
Trump rewires NSS cyber governance under NSA-led CNSS

The memo moves classified-system cybersecurity back toward a centralized national-security chain of command, with the hard requirements still unwritten.


TL;DR

President Trump’s June 12 National Security Memorandum revokes Biden-era NSM-8 and the 1990 National Security Directive 42, reestablishing the Committee on National Security Systems to issue binding directives for National Security Systems. Primes, defense-industrial-base suppliers, C3PAOs and agencies operating classified or mission systems now have to watch CNSS and the NSA Director, not the EO 14028 civilian-agency model, for the next baseline.


President Trump’s June 12 National Security Memorandum is not a tweak to a control catalog. It is a governance transfer. The memo revokes Biden-era NSM-8, which extended Executive Order 14028’s cybersecurity requirements to National Security Systems, and rescinds National Security Directive 42, the 1990 Bush-era directive that had governed telecommunications and information systems policy for more than three decades. In its place, the White House is putting a modernized Committee on National Security Systems, with the Director of the National Security Agency serving as National Manager for NSS.

That matters because NSS cybersecurity has always lived in a different room from ordinary Federal Civilian Executive Branch compliance. The Biden approach pulled classified and national-security systems closer to the EO 14028 playbook: zero trust, software security, logging, cloud security and the other machinery built for federal enterprise modernization after 2021. Trump’s memo reverses that center of gravity. CNSS will oversee NSS cybersecurity across the government and issue binding security directives to NSS owners and operators. The NSA Director gets the explicit role as national manager and cryptologic authority.

For defense contractors, the operational answer is simple and annoying: nothing changes Monday morning, but the thing that will change later is likely to matter. Primes, defense-industrial-base suppliers and C3PAOs working around classified systems should expect successor CNSS requirements to become the relevant compliance object for NSS work. The outline of the problem is obvious enough: a contractor can be aligned to CMMC, NIST SP 800-171 and civilian-agency security expectations and still need to satisfy a different CNSS baseline to stay eligible for classified work or NSS contracts.

The memo also points directly at cloud. CNSS has 90 days to report on provisioning cloud capabilities and recommended secure configuration baselines at Secret, Top Secret Collateral, TS/SCI, and Top Secret Controlled and Special Access Program levels for Federal Civilian Executive Branch agencies. It also has 90 days to review CNSSP-32, the May 2022 cloud security policy, and identify needed revisions. Separately, CNSS is directed to ask cloud service providers accredited to host NSS, excluding providers supporting compartmented intelligence missions, for baselines and agency configuration recommendations within 120 days.

The open question is the only one that matters to implementers: what does CNSS actually require? A governance memo can say “baseline cybersecurity requirements” all day. The engineer still needs to know whether the baseline tracks EO 14028’s five-pillar structure, diverges from prior NSD-42 practice, or creates a separate classified-cloud configuration regime with its own inheritance, assessment and authorization assumptions. Until CNSS writes the directives, this is a chain-of-command story. The compliance story is coming next.


Published · Deep Fathom

Trump rewires NSS cyber governance under NSA-led CNSS — The Broadside