
New Presidential Memorandum Imposes Sweeping Cybersecurity Requirements on National Security Systems - Defense Contractors and Federal Agencies Must Act Now

On June 12, 2026, President Trump signed National Security Presidential Memorandum 12 (NSPM-12), establishing a comprehensive new governance framework for the cybersecurity of National Security Systems (NSS). The memorandum rescinds two prior directives, National Security Directive 42 (1990) and National Security Memorandum 8 (2022), and imposes a series of mandatory compliance actions with deadlines beginning immediately.

For defense contractors, intelligence community support contractors, and federal agencies that own or operate NSS, this memorandum creates significant and immediate legal obligations.

What NSPM-12 Does

NSPM-12 re-establishes the Committee on National Security Systems (CNSS) as the principal governance body for NSS cybersecurity, with members drawn from the Department of Defense (now the Department of War), the Office of the Director of National Intelligence, and the Office of Management and Budget. It re-designates the Director of the National Security Agency as the National Manager for NSS, empowering that office to issue binding emergency directives to any federal agency, including directives requiring immediate operational changes to covered systems. The memorandum harmonizes NSS requirements with Executive Order 14306 (June 6, 2025), establishing NIST cybersecurity standards as a mandatory baseline for all NSS unless the CNSS provides otherwise.

NSS is defined broadly under 44 U.S.C. § 3552 to include systems that process classified information, involve intelligence activities, involve command and control of military forces, or are critical to the direct fulfillment of military or intelligence missions. Contractors operating such systems, including cloud service providers, managed security service providers, and systems integrators, fall squarely within the memorandum's compliance universe.

Key Compliance Deadlines

NSPM-12 establishes an aggressive implementation timeline that will generate new regulatory requirements in rapid succession:

Within 30 days (by July 12, 2026), the CNSS must revise CNSS Directive 900, updating the governing and operating procedures for the committee. Contractors should monitor these revisions closely, as they will define the procedural framework for all subsequent CNSS activity.

Within 60 days (by August 11, 2026), agencies must update their incident response policies to incorporate new NSS-specific reporting standards, once the National Manager publishes recommended thresholds. Cloud service providers accredited to host NSS must prepare to submit configuration baselines to the CNSS within 120 days. Critically, agencies and their contractors operating NSS on their behalf must maintain and annually update a formal inventory of all NSS owned or operated and make those inventories available to the National Manager.

Within 90 days (by September 10, 2026), the CNSS will complete a comprehensive review of all existing CNSS policies, directives, and instructions, with rescissions and harmonization to follow. The CNSS will also issue guidance on cloud security requirements for NSS at the Secret, Top Secret, TS/SCI, and SAP classification levels, directly affecting any contractor providing cloud-based services to the intelligence community or Department of Defense.

What This Means for Defense Contractors

Any company that owns, operates, or provides services to a system meeting the NSS definition must review its existing cybersecurity posture now. The most immediate obligations are contractual and operational: existing government contracts will need to be reviewed for cybersecurity clauses that may require updating to reflect new CNSS directives; incident response plans must be revised to align with forthcoming reporting thresholds; and NSS inventory requirements must be satisfied as an ongoing compliance matter.

The National Manager's emergency directive authority is particularly significant. Under NSPM-12, NSA can issue a directive to any agency, including civilian agencies, requiring immediate action with respect to an NSS, including systems "used or operated by another entity on behalf of an agency." This means a directive can flow directly to a contractor operating an NSS under a government contract, requiring operational changes on short notice with no requirement for the contractor's consent.

The memorandum also strengthens accountability mechanisms. The CNSS may request government-wide assessments of NSS cybersecurity posture, including performance metrics and compliance results, and CNSS findings may be reported to Congress and the Council of Inspectors General on Integrity and Efficiency. Contractors with deficient cybersecurity postures risk contract non-compliance findings, adverse past performance assessments, and potential False Claims Act exposure where cybersecurity certifications are incorporated into contract representations.

Cloud Providers and Cross-Domain Solutions

Companies providing cloud services to the federal government at classified levels face discrete obligations under NSPM-12. Within 120 days, cloud service providers accredited to host NSS must submit configuration baselines and security specifications to the CNSS, which will evaluate them against NSS requirements. Providers operating at TS/SCI and SAP classification levels should begin preparing those baseline submissions now and should expect the CNSS cloud security report, due within 90 days, to define new accreditation standards that could affect existing FedRAMP authorizations.

The memorandum also establishes NSA as the principal advisor to NSS owners and operators on cross-domain solutions, the hardware and software products that allow data to move between systems operating at different classification levels. Contractors providing or integrating cross-domain solutions should anticipate updated standards and a revised CNSS-approved products list.

How WBD Can Help

Womble Bond Dickinson's International Trade and National Security Practice attorneys advise defense contractors, intelligence community support companies, and federal agencies on the full spectrum of NSS compliance obligations. Our team has deep experience with CNSS policy frameworks, NSA technical security requirements, contracting structures, and the intersection of cybersecurity obligations with government contracts law.

Specific services include: NSS inventory audits and classification assessments; contract clause review and modification for CNSS directive compliance; incident response policy drafting and updating; cloud accreditation and FedRAMP-to-NSS gap analysis; and counsel on National Manager emergency directive response. We also advise clients on the False Claims Act and government contracts enforcement risk that flows from cybersecurity certification failures in an environment of heightened government oversight.


For questions about NSPM-12 and its implications for your organization, please contact the authors of this alert or the Womble Bond Dickinson attorneys with whom you normally work.