White House Centralizes Cyber Oversight of Nat Sec Systems

A new memo directs agencies on modern cybersecurity architecture, continuous oversight and standardized reporting.

The American flag is raised on a newly-installed flagpole on the South Lawn of the White House on June 18, 2025. Photo Credit: Molly Riley/White House

Federal agencies will need to modernize the technical foundations of their cybersecurity programs to comply with a new White House directive governing the nation’s most sensitive networks, according to former Department of Homeland Security CISO Hemant Baidwan.

The changes stem from National Security Presidential Memorandum 12 (NSPM-12), signed last week by President Donald Trump. The memo establishes a unified framework for securing National Security Systems across military, intelligence and civilian networks that handle classified data while introducing stricter cybersecurity governance, technical standards and oversight.

“Some agencies are ready, but many still have legacy systems, fragmented logging, manual reporting, incomplete asset inventories, and tools that do not talk to each other,” Baidwan, who served as vice chair of the Federal CISO Council from 2024 to 2026 and is now CISO at Knox, told GovCIO Media & Research. “The goal should not be to make every environment the same. The goal should be consistent standards, better visibility and clear accountability across the federal enterprise.”

Baidwan said the memo fills longstanding governance gaps by clarifying how national security cybersecurity responsibilities are coordinated across agencies.

“The old model had too many seams. NSS cyber sat across DOW, the IC, civilian agencies and specialized national security channels. That made coordination harder and sometimes slowed execution,” said Baidwan.

The memo restructures the governing bodies responsible for protecting sensitive networks. It modernizes the Committee on National Security Systems (CNSS) for the first time in more than 35 years to establish baseline cybersecurity requirements for all NSS while strengthening accountability and coordination across agencies.

NSPM-12 also makes baselines from the National Institute of Standards and Technology (NIST) the mandatory minimum technical standard for all NSS, unless CNSS establishes complementary standards for national security environments. The change raises the compliance requirements for federal contractors and vendors that support those networks.

Baidwan said the policy will impact how industry works with national security agencies.

“It will raise the floor, but I think that is the point. Vendors that already build around NIST, FedRAMP, [risk management], secure configuration, logging and continuous monitoring will be in a much better position,” Baidwan said. “The friction will come where CNSS adds mission-specific requirements on top, especially for classified environments, cryptography, cross-domain systems and sensitive mission data. I do not see that as bad friction; I see it as necessary friction.”

NSPM-12 also establishes a phased process for modernizing incident reporting across NSS. Within 60 days, the National Manager must recommend new or updated governmentwide incident reporting standards to CNSS. After CNSS updates its policies, agencies will have 60 days to incorporate the revised standards into their incident response policies.

Baidwan said agencies will need to overcome significant infrastructure challenges to meet those requirements.

“Moving from periodic compliance reviews to machine-readable oversight is not just a policy change. It is an architecture change. Agencies will need better telemetry, cleaner inventories, stronger [security information and event management] and [security orchestration, automation and response] integration, and reporting that can be produced from systems instead of spreadsheets,” he said.

The memorandum also directs CNSS, within 120 days, to request secure cloud configuration baselines and recommendations from cloud service providers accredited to host national security systems, excluding those supporting compartmented intelligence missions.

While NSPM-12 integrates the Office of Management and Budget and the federal CIO into the governance structure to better connect civilian networks with advanced intelligence defenses, agency heads retain ultimate responsibility for managing risk within their own systems.

Baidwan said the memorandum’s success will ultimately depend on how the administration responds when agencies fail to meet its deadlines.

“The real test will be whether missed deadlines are treated as paperwork delays or actual risk decisions,” Baidwan said. “If an agency misses a deadline, there should be a clear answer on why, what risk was accepted, who accepted it and what the recovery plan is. That is how this becomes more than policy. It becomes accountability.”
