External MCP servers are compromised, receive poisoned updates, or are sabotaged by insiders; their protocol or transport is manipulated through man-in-the-middle or downgrade attacks; or their connections are redirected through DNS and infrastructure attacks. In each case, malicious data or logic is injected into the services that agents consume.
MCP supply-chain compromise
CCC.MARefArc.TH29
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CP17 | Approved MCP server registry and lifecycle | Catalog of approved MCP servers with metadata, capabilities, configuration, and usage constraints, ensuring agents connect only to servers meeting organizational, security, and compliance requirements. |
| CCC.MARefArc.CP19 | MCP-interaction zero-trust guardrails | Enforces authentication and authorization for every MCP request and governs which agents may use which tools, applying rate limits and validating tool-call parameters. |
| CCC.MARefArc.CP08 | Built-in trusted tools | A collection of bundled, trusted tools providing fundamental capabilities: the MCP client bridge to the external MCP layer, a sandboxed shell, workspace I/O, and web search. |
Related Controls
| ID | Title | Description |
|---|---|---|
| CCC.MARefArc.CN13 | MCP Server Security Governance | Govern the onboarding, verification, and ongoing monitoring of MCP servers so that only approved, integrity-verified servers are reachable, and supply-chain compromise is detected. |
| CCC.MARefArc.CN15 | Agentic System Credential Protection Framework | Prevent agents from discovering, extracting, or misusing credentials by brokering secrets outside agent-accessible surfaces and constraining tool access to credential stores. |
External Mappings
| Framework | ID | Remarks |
|---|---|---|
| air-vec | AIR-SEC-026-01 | |
| air-vec | AIR-SEC-026-02 | |
| air-vec | AIR-SEC-026-03 | |
| air-vec | AIR-SEC-026-04 | |
| air-vec | AIR-SEC-026-05 | |