For over 35 years, the framework governing the National Security Systems (NSS) of the United States has been governed by National Security Directive (NSD) 42, a policy set by the Bush administration in 1990. This governance model has remained static alongside three decades of adversarial evolution of tactics and technologies. The framework of NSD-42 is ineffective in protecting modern systems against a constantly evolving threat landscape. It creates fragmented accountability across the Department of Defense (DoD), the Intelligence Community (IC), and civilian agencies, lacking binding enforcement mechanisms.
What Counts as a National Security System and Why It Matters
The umbrella of NSS covers systems that process classified information or directly enable military and intelligence missions. According to definitions from the National Institute of Standards and Technology (NIST), this includes a vast range of organizations’ systems, from those concerning military command and control and weapons systems to those carrying out intelligence and cryptologic activities.
The organizations that operate these systems include government and military agencies, but also contractors and other civilian agencies. Civilian agency NSS has historically been defended to a much lower standard than its counterparts in the DoD and IC, creating a significant gap in the security of these systems as compared to government agency NSS. A National Security Presidential Memorandum, NSPM-12, was released on June 12th, 2026, as a mandate to achieve defense parity across all NSS owners and operators.
The CNSS Reconstituted
One of the stated purposes of NSPM-12 is to lay out the governance structure of the Committee on National Security Systems (CNSS). The memorandum details the restructured membership of the Department of War (DoW), IC, and Federal Chief Information Officers (CIOs) and the Director of the National Security Agency (NSA) under the coordination of a National Security Council (NSC) staff member.
The NSPM also grants the CNSS the authority to issue binding directives and complementary NIST-aligned standards to all NSS operators. This is in line with the CNSS objectives stated in the memorandum, including establishing baseline NSS cybersecurity requirements and ensuring accountability for NSS owners and operators. There is an implementation timeline set forth in the NSPM, with 30-, 60-, and 90-day deadlines creating near-term compliance milestones to effectively enforce the terms of the directive.
The NSA Elevated
NSPM-12 also positions the NSA in a new position of power regarding NSS governance. The NSA Director is formally designated by the new memorandum as the National Manager for NSS, granting the authority to unilaterally issue emergency directives. The National Manager is also appointed as the cryptologic authority for NSS, empowering them to exercise oversight of key design, standards approval, and cross-domain solutions. They are given license to assess civilian NSS posture and assign NSA personnel to the Office of the Federal CIO to improve and orient oversight across Federal Civilian Executive Board (FCEB) agencies.
Experts underline the importance of continued consideration and ongoing effort to ensure the effective implementation of NSPM-12’s requirements. “Expanding NSA’s role as National Manager for National Security Systems raises important potential challenges around oversight, coordination, and how cybersecurity responsibilities will be operationalized across civilian agencies,” says Marcus Fowler, CEO of Darktrace Federal. “Defining which systems qualify as National Security Systems, assessing current compliance gaps, and ensuring agencies have the resources necessary to meet new requirements will be critical to the memorandum’s success.”
Incident Reporting, Cloud Security, and Interoperability Requirements
NSPM-12 establishes the need for mandatory incident reporting thresholds for all events that impact NSS, ordering the National Manager to submit recommendations to the CNSS on new or modified incident reporting standards within 60 days. The CNSS is then allowed an additional 60 days to update policies and integrate the recommendations.
Baseline requirements for cloud security are outlined to protect NSS on Secret and Top Secret/Sensitive Compartmented Information (TS/SCI) classification levels. The memorandum also mandates secure, interoperable voice and video communication standards for both mobile and fixed devices across the federal enterprise.
What NSPM-12 Demands of Agency Security Leaders
Moving forward, NSPM-12 mandates and informs decisions and actions for security leaders. It lays out requirements for annual NSS inventories with machine-readable reporting to the National Manager, as well as compliance obligations that affect a wide range of agencies and operations from CNSS directives to agency CIOs and CISOs. This memorandum represents a strategic inflection point for enterprise security teams to rethink the risk posture of their classified networks.