MCP SERVER SECURITY
Guidance for Responsible and Safe Usage
Maryland Department of Information Technology (DoIT)
- An Intro to MCP Servers
- Security Risk Landscape
- DoIT's Vetting Criteria for MCP Servers
- Safe Usage Guidelines for Maryland's State Staff
- Special Guidance: BYOD, Desktop Clients & Browser Agents
- Incident Response
- Accountability
- Responsible AI Governance
1. An Intro to MCP Servers
Model Context Protocol (MCP) servers are software bridges connecting AI assistants to external systems (email, calendars, databases, file systems, code repositories, and enterprise SaaS tools). When MCP is enabled, the AI can take actions on your behalf: reading files, sending messages, querying databases, or executing commands. MCP is an open source standard with a public registry. This document establishes DoIT’s guidance for evaluating, approving, and safely operating MCP servers, including desktop clients and browser-based agents.
Desktop MCP clients run servers locally on your machine with access to your file system, environment variables, and local tools. Browser-based MCP agents interact with web content and online services in real time and may access authenticated sessions already open in your browser.
2. Security Risk Landscape
The MCP ecosystem is growing rapidly but still maturing from a security standpoint. Key risks include:
| Risk | Description |
| --- | --- |
| Identity Boundary Collapse | When an AI agent operates through MCP servers, it acts with the full authority of the authenticated user. The system cannot distinguish between a human clicking and an AI agent acting on their behalf. |
| Prompt Injection | Malicious instructions hidden in documents, emails, or web pages can be executed by an MCP-connected AI agent with tool access, bypassing normal safeguards. The agent treats the tool access as trusted. |
| Tool Poisoning | Attackers alter descriptions/behaviors of tools registered within an approved MCP server, causing the AI to perform unauthorized actions or exfiltrate data. |
| Excessive Permissions | Analysis of 2,500+ MCP plugins found many had overly broad access (file system, shell, network) granted simultaneously without scoping. |
| Insecure Credentials | Of 5,200 open-source MCP servers analyzed, 53% rely on static API keys; only 8.5% use OAuth. Hardcoded credentials are easily leaked. |
| Supply Chain Attacks | Malicious packages mimicking trusted ones on npm/PyPI. A vulnerability in mcp-remote (CVE-2025-6514, CVSS 9.6) compromised 437,000+ environments. |
| Desktop/Local Risks | Local MCP servers execute code directly on the user’s machine. If misconfigured, they may listen on all network interfaces (not just localhost), lack authentication, or execute OS commands with full user privileges. |
| Browser Agent Risks | Browser-based MCP agents operate within your active browser session, which may already be authenticated to sensitive enterprise systems. This may enable man-in-the-browser attacks, unintended session access, and phishing-triggered actions. |
| Confused Deputy | An MCP server may perform operations with broader privileges than the triggering user was meant to have. |
| Inadequate Audit Logging | The ecosystem lacks standardized audit logging, making incident investigation and compliance reporting extremely difficult. |
3. DoIT's Vetting Criteria for MCP Servers
Approval Before Use: No MCP server may be connected to enterprise systems without prior review and approval by the Office of Security Management (OSM). Submit requests through the DoIT Intake Process (email [email protected], cc your agency’s portfolio officer). “Shadow” MCP servers—those installed without DoIT knowledge—are prohibited.
Server Vetting Criteria:
| Criteria | Requirement |
| --- | --- |
| Source/Publisher | Known, reputable vendor or verified open-source project |
| Authentication | Must support OAuth 2.1 or equivalent; static keys are disqualifying |
| Code Signing | Server binaries/packages must be cryptographically signed |
| Scope of Access | Minimum required permissions only |
| Audit Logging | Tamper-resistant logs of all tool invocations |
| Vulnerability History | Review CVE databases and recent disclosures |
| Data Handling | Must comply with DoIT Data Classification Policy |
Approved Server Registry: OSM will maintain a registry of approved MCP servers as part of the State's AI inventory. Users must only connect servers from this registry. If a server you want is not on the registry, submit a request for review.
4. Safe Usage Guidelines for All Staff
| Do / Don't | Guideline |
| --- | --- |
| Do | Only connect to DoIT-approved MCP servers |
| Do | Apply least privilege—grant only permissions needed for your specific task |
| Do | Read confirmation prompts carefully before MCP tools execute; decline if unclear |
| Do | Treat external content (documents, emails, web pages) with skepticism—they may contain hidden instructions |
| Do | Report unusual agent behavior to the MD-SOC immediately |
| Do | Keep client software and MCP server packages updated promptly |
| Don't | Connect personal/third-party MCP servers to State systems without approval |
| Don't | Share MCP configuration files (may contain credentials) via email, chat, or version control |
| Don't | Grant shell/OS command access unless explicitly required and approved |
| Don't | Allow MCP servers to bind to 0.0.0.0 (unrestricted network listening) |
| Don't | Assume first-party servers are fully safe—even known vendors have had incidents |
| Don't | Process Level 3-Confidential or Level 4-Restricted data without explicit authorization and approved configuration |
5. Special Guidance: BYOD, Desktop Clients & Browser Agents
5.1 BYOD — Default Position: Prohibited
Connecting any MCP server to State systems from a personal, unmanaged device is prohibited (see DoIT's IT Acceptable Use Policy), even if the MCP server itself is on the approved registry. Exceptions require explicit written OSM approval.
Minimum Device Requirements for OSM to Consider Exception:
| Requirement | Minimum Standard |
| --- | --- |
| MDM Enrollment | Device enrolled in DoIT's MDM platform |
| OS & Patches | Vendor-supported OS with current security patches |
| Endpoint Protection | Approved antivirus/EDR installed and active |
| Screen Lock | Auto-lock after ≤5 minutes of inactivity |
| Disk Encryption | Full disk encryption enabled (BitLocker, FileVault) |
| MCP Client | Only DoIT-approved AI client software |
| No Jailbreak/Root | Device must not be jailbroken or rooted |
Key BYOD Rules: Never store State credentials in plaintext MCP config files on personal devices—use a secrets manager. Browser-based MCP agents on personal devices require a dedicated browser profile exclusively for State tasks with no personal accounts, extensions, or saved credentials. Shadow MCP installations on personal devices are policy violations subject to access revocation and disciplinary action.
BYOD Incident Response: (1) Disconnect the MCP server and revoke tokens immediately. (2) Do not wipe the device—preserve forensic evidence. (3) Contact the MD-SOC within 1 hour. (4) Device may be required for forensic review per DoIT's Acceptable Use Policy.
5.2 Desktop MCP Clients
Desktop clients run MCP servers as local processes with significant system access. Sandbox servers in containers or VMs where possible. Review each server’s directory, port, and service access at installation. Disable unused servers. Rotate API keys every 90 days (non-OAuth) and annually for other credentials.
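As an added example (not part of DoIT's guidance or any DoIT tooling), the following Python script supports the installation-time review described above by checking a desktop MCP client configuration against three of the Section 4 "Don't" rules: credentials stored in plaintext, binding to 0.0.0.0, and launching a server through a shell interpreter. It assumes the common desktop-client layout of a JSON file with an `mcpServers` object whose entries carry `command`, `args` and `env`; the sample configuration, server names and secret values are constructed for illustration.

```python
import json
import re

# Constructed sample config (not a real deployment): one compliant server and one that
# breaks several Section 4 rules. Assumed layout: {"mcpServers": {name: {command, args, env}}}.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "docs-search": {
      "command": "npx",
      "args": ["-y", "@example/docs-mcp", "--host", "127.0.0.1", "--port", "8931"],
      "env": {"DOCS_TOKEN_FILE": "/run/secrets/docs_token"}
    },
    "ops-helper": {
      "command": "bash",
      "args": ["-c", "python3 ops_server.py --host 0.0.0.0 --port 9000"],
      "env": {"API_KEY": "sk-live-0123456789abcdef", "DB_PASSWORD": "hunter2"}
    }
  }
}"""

SHELL_INTERPRETERS = {"bash", "sh", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
SECRET_NAME_RE = re.compile(r"key|token|secret|password|passwd", re.IGNORECASE)


def is_secret_reference(value: str) -> bool:
    """True when an env value points at a secret (file path or ${VAR}) rather than containing it."""
    return value.startswith(("/", "${"))


def audit_mcp_config(config_text: str) -> dict[str, list[str]]:
    """Map each non-compliant server name to its list of Section 4 findings."""
    findings: dict[str, list[str]] = {}
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        issues: list[str] = []
        command = str(spec.get("command", "")).lower().rsplit("/", 1)[-1]
        joined_args = " ".join(str(a) for a in spec.get("args", []))
        # Don't: allow MCP servers to bind to 0.0.0.0 (unrestricted network listening).
        if "0.0.0.0" in joined_args or "[::]" in joined_args:
            issues.append("binds to all interfaces")
        # Don't: grant shell/OS command access unless explicitly required and approved.
        if command in SHELL_INTERPRETERS:
            issues.append(f"launched via shell interpreter '{command}'")
        # Don't: keep credentials in plaintext config files; reference a secrets manager instead.
        for key, value in spec.get("env", {}).items():
            if SECRET_NAME_RE.search(key) and not is_secret_reference(str(value)):
                issues.append(f"plaintext credential in env '{key}'")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_mcp_config(SAMPLE_CONFIG)` flags only `ops-helper`; the `docs-search` entry passes because it binds to localhost and references its token through a file path rather than embedding it.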
5.3 Browser-Based MCP Agents
Browser agents operate in an especially sensitive context because they share your authenticated sessions—they can act on any site you are logged into, not just the one you directed them to. Do not use browser agents while authenticated to high-sensitivity systems (HR, financial, admin consoles) unless specifically approved. Use dedicated browser profiles for agent tasks. Avoid directing agents to process untrusted websites.
6. Incident Response
If you suspect an MCP server has behaved maliciously, taken unauthorized actions, or exposed sensitive data:
- Disconnect the MCP server immediately from your AI client.
- Do not investigate or remediate independently. Preserve logs and configuration files.
- Contact the MD-SOC within 1 hour (24x7): Online: doitmaryland.service-now.com/cybersecurityincident/ | Email: [email protected] | Phone: 410-697-9700, option 5
- Document what happened: the task, the agent’s actions, and affected systems/data.
The MD-SOC will conduct forensic analysis, notify affected parties, and determine regulatory reporting obligations.
7. Accountability
Individual users: Use only approved MCP servers; follow Section 4 guidelines.
Team leads/managers: Ensure team awareness; report shadow MCP deployments to OSM.
DoIT OSM: Maintain approved registry within the State's AI inventory; conduct periodic audits; publish updated guidance.
8. Responsible AI Governance
All MCP deployments are subject to the State of Maryland's Responsible AI Policy and its seven Guiding Principles, the AI Implementation Guidance, and the Data Classification Policy. Where this document and State policy conflict, State policy governs.
Guiding Principles Applied to MCP:
| Principle | MCP Obligation |
| --- | --- |
| Human-Centered Design | Agents augment, not replace, human judgment. Autonomous public-facing actions require human review. |
| Security & Safety | All servers must pass vetting criteria in Section 3. |
| Privacy | Agents must not process PII beyond what is necessary for the approved use case. |
| Transparency | Staff/constituents informed when AI is involved; tool invocations logged. |
| Equity | Agents affecting constituents evaluated for bias; high-risk cases need formal AI Risk Assessment. |
| Accountability | Each deployment has a named AI lead responsible for compliance. |
| Effectiveness | Servers must deliver reliable, accurate outputs with periodic review. |
AI Risk Classification:
| Tier | Requirements |
| --- | --- |
| Unacceptable | Prohibited. No fully automated decision-making violating fundamental rights, covert biometric ID, social scoring, emotion analysis, or cognitive manipulation. |
| High-Risk | Enhanced controls: AI Risk Assessment, documented mitigation, ongoing monitoring, named human oversight, agency AI lead approval + DoIT notification. Applies to health, safety, law enforcement, eligibility, financial/legal rights, Level 3–4 data. |
| Limited Risk | Standard DoIT intake + server vetting. Internal efficiency tools on Level 1–2 data without autonomous constituent-affecting decisions. |
| Minimal Risk | Standard DoIT intake; no additional AI-specific controls beyond this document. |
Data Classification & MCP Access:
| Data Level | MCP Access Guidance |
| --- | --- |
| Level 1 – Public | Permitted with standard intake and approved server |
| Level 2 – Protected | Permitted with standard intake, approved server, and audit logging enabled |
| Level 3 – Confidential | High-risk controls; AI Risk Assessment mandatory; human oversight for any agent action |
| Level 4 – Restricted | High-risk controls; explicit written authorization from agency head; no BYOD access |
Human Oversight: Irreversible actions (deletions, official communications, form submissions, DB modifications) require explicit human confirmation. Constituent-facing decisions need human review. Chained/multi-step workflows require scrutiny at each step. Staff must be able to explain what an agent did and why.
Prohibited Uses: Real-time/covert biometric identification, emotion analysis, social scoring, cognitive behavioral manipulation, and fully automated agentic decisions in Unacceptable Risk categories with no human in the loop.
Sunset & Retirement: Deployments that no longer meet their purpose, produce biased/harmful outputs, or are reclassified to a higher risk tier must be halted (unless excepted by the agency head), reported to DoIT/AI Subcabinet for high-risk cases, remediated if cessation would disrupt services, and removed from the active AI Inventory.