NSPM-12: The NSS cyber memo agencies cannot ignore

https://www.nextgov.com/ideas/2026/06/nspm-12-nss-cyber-memo-agencies-cannot-ignore/414190/

Publish Date: 2026-06-15 14:46:00

Source Domain: www.nextgov.com

Spend enough time in government and reading policy documents becomes second nature. You learn fast where the wiggle room usually lives. The vague timelines. The “consistent with applicable law” language that gives everyone room to slow walk implementation. NSPM-12 has less of that than most.

There are named officials. Hard deadlines. A governance body with actual authority to issue binding directives. That is different from what we usually see. For agencies that have been waiting for someone to force the issue on National Security System cybersecurity, this is that moment.

Here are three things agencies need to understand right now.

The 90-day cloud security policy deadline 

The 90-day window to update cloud security policy for National Security Systems is tight. For some agencies it will be manageable. For others it will not. Getting the right technology authorized for use inside a federal agency has historically taken years, not months. Not because people weren’t working hard. Because the process was not built for the pace this moment requires. Part of it is bureaucratic friction. Part of it is that the compliance frameworks themselves assumed timelines that no longer match the threat environment. The memo creates the urgency. Agencies need partners who can actually help them move in that window.

The inventory requirement 

Every agency must now maintain an annual inventory of every National Security System it owns or operates. That sounds simple. It is not.

Ask that question inside most large federal agencies, and the honest answer is some version of “we think we have a handle on it.” Shadow IT is real. Systems inherited through reorganizations are real. Legacy infrastructure that predates modern classification frameworks is real. Getting a clean picture of a full agency footprint is hard, even with strong leadership commitment behind it. An accurate inventory is the foundation of every other security decision an agency makes. You cannot defend what you cannot…
