IndustrialCyber

White House rolls out NSPM-12 to boost cybersecurity governance, oversight, accountability for national security systems


The White House issued National Security Presidential Memorandum 12 (NSPM-12), establishing a new cybersecurity governance framework for National Security Systems (NSS), including military, intelligence, and other federal systems that process classified information. The memorandum re-establishes the Committee on National Security Systems (CNSS), a decades-old interagency body, and designates the National Security Agency as the National Manager for NSS cybersecurity with expanded authority to assess security posture, issue emergency directives, and coordinate government-wide cyber defense activities.

The policy seeks to create what the administration describes as a ‘proactive, adaptive, and resilient cybersecurity ecosystem’ to defend sensitive NSS against increasingly sophisticated cyber threats while strengthening accountability among agencies that own and operate those systems. NSPM-12 also sets aggressive implementation deadlines to modernize cyber oversight and incident response across the federal national security enterprise. 

Within 60 days, the NSA must propose updated incident reporting standards and thresholds for cyber incidents affecting NSS, while the CNSS is tasked with issuing a cybersecurity roadmap and harmonizing existing policies. The memorandum further requires developing baseline cybersecurity requirements that meet or exceed federal standards, reviews of cloud security configurations for classified environments, and new government-wide performance metrics to measure cyber resilience. The move signals tighter governance and centralized oversight of defense and intelligence cyber operations as the administration seeks to improve visibility, coordination, and preparedness across the nation’s most sensitive systems.

The NSPM-12 memorandum seeks to enhance national cyber defense governance and accountability by re-establishing the CNSS and defining its governance responsibilities and scope of authority. It also re-establishes and empowers a National Manager for NSS with the authority to identify emerging threats, advise the CNSS, issue emergency directives, establish authoritative minimum requirements for cryptology and cryptographic systems, and, through the CNSS, direct technical solutions for separating classification levels across systems or within the same system.

In addition, the policy aims to foster collaboration, standardization, and efficient resource management by promoting coordination and information sharing among government agencies, public-private partnerships, and international partners. It also emphasizes the efficient use of taxpayer funds in securing NSS.

The CNSS is re-established to strengthen accountability and coordination across the Department of War (DOW), the Intelligence Community (IC), and Federal Civilian Executive Branch (FCEB) agencies in implementing cybersecurity protections for NSS. The committee will operate under the coordination of a member of the National Security Council (NSC) staff, who will serve as chair.

CNSS membership will include the Secretary of War, acting through the DOW Chief Information Officer (CIO); the Director of National Intelligence (DNI), acting through the IC CIO; the Director of the Office of Management and Budget (OMB), acting through the Federal CIO; and the Director of the National Security Agency (NSA), serving as National Manager through the Deputy National Manager. Additional officials, including the Attorney General, the Secretary of Commerce, the Director of the Central Intelligence Agency (CIA), the Assistant to the President for National Security Affairs, the Assistant to the President for Science and Technology, the National Cyber Director, the Chairman of the Joint Chiefs of Staff, the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and other advisors deemed necessary, may recommend representatives to serve as advisors to the committee.

The CNSS is tasked with establishing baseline cybersecurity requirements for NSS and, through the statutory and delegated authorities of its members, holding NSS owners and operators accountable for implementing required security measures. The committee will represent the interests and requirements of the NSS ecosystem in interagency forums, public discussions, Congress, and the Council of Inspectors General on Integrity and Efficiency. It will also coordinate with shared service providers to encourage the efficient use of secure shared services and maintain a common platform for distributing CNSS guidance, decisions, requirements, and policies that can be accessed by Intelligence Community, DOW, and FCEB agencies.

Acting through its members and consistent with federal law, the CNSS is authorized to issue directives and complementary standards that apply to NSS. Agencies that own or operate NSS are required to comply with these directives and standards. When responding to a known or reasonably suspected cybersecurity threat, vulnerability, or risk, the committee may direct agency leaders, through their CIOs, Chief Information Security Officers (CISOs), or other designated officials, to take lawful actions necessary to protect or mitigate risks to affected systems.

The NSPM-12 memorandum also requires NSS to meet or exceed cybersecurity standards issued by the National Institute of Standards and Technology (NIST), unless otherwise directed by the CNSS. The committee may issue complementary standards that adapt NIST baselines for national security environments when necessary. CNSS Policy 15, its successor, or interim guidance issued by the National Manager will serve as the commercial cryptographic standard for NSS. Unless specifically exempted or supplemented by CNSS guidance, relevant NIST standards will serve as the minimum cybersecurity baseline for securing NSS.

To support its operations, the CNSS will maintain a permanent Executive Secretariat staffed by personnel provided by the National Manager, who will also supply facilities and operational support. Other agencies may be required to provide additional support as requested and consistent with applicable law. Oversight of the Executive Secretariat will be shared by the Secretary of War, acting through the DOW CIO, and the Director of National Intelligence, acting through the IC CIO. 

The Executive Secretariat will maintain an authoritative, machine-readable portal containing CNSS guidance applicable to NSS, and operate a collaborative environment accessible to NSS owners and operators across Unclassified, Secret, and Top Secret/Sensitive Compartmented Information (TS/SCI) networks.

The NSPM-12 memorandum significantly expands the role of the NSA, formally designating its director as the National Manager for NSS. In this role, the National Manager will serve as the principal technical advisor to the CNSS, providing government-wide incident response recommendations and gaining authority to issue emergency directives when significant cyber threats, vulnerabilities, or adversary targeting of NSS are identified. 

The National Manager is also established as the government’s cryptologic authority for NSS, responsible for developing and protecting cryptographic capabilities, approving security standards, evaluating cybersecurity technologies, managing key security infrastructure, and establishing minimum requirements for safeguarding cryptographic systems and materials. The role also includes authority to procure and distribute technical security equipment and services to government agencies, contractors, and foreign partners where appropriate.

Beyond cryptography, the National Manager is tasked with assessing the cybersecurity posture of NSS across the federal government, developing performance metrics, identifying vulnerabilities, operating certification and testing centers, conducting cybersecurity research, and providing technical assistance to agencies. The office will also oversee cross-domain security solutions that enable secure information sharing across classification levels, while serving as the primary advisor on technologies that separate sensitive security domains. 

The NSPM-12 memorandum further authorizes the National Manager to work closely with civilian agencies, the Office of Management and Budget, CISA, NIST, private-sector partners, academia, and international counterparts. Collectively, these responsibilities position the NSA as the central technical authority for cybersecurity governance, oversight, standards development, threat assessment, and operational resilience across the nation’s most sensitive government systems.

The document establishes an aggressive timeline for overhauling NSS cybersecurity governance. Within 30 days, the CNSS must update its governing procedures to reflect the new framework. Within 60 days, the committee is required to publish a cybersecurity roadmap and policy priorities for the coming year, while the National Manager must propose new incident reporting standards and thresholds to improve government-wide visibility into cyber incidents affecting NSS. Agencies will then be required to update their incident response policies to align with the revised reporting requirements.

The NSPM-12 policy also directs a broad review and consolidation of existing cybersecurity directives. Within 90 days, the CNSS must determine which existing National Manager directives and policies should be retained, integrated into CNSS directives, or rescinded, while reviewing current CNSS policies for harmonization or elimination. In addition, federal agencies must maintain and annually update inventories of their NSS, provide those inventories to the National Manager, and support new efforts to improve oversight and accountability across civilian, defense, and intelligence-sector systems.

Additionally, the NSPM-12 memorandum extends key cybersecurity requirements from Executive Order 14306 to NSS, with a strong focus on securing government cloud environments. Within 120 days, the CNSS must obtain cloud security configuration recommendations from accredited providers that host NSS and evaluate whether those recommendations should be adopted as government standards. The CNSS is also required, within 90 days, to issue a report on secure cloud capabilities and recommended configuration baselines for classified environments across federal agencies and review existing cloud security policies to identify updates needed for the secure hosting of NSS.

The policy also seeks to strengthen secure communications across the federal government. Recognizing the importance of secure and interoperable communications to national security missions, the memorandum directs the National Manager to develop recommendations within 90 days for government-wide voice and video communication capabilities that can be securely used across civilian agencies, the defense community, and the intelligence community. Together, these measures aim to modernize cloud security and improve trusted communications across the federal national security enterprise.


