MCP SERVER SECURITY
Guidance for Responsible and Safe Usage
Maryland Department of Information Technology (DoIT)
- An Intro to MCP Servers
- Security Risk Landscape
- DoIT's Vetting Criteria for MCP Servers
- Safe Usage Guidelines for Maryland's State Staff
- Special Guidance: BYOD, Desktop Clients & Browser Agents
- Incident Response
- Accountability
- Responsible AI Governance
1. An Intro to MCP Servers
Model Context Protocol (MCP) servers are software bridges connecting AI assistants to external systems (email, calendars, databases, file systems, code repositories, and enterprise SaaS tools). When MCP is enabled, the AI can take actions on your behalf: reading files, sending messages, querying databases, or executing commands. MCP is an open source standard with a public registry. This document establishes DoIT’s guidance for evaluating, approving, and safely operating MCP servers, including desktop clients and browser-based agents.
Desktop MCP clients run servers locally on your machine with access to your file system, environment variables, and local tools. Browser-based MCP agents interact with web content and online services in real time and may access authenticated sessions already open in your browser.
2. Security Risk Landscape
The MCP ecosystem is growing rapidly but still maturing from a security standpoint. Key risks include:
| Risk | Description |
|---|---|
| Identity Boundary Collapse | When an AI agent operates through MCP servers, it acts with the full authority of the authenticated user. The system cannot distinguish between a human clicking and an AI agent acting on their behalf. |
| Prompt Injection | Malicious instructions hidden in documents, emails, or web pages can be executed by an MCP-connected AI agent with tool access, bypassing normal safeguards. The agent treats the tool access as trusted. |
| Tool Poisoning | Attackers alter descriptions/behaviors of tools registered within an approved MCP server, causing the AI to perform unauthorized actions or exfiltrate data. |
| Excessive Permissions | Analysis of 2,500+ MCP plugins found many had overly broad access (file system, shell, network) granted simultaneously without scoping. |
| Insecure Credentials | Of 5,200 open-source MCP servers analyzed, 53% rely on static API keys; only 8.5% use OAuth. Hardcoded credentials are easily leaked. |
| Supply Chain Attacks | Malicious packages mimicking trusted ones on npm/PyPI. A vulnerability in mcp-remote (CVE-2025-6514, CVSS 9.6) compromised 437,000+ environments. |
| Desktop/Local Risks | Local MCP servers execute code directly on the user’s machine. If misconfigured, they may listen on all network interfaces (not just localhost), lack authentication, or execute OS commands with full user privileges. |
| Browser Agent Risks | Browser-based MCP agents operate within your active browser session, which may already be authenticated to sensitive enterprise systems. This may enable man-in-the-browser attacks, unintended session access, and phishing-triggered actions. |
| Confused Deputy | An MCP server may perform operations with broader privileges than the triggering user was meant to have. |
| Inadequate Audit Logging | The ecosystem lacks standardized audit logging, making incident investigation and compliance reporting extremely difficult. |
3. DoIT's Vetting Criteria for MCP Servers
Approval Before Use: No MCP server may be connected to enterprise systems without prior review and approval by the Office of Security Management (OSM). Submit requests through the DoIT Intake Process (email [email protected], cc your agency’s portfolio officer). “Shadow” MCP servers—those installed without DoIT knowledge—are prohibited.
Server Vetting Criteria:
| Criteria | Requirement |
|---|---|
| Source/Publisher | Known, reputable vendor or verified open-source project |
| Authentication | Must support OAuth 2.1 or equivalent; static keys are disqualifying |
| Code Signing | Server binaries/packages must be cryptographically signed |
| Scope of Access | Minimum required permissions only |
| Audit Logging | Tamper-resistant logs of all tool invocations |
| Vulnerability History | Review CVE databases and recent disclosures |
| Data Handling | Must comply with DoIT Data Classification Policy |
Approved Server Registry: OSM will maintain a registry of approved MCP servers as part of the State's AI inventory. Users must only connect servers from this registry. If a server you want is not on the registry, submit a request for review.
4. Safe Usage Guidelines for All Staff
| Do / Don't | Guideline |
|---|---|
| Do | Only connect to DoIT-approved MCP servers |
| Do | Apply least privilege—grant only permissions needed for your specific task |
| Do | Read confirmation prompts carefully before MCP tools execute; decline if unclear |
| Do | Treat external content (documents, emails, web pages) with skepticism—they may contain hidden instructions |
| Do | Report unusual agent behavior to the MD-SOC immediately |
| Do | Keep client software and MCP server packages updated promptly |
| Don't | Connect personal/third-party MCP servers to State systems without approval |
| Don't | Share MCP configuration files (may contain credentials) via email, chat, or version control |
| Don't | Grant shell/OS command access unless explicitly required and approved |
| Don't | Allow MCP servers to bind to 0.0.0.0 (unrestricted network listening) |
| Don't | Assume first-party servers are fully safe—even known vendors have had incidents |
| Don't | Process Level 3-Confidential or Level 4-Restricted data without explicit authorization and approved configuration |
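The Section 3 vetting criteria and the Section 4 Don'ts above can be checked mechanically against a client's MCP configuration. The script below is an added example, not DoIT tooling; it assumes the common client layout where servers sit under an `mcpServers` object with `command`, `args` and `env` keys, and uses a constructed sample config and a hypothetical approved registry.

```python
import json
import re

# Constructed sample config in the common MCP client shape (assumption: the client
# keeps servers under "mcpServers" as {name: {"command", "args", "env"}}).
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "calendar": {"command": "npx", "args": ["-y", "calendar-mcp"],
                 "env": {"CAL_API_KEY": "constructed-static-key"}},
    "files":    {"command": "python", "args": ["fs_server.py", "--host", "0.0.0.0"],
                 "env": {}},
    "shell":    {"command": "node", "args": ["shell-mcp.js"], "env": {}}
  }
}
""")

# Hypothetical approved registry (Section 3); in practice this comes from OSM's list.
APPROVED = {"calendar", "files"}
STATIC_CRED_RE = re.compile(r"api_?key|token|secret|password", re.IGNORECASE)
SHELL_HINTS = ("shell", "bash", "exec", "terminal")


def audit_config(config: dict, approved: set) -> dict:
    """Map each server name to the Section 3/4 findings it triggers (empty dict = clean)."""
    findings = {}
    for name, spec in config.get("mcpServers", {}).items():
        issues = []
        if name not in approved:
            issues.append("not in approved registry")
        args = [str(a) for a in spec.get("args", [])]
        if any("0.0.0.0" in a for a in args):
            issues.append("binds to 0.0.0.0 (unrestricted network listening)")
        for var in spec.get("env", {}):
            if STATIC_CRED_RE.search(var):
                issues.append(f"static credential in config: {var}")
        surface = " ".join([name, str(spec.get("command", "")), *args]).lower()
        if any(h in surface for h in SHELL_HINTS):
            issues.append("shell/OS command access (requires explicit approval)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for server, issues in audit_config(SAMPLE_CONFIG, APPROVED).items():
        print(f"{server}: " + "; ".join(issues))
```

The name-based shell heuristic is deliberately coarse; a server's actual tool list should be reviewed during OSM vetting rather than inferred from its package name.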
5. Special Guidance: BYOD, Desktop Clients & Browser Agents
- 5.1 BYOD — Default Position: Prohibited
- 5.2 Desktop MCP Clients
- 5.3 Browser-Based MCP Agents
6. Incident Response
If you suspect an MCP server has behaved maliciously, taken unauthorized actions, or exposed sensitive data:
- Disconnect the MCP server immediately from your AI client.
- Do not investigate or remediate independently. Preserve logs and configuration files.
- Contact the MD-SOC within 1 hour (24x7): Online: For cybersecurity incident report | Email: [email protected] | Phone: 410-697-9700, option 5
- Document what happened: the task, the agent’s actions, and affected systems/data.
The MD-SOC will conduct forensic analysis, notify affected parties, and determine regulatory reporting obligations.
7. Accountability
Individual users: Use only approved MCP servers; follow Section 4 guidelines.
Team leads/managers: Ensure team awareness; report shadow MCP deployments to OSM.
DoIT OSM: Maintain approved registry within the State's AI inventory; conduct periodic audits; publish updated guidance.
8. Responsible AI Governance
All MCP deployments are subject to the State of Maryland's Responsible AI Policy and its seven Guiding Principles, the AI Implementation Guidance, and the Data Classification Policy. Where this document and State policy conflict, State policy governs.
Guiding Principles Applied to MCP:
| Principle | MCP Obligation |
|---|---|
| Human-Centered Design | Agents augment, not replace, human judgment. Autonomous public-facing actions require human review. |
| Security & Safety | All servers must pass vetting criteria in Section 3. |
| Privacy | Agents must not process PII beyond what is necessary for the approved use case. |
| Transparency | Staff/constituents informed when AI is involved; tool invocations logged. |
| Equity | Agents affecting constituents evaluated for bias; high-risk cases need formal AI Risk Assessment. |
| Accountability | Each deployment has a named AI lead responsible for compliance. |
| Effectiveness | Servers must deliver reliable, accurate outputs with periodic review. |
AI Risk Classification:
| Tier | Requirements |
|---|---|
| Unacceptable | Prohibited. No fully automated decision-making violating fundamental rights, covert biometric ID, social scoring, emotion analysis, or cognitive manipulation. |
| High-Risk | Enhanced controls: AI Risk Assessment, documented mitigation, ongoing monitoring, named human oversight, agency AI lead approval + DoIT notification. Applies to health, safety, law enforcement, eligibility, financial/legal rights, Level 3–4 data. |
| Limited Risk | Standard DoIT intake + server vetting. Internal efficiency tools on Level 1–2 data without autonomous constituent-affecting decisions. |
| Minimal Risk | Standard DoIT intake; no additional AI-specific controls beyond this document. |
Data Classification & MCP Access:
| Data Level | MCP Access Guidance |
|---|---|
| Level 1 – Public | Permitted with standard intake and approved server |
| Level 2 – Protected | Permitted with standard intake, approved server, and audit logging enabled |
| Level 3 – Confidential | High-risk controls; AI Risk Assessment mandatory; human oversight for any agent action |
| Level 4 – Restricted | High-risk controls; explicit written authorization from agency head; no BYOD access |
Human Oversight: Irreversible actions (deletions, official communications, form submissions, DB modifications) require explicit human confirmation. Constituent-facing decisions need human review. Chained/multi-step workflows require scrutiny at each step. Staff must be able to explain what an agent did and why.
Prohibited Uses: Real-time/covert biometric identification, emotion analysis, social scoring, cognitive behavioral manipulation, and fully automated agentic decisions in Unacceptable Risk categories with no human in the loop.
Sunset & Retirement: Deployments that no longer meet their purpose, produce biased/harmful outputs, or are reclassified to a higher risk tier must be halted (unless excepted by the agency head), reported to DoIT/AI Subcabinet for high-risk cases, remediated if cessation would disrupt services, and removed from the active AI Inventory.