Indirect Prompt Injection Detection           Full            AI-GRD.1/GRD.2 guardrail witnessing, violation anchors

3. NSA-1: Filtering Outgoing Proxy and DLP

NSA Recommendation 1

Deploy filtering outgoing proxies with DLP for external MCP connections

The NSA recommends tightly pinning resource URLs and access methods for outbound MCP traffic, with data loss prevention (DLP) inspection at the network boundary.

Outside SWT3 scope. This is a network infrastructure control. SWT3 operates at the SDK/runtime layer inside the agent process. Organizations should pair SWT3 with network-level DLP tools (Zscaler, Palo Alto Prisma, AWS PrivateLink) to address this recommendation. The SWT3 clearing engine complements DLP by ensuring sensitive data is purged from the witness record before it leaves the enclave boundary.

4. NSA-2: Sandboxing and Tool Execution Constraints

NSA Recommendation 2

Apply sandboxing and tool execution constraints to MCP tool invocations

The NSA cites OS-level containment (Linux: Landlock, seccomp, network namespaces) and recommends constraining which tools an agent can invoke, how frequently, and at what depth.

SWT3 Coverage: Full. The ChainEnforcer class enforces five layers of tool execution constraints, all evaluated in-memory with zero network calls:
Enforcement Layer    Config Key               Description
Tool Blocklist       tool_blocklist           Glob patterns for forbidden tools (e.g., shell_*, exec_*)
Tool Allowlist       tool_allowlist           Explicit allowlist when defined; all unlisted tools rejected
Velocity Limiting    max_velocity             Rate limit (e.g., 10/60s) to prevent tool call flooding
Chain Depth          max_chain_depth          Maximum sequential tool invocations per session
Token Budget         max_tokens_per_session   Cumulative token ceiling per session; blocks when exceeded

When fail_secure: true is set, any policy violation blocks the tool call before execution and mints a violation anchor recording the attempted action, the rule that triggered, and the tool name.

Procedures: AI-TOOL.1 (tool call witnessing), AI-CHAIN.1 (exploit chain monitoring)

5. NSA-3: Message Integrity, Signing, and Replay Protection

NSA Recommendation 3

Implement per-message signing, expiration timestamps, and replay protection

The NSA notes that MCP does not natively support message signing and recommends that implementations add integrity mechanisms. The guidance calls for signed action receipts, expiration timestamps, and replay detection.

SWT3 Coverage: Full. Every SWT3 Witness Anchor is a signed action receipt with built-in replay protection:

Procedures: Every SWT3 procedure produces a signed anchor. AI-CHAIN.2 (chain integrity) provides cross-agent replay detection via cycle_id linking.
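The three NSA-3 mechanisms named above (HMAC-SHA256 signing, epoch timestamps, Merkle accumulator) are shown together in the following added example. It is illustration written for this page, not SWT3 SDK code: the receipt field names (agent_id, action, ts, nonce, sig), the symmetric key shared between agent and verifier, and the freshness window of 1800 seconds (taken from the trust_mesh example in section 12) are assumptions, and the accumulator is a plain binary Merkle tree over receipt hashes rather than any particular SWT3 structure.

```python
import hashlib
import hmac
import json
import os


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(key: bytes, agent_id: str, action: dict, now: float) -> dict:
    """Mint a signed action receipt: epoch timestamp plus a random nonce,
    then an HMAC-SHA256 tag over the canonical body with the agent's key.
    Field names are assumptions for this example, not SWT3's schema."""
    body = {
        "agent_id": agent_id,
        "action": action,
        "ts": int(now),
        "nonce": os.urandom(16).hex(),
    }
    body["sig"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class ReceiptVerifier:
    """Verifies receipts: signature first, then freshness, then nonce reuse.
    Nonces only need to be remembered for the freshness window, because a
    receipt older than the window is rejected as expired before the replay
    check is reached."""

    def __init__(self, key: bytes, freshness_window: int = 1800):
        self.key = key
        self.freshness_window = freshness_window
        self.seen = {}  # nonce -> ts of the accepted receipt

    def verify(self, receipt: dict, now: float) -> str:
        body = {k: v for k, v in receipt.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(receipt.get("sig", ""))):
            return "bad_signature"
        if abs(now - receipt["ts"]) > self.freshness_window:
            return "expired"
        cutoff = now - self.freshness_window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if receipt["nonce"] in self.seen:
            return "replay"
        self.seen[receipt["nonce"]] = receipt["ts"]
        return "ok"


class MerkleAccumulator:
    """Binary Merkle tree over the hashes of accepted receipts. Publishing the
    root at intervals gives tamper evidence: altering, dropping or reordering
    any accepted receipt changes the root."""

    def __init__(self):
        self.leaves = []

    def append(self, receipt: dict) -> None:
        self.leaves.append(hashlib.sha256(canonical(receipt)).digest())

    def root(self) -> str:
        if not self.leaves:
            return hashlib.sha256(b"").hexdigest()
        level = list(self.leaves)
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])  # duplicate the last node on odd counts
            level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                     for i in range(0, len(level), 2)]
        return level[0].hex()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a per-agent secret in practice
    verifier = ReceiptVerifier(key)
    receipt = sign_receipt(key, "agent-a", {"tool": "read_file"}, 1_700_000_000)
    print(verifier.verify(receipt, 1_700_000_010))  # ok
    print(verifier.verify(receipt, 1_700_000_020))  # replay
```

The verifier checks the signature before the timestamp so that an attacker cannot learn anything about the freshness window from unsigned junk, and prunes the nonce cache to the window so the replay set cannot grow without bound.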

6. NSA-4: Output Filtering

NSA Recommendation 4

Filter tool output before results pass onward to downstream consumers

The NSA recommends sanitizing tool outputs to prevent data exfiltration and to control what information flows between MCP components.

SWT3 Coverage: Full. The clearing engine provides four levels of output filtering, applied to every witness record before it leaves the SDK:
Level   Name         What Gets Purged
0       Analytics    Nothing purged. Full telemetry retained.
1       Standard     Raw prompt/response text stripped. Factors and verdict retained.
2       Sensitive    AI context metadata stripped. Only procedure, verdict, and fingerprint remain.
3       Classified   Surgical purge. Only the cryptographic proof survives. No operational data crosses the boundary.

The clearing engine is not optional decoration. It is a core protocol mechanism that controls exactly what evidence leaves the enclave boundary. Jurisdiction, legal basis, and purpose class (CJT fields) survive all clearing levels to maintain regulatory traceability even at Classified.

Configuration: clearing_level: 2 in .swt3.yaml or per-call via SDK parameter.
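The following added example applies the four clearing levels from the table above to a witness record before it is exported. It is illustration for this page, not the SWT3 clearing engine: the record's field names, the choice of which keys count as "raw text", "AI context metadata" and "cryptographic proof", and the sample record itself are constructed assumptions; the level semantics and the rule that the CJT fields (jurisdiction, legal basis, purpose class) survive every level follow the page.

```python
import copy
import hashlib
import json

# Regulatory traceability fields that survive every clearing level (per the page).
CJT_FIELDS = ("jurisdiction", "legal_basis", "purpose_class")
# Raw model I/O, stripped at level 1 (Standard) and above.
RAW_FIELDS = ("prompt", "response")
# The cryptographic proof, the only operational content left at level 3.
PROOF_FIELDS = ("fingerprint", "signature", "ts")
# Level 2 (Sensitive) additionally keeps the procedure id and verdict.
LEVEL2_FIELDS = ("procedure", "verdict")

# Constructed sample witness record; not real telemetry.
SAMPLE_RECORD = {
    "procedure": "AI-TOOL.1",
    "verdict": "pass",
    "agent_id": "agent-a",
    "model": "example-model",
    "prompt": "Summarise the quarterly report",
    "response": "The report shows revenue of ...",
    "factors": {"tool": "read_file", "latency_ms": 42},
    "signature": "placeholder-signature",
    "ts": 1700000000,
    "jurisdiction": "US",
    "legal_basis": "contract",
    "purpose_class": "analytics",
}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(record: dict) -> str:
    """SHA-256 over the full record (minus any existing fingerprint). Computed
    before purging, so a cleared record stays bound to the original that is
    retained inside the enclave."""
    body = {k: v for k, v in record.items() if k != "fingerprint"}
    return hashlib.sha256(canonical(body)).hexdigest()


def clear(record: dict, level: int) -> dict:
    """Return a copy of `record` purged to `level` (0-3). The input is never
    mutated; the caller keeps the full record inside the boundary."""
    if level not in (0, 1, 2, 3):
        raise ValueError(f"unknown clearing level: {level}")
    out = copy.deepcopy(record)
    out.setdefault("fingerprint", fingerprint(record))
    if level == 0:                      # Analytics: nothing purged
        return out
    if level == 1:                      # Standard: raw text only
        for field in RAW_FIELDS:
            out.pop(field, None)
        return out
    keep = set(CJT_FIELDS) | set(PROOF_FIELDS)
    if level == 2:                      # Sensitive: context metadata stripped
        keep |= set(LEVEL2_FIELDS)
    return {k: v for k, v in out.items() if k in keep}   # level 3: surgical purge


def matches_original(cleared: dict, full: dict) -> bool:
    """Audit check: does this exported record derive from this retained one?"""
    return cleared.get("fingerprint") == fingerprint(full)


if __name__ == "__main__":
    for lvl in range(4):
        print(lvl, sorted(clear(SAMPLE_RECORD, lvl)))
```

Note that the fingerprint is taken over the complete record and then carried through every level, which is what lets an auditor later match a level-3 export against the full record retained in the enclave without the export itself disclosing any operational data.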

7. NSA-5: Tool Name Collision and Drift Detection

NSA Recommendation 5

Detect tool name collisions and behavioral drift across sessions

The NSA identifies tool inventory drift as a risk: a tool's name, description, or parameter schema may change between sessions without the operator's knowledge, potentially introducing malicious behavior under a trusted tool name.

SWT3 Coverage: Full. Every tool call is witnessed with its name and parameters recorded in the anchor:

Procedures: AI-TOOL.1 (tool call witnessing), AI-BASE.1 (behavioral baseline)
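The drift risk described above can be checked mechanically by fingerprinting each tool a server advertises and diffing the fingerprints across sessions. The example below is added for this page and is not SWT3's AI-TOOL.1 or AI-BASE.1 implementation: it hashes the name, description and inputSchema fields that an MCP tools/list entry carries, and the two sample inventories are constructed, not captured from a real server.

```python
import hashlib
import json


def tool_fingerprint(tool: dict) -> str:
    """Hash of the fields a tools/list entry exposes: name, description and the
    JSON schema of its parameters. Any change to any of them changes the hash."""
    canon = json.dumps(
        {"name": tool["name"],
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def baseline(tools: list) -> dict:
    """Capture a session's inventory as name -> fingerprint for later comparison."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def detect_drift(baseline_fps: dict, tools: list) -> list:
    """Compare a fresh tools/list against a baseline. Returns sorted
    (finding, tool_name) pairs: collision (same name advertised twice),
    drift (name kept but description or schema changed), new_tool, removed."""
    findings = []
    current = {}
    for t in tools:
        name = t["name"]
        if name in current:
            findings.append(("collision", name))
            continue
        current[name] = tool_fingerprint(t)
    for name, fp in current.items():
        if name not in baseline_fps:
            findings.append(("new_tool", name))
        elif fp != baseline_fps[name]:
            findings.append(("drift", name))
    for name in baseline_fps:
        if name not in current:
            findings.append(("removed", name))
    return sorted(findings)


# Constructed sample inventories (not captured from a real server).
BASELINE_TOOLS = [
    {"name": "read_file", "description": "Read a file",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
    {"name": "search", "description": "Search documents",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}}},
]
# Later session: read_file gained a parameter, search is advertised twice
# (the second copy with a different schema), and an unknown "exec" tool appeared.
SESSION_TOOLS = [
    {"name": "read_file", "description": "Read a file",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"},
                                                       "url": {"type": "string"}}}},
    BASELINE_TOOLS[1],
    {"name": "search", "description": "Search documents",
     "inputSchema": {"type": "object", "properties": {"q": {"type": "string"},
                                                       "raw": {"type": "boolean"}}}},
    {"name": "exec", "description": "Execute", "inputSchema": {"type": "object"}},
]


if __name__ == "__main__":
    for finding in detect_drift(baseline(BASELINE_TOOLS), SESSION_TOOLS):
        print(*finding)
```

Storing the baseline fingerprints in the witness record for each session is what makes the comparison auditable later: the operator can show not only that a tool changed, but exactly which session first observed the changed definition.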

8. NSA-6: Detailed Audit Logging for SIEM

NSA Recommendation 6

Maintain structured audit records of MCP tool interactions feeding into SIEM

The NSA recommends comprehensive logging of all MCP interactions with signed action receipts, webhook integration, and bidirectional JSON-RPC scanning with audit trails.

SWT3 Coverage: Full. SWT3 provides three independent audit data paths:

Procedures: Every SWT3 procedure produces an audit record. AI-INF.1 (inference provenance) is the foundational audit anchor.

9. NSA-7: Local MCP Server Discovery Scanning

NSA Recommendation 7

Scan for MCP servers in the local environment before deployment

The NSA recommends pre-deployment discovery of MCP servers to identify unauthorized or rogue server instances.

Outside SWT3 scope. This is a pre-deployment network scanning control. SWT3 operates at runtime, not at the deployment scanning layer. Organizations should use existing asset discovery tools (Nmap, Tenable, CrowdStrike Falcon) for this recommendation. SWT3's swt3 doctor CLI validates the local configuration and connectivity of the intended MCP server.

10. NSA-8: Content Validation, Rate Limiting, and Policy

NSA Recommendation 8

Apply content validation, rate limiting, and application-specific policy enforcement

The NSA recommends length caps, keyword scanning, rate limiting, and application-specific policy enforcement as runtime controls for MCP interactions.

SWT3 Coverage: Full. The mcp_policy section of .swt3.yaml provides declarative policy enforcement:
# .swt3.yaml
mcp_policy:
  witnessed_tools: ["*"]
  auto_witness: true
  block_on_failure: true
  max_velocity: "10/60s"       # Max 10 tool calls per 60 seconds
  max_chain_depth: 8           # Max 8 sequential invocations
  max_tokens_per_session: 25000
  tool_blocklist:
    - "shell_*"
    - "exec_*"
    - "delete_*"
  fail_secure: true

density_policy:
  min_anchors_per_1000_tokens: 2
  max_chain_gap_seconds: 300

Policy enforcement is evaluated entirely in-memory by the ChainEnforcer with zero network calls and zero added latency. Seven built-in profiles ship with the SDK, including owasp-agentic-top10 (aligned with OWASP Agentic Top 10) and cost-conscious (token budget governance).

Procedures: AI-GRD.3 (gatekeeper mode), AI-CHAIN.1 (chain monitoring)
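The five enforcement layers of section 4 (blocklist, allowlist, velocity, chain depth, token budget) and the mcp_policy keys shown in this section describe one in-memory policy check. The added example below implements that check for illustration; it is not SWT3's ChainEnforcer. The config keys and the max_velocity "N/Ms" syntax are the page's; the class name, the decide() method, the violation-record fields and the sample policy (a dict mirroring the YAML above, with the velocity lowered to 3/60s so the limit triggers quickly) are assumptions.

```python
import re
from collections import deque
from fnmatch import fnmatch


class ToolPolicy:
    """Evaluates one agent session against mcp_policy-style keys, entirely in
    memory. Class and method names are assumptions for this example."""

    def __init__(self, cfg: dict):
        self.blocklist = list(cfg.get("tool_blocklist", []))
        self.allowlist = cfg.get("tool_allowlist")   # None: no allowlist defined
        self.max_velocity = None                     # (calls, window_seconds)
        if "max_velocity" in cfg:
            m = re.fullmatch(r"(\d+)/(\d+)s", cfg["max_velocity"])
            if not m:
                raise ValueError(f"bad max_velocity: {cfg['max_velocity']!r}")
            self.max_velocity = (int(m.group(1)), int(m.group(2)))
        self.max_depth = cfg.get("max_chain_depth")
        self.max_tokens = cfg.get("max_tokens_per_session")
        self.fail_secure = cfg.get("fail_secure", True)
        self.recent = deque()   # timestamps of calls inside the velocity window
        self.depth = 0          # sequential invocations so far this session
        self.tokens = 0         # cumulative tokens so far this session
        self.violations = []    # violation records minted so far

    def _violated_rule(self, tool: str, tokens: int, now: float):
        if any(fnmatch(tool, p) for p in self.blocklist):
            return "tool_blocklist"
        if self.allowlist is not None and not any(fnmatch(tool, p) for p in self.allowlist):
            return "tool_allowlist"
        if self.max_depth is not None and self.depth + 1 > self.max_depth:
            return "max_chain_depth"
        if self.max_tokens is not None and self.tokens + tokens > self.max_tokens:
            return "max_tokens_per_session"
        if self.max_velocity is not None:
            limit, window = self.max_velocity
            while self.recent and now - self.recent[0] >= window:
                self.recent.popleft()   # slide the window forward
            if len(self.recent) + 1 > limit:
                return "max_velocity"
        return None

    def decide(self, tool: str, tokens: int, now: float):
        """Return (allowed, rule). With fail_secure the call is blocked before
        execution; otherwise it proceeds but the violation is still recorded."""
        rule = self._violated_rule(tool, tokens, now)
        if rule is not None:
            self.violations.append({"tool": tool, "rule": rule, "ts": now,
                                    "blocked": self.fail_secure})
            if self.fail_secure:
                return False, rule
        self.recent.append(now)
        self.depth += 1
        self.tokens += tokens
        return True, rule


# Constructed dict form of the mcp_policy block (avoids a YAML dependency);
# limits are deliberately small so every rule can be seen firing.
EXAMPLE_POLICY = {
    "max_velocity": "3/60s",
    "max_chain_depth": 5,
    "max_tokens_per_session": 1000,
    "tool_blocklist": ["shell_*", "exec_*", "delete_*"],
    "fail_secure": True,
}


if __name__ == "__main__":
    policy = ToolPolicy(EXAMPLE_POLICY)
    for t, call in enumerate(["shell_run", "read_file", "read_file", "read_file", "read_file"]):
        print(call, policy.decide(call, 100, float(t)))
```

The rule order matters for what the violation record says: a blocklisted tool is reported as a blocklist hit even if the session is also over its velocity limit, which keeps the anchors readable when a flood of forbidden calls arrives.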

11. NSA-9: Indirect Prompt Injection Detection

NSA Recommendation 9

Detect indirect prompt injection and toolchain pivot attempts

The NSA identifies indirect prompt injection as a systemic MCP risk: an attacker embeds instructions in tool output that cause the agent to invoke additional tools or exfiltrate data through unintended channels.

SWT3 Coverage: Full. SWT3 provides guardrail witnessing and violation detection:

SWT3 does not perform injection detection itself -- that is the role of the guardrail tooling (Lakera, Rebuff, custom filters). SWT3 witnesses whether the guardrails were present, active, and effective, creating the audit trail that proves the control was operational at the time of the interaction.

12. Configuration Example

A .swt3.yaml configuration addressing all 7 applicable NSA recommendations:

# .swt3.yaml -- NSA AISC MCP Security Alignment
clearing_level: 2              # NSA-4: Output filtering (Sensitive)

policy:
  require_signing: true        # NSA-3: Message integrity
  require_agent_id: true       # Agent identity for attribution
  min_clearing_level: 1        # Minimum clearing enforcement
  required_procedures:
    - AI-INF.1                 # NSA-6: Audit logging
    - AI-GRD.1                 # NSA-9: Guardrail presence
    - AI-TOOL.1                # NSA-5: Tool witnessing
    - AI-CHAIN.1               # NSA-2: Chain monitoring

trust_mesh:
  mode: strict                 # NSA-3: Trust verification
  require_signature: true
  freshness_window: 1800

mcp_policy:
  witnessed_tools: ["*"]       # NSA-5: Tool inventory
  auto_witness: true
  block_on_failure: true       # NSA-2: Fail-secure
  max_velocity: "10/60s"       # NSA-8: Rate limiting
  max_chain_depth: 8           # NSA-2: Depth constraint
  max_tokens_per_session: 50000
  tool_blocklist:              # NSA-2: Tool blocklist
    - "shell_*"
    - "exec_*"
    - "run_command"
    - "delete_*"
  fail_secure: true

density_policy:
  min_anchors_per_1000_tokens: 3
  max_chain_gap_seconds: 120
  require_signing_key: true    # NSA-3: Signed receipts

merkle:
  enabled: true                # NSA-3: Tamper evidence
  accumulator_interval: 30

13. References