Last week, the White House released NSPM-12, a significant update to how the federal government governs cybersecurity across National Security Systems. Much of the discussion will focus on organizational changes, including the enhanced role of NSA and the re-establishment of the Committee on National Security Systems (CNSS). Those are important developments.
But from where I sit, the most important aspect of the memorandum is much simpler:
The government is not creating an entirely new cybersecurity framework. It is reaffirming that NIST remains the foundation.
That is exactly the right decision.
Security Standards Are Not the Problem
For years, government and industry have invested heavily in building security programs around NIST standards. FedRAMP, DoD programs, agency-specific requirements, and countless commercial cybersecurity initiatives all trace back to the same core body of work.
The challenge facing government cybersecurity has never been a lack of standards.
The challenge has been the cost, complexity, and speed of demonstrating compliance with those standards.
Too often, organizations spend more time collecting screenshots, assembling spreadsheets, and preparing evidence packages than they do actually improving security.
Creating a new framework would only increase fragmentation and confusion. By reaffirming NIST as the baseline, NSPM-12 preserves the common language that agencies, assessors, cloud providers, and software companies already understand.
Convergence Matters
One of the most encouraging aspects of NSPM-12 is what it does not do.
It does not create a separate cybersecurity universe for National Security Systems. Instead, it explicitly reinforces the role of NIST standards while allowing CNSS to build upon them where mission requirements demand it.
That approach should continue across government.
For too long, technology vendors have faced a patchwork of overlapping requirements across civilian agencies, defense organizations, and national security environments. While each mission has unique needs, the vast majority of cybersecurity controls are fundamentally the same.
Identity management is identity management. Logging is logging. Encryption is encryption. Vulnerability management is vulnerability management.
When organizations are forced to comply with multiple versions of essentially the same requirement, everyone loses. Agencies wait longer for technology. Vendors spend more money on compliance. Security teams devote resources to documentation rather than risk reduction.
The federal government should continue moving toward a model where FedRAMP, DoD, and National Security System requirements share a common NIST-based foundation with only a limited set of mission-specific overlays.
The more we can converge on shared controls, shared evidence, and shared assessment methodologies, the faster we can deliver secure technology to government users.
The Future Is Continuous Assessment
What stands out in NSPM-12 is not a new set of controls. It is the emphasis on accountability, visibility, inventory management, incident reporting, and centralized oversight.
Those are all signals that the federal government is moving toward a more continuous model of cybersecurity assurance.
The reality is that modern cloud environments change constantly. Infrastructure is deployed daily. Containers are rebuilt hourly. Vulnerabilities emerge continuously.
A security assessment conducted once per year can no longer provide an accurate picture of risk.
The answer is not more paperwork.
The answer is continuous validation.
Organizations should be able to demonstrate at any point in time:
- What assets exist
- How they are configured
- Whether controls are functioning as intended
- What vulnerabilities are present
- What remediation actions are underway
That information should be available in machine-readable form, generated automatically, and validated continuously.
Standards Should Stay Stable. Validation Should Evolve.
At Knox, we believe the federal government should maintain stable security requirements while aggressively modernizing how compliance is measured.
NIST SP 800-53 remains the world’s most comprehensive catalog of security and privacy controls. The controls themselves are not the bottleneck.
The bottleneck is that most compliance programs still rely on manual evidence collection and periodic reviews.
The emergence of cloud-native architectures, infrastructure as code, and AI-driven assessment capabilities gives us an opportunity to fundamentally improve that process.
Instead of asking organizations to prove compliance once a year, we should enable systems to demonstrate compliance continuously.
Instead of reviewing samples, we should evaluate entire environments.
Instead of static reports, we should produce machine-readable evidence that can be consumed automatically.
Instead of spending weeks gathering screenshots, organizations should be able to generate authoritative compliance evidence directly from the systems themselves.
Those approaches improve both security and efficiency.
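As an added illustration (not code from the original post or from Knox) of what the continuous, whole-environment validation described above and in the list earlier in this post looks like in practice, the Python below evaluates every asset in a constructed inventory against a few automated checks mapped to NIST SP 800-53 controls and emits the result as timestamped JSON. The inventory, the checks, the control mapping and the output layout are all assumptions made for the example (the output is a simple JSON structure, not OSCAL, and the control IDs are used only as labels). The detail worth noticing is the asset with no scan data: missing evidence is reported as "no-evidence" and counted against the asset, never treated as a pass.

```python
"""Continuous control validation over an asset inventory with machine-readable output.

Added example, not from the original post. The inventory, the checks, the NIST SP
800-53 mapping and the JSON layout are illustrative assumptions, not a product or
agency API.
"""
from datetime import datetime, timezone
import json

# Constructed sample inventory, shaped like an export from a cloud API or IaC state.
SAMPLE_INVENTORY = [
    {"id": "vm-001", "type": "vm", "logging_enabled": True, "disk_encrypted": True,
     "last_scan_days": 3, "open_criticals": 0},
    {"id": "vm-002", "type": "vm", "logging_enabled": False, "disk_encrypted": True,
     "last_scan_days": 45, "open_criticals": 2},
    {"id": "bucket-01", "type": "bucket", "logging_enabled": True, "disk_encrypted": False},
    # Scan data missing entirely: must surface as missing evidence, never as a pass.
    {"id": "vm-003", "type": "vm", "logging_enabled": True, "disk_encrypted": True},
]


# Each check returns True (satisfied), False (not satisfied) or None (no evidence).
def check_logging(asset):
    return asset.get("logging_enabled")


def check_encryption_at_rest(asset):
    return asset.get("disk_encrypted")


def check_scan_recency(asset, max_age_days=30):
    age = asset.get("last_scan_days")
    return None if age is None else age <= max_age_days


def check_no_open_criticals(asset):
    count = asset.get("open_criticals")
    return None if count is None else count == 0


# Illustrative mapping: control ID -> (title, check, asset types it applies to).
CONTROL_CHECKS = {
    "AU-2": ("Event logging enabled", check_logging, {"vm", "bucket"}),
    "SC-28": ("Data at rest encrypted", check_encryption_at_rest, {"vm", "bucket"}),
    "RA-5": ("Vulnerability scan within 30 days", check_scan_recency, {"vm"}),
    "SI-2": ("No open critical findings", check_no_open_criticals, {"vm"}),
}

STATUS = {True: "satisfied", False: "not-satisfied", None: "no-evidence"}


def evaluate(inventory, checks=CONTROL_CHECKS, now=None):
    """Evaluate every applicable control against every asset (the whole environment, not a sample)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    summary = {"satisfied": 0, "not-satisfied": 0, "no-evidence": 0}
    for asset in inventory:
        for control_id, (title, check, applies_to) in checks.items():
            if asset["type"] not in applies_to:
                continue
            status = STATUS[check(asset)]
            summary[status] += 1
            findings.append({
                "asset": asset["id"],
                "control": control_id,
                "title": title,
                "status": status,
                "observed": now.isoformat(),
            })
    return {
        "generated": now.isoformat(),
        "asset_count": len(inventory),
        "findings": findings,
        "summary": summary,
    }


def assets_needing_attention(report):
    """Assets with any finding that is not satisfied, including those with missing evidence."""
    return sorted({f["asset"] for f in report["findings"] if f["status"] != "satisfied"})


def to_json(report):
    """Serialize the report so downstream tooling can consume it without a human in the loop."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    report = evaluate(SAMPLE_INVENTORY)
    print(to_json(report))
    print("needs attention:", assets_needing_attention(report))
```

Run on the constructed inventory, the report contains 14 findings (8 satisfied, 4 not satisfied, 2 with no evidence) and flags bucket-01, vm-002 and vm-003. The design point is that each run regenerates evidence for every asset from the current state rather than from a stored screenshot, and that a three-valued result keeps "we have no data" distinct from "the control passed".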
Why This Matters for National Security
NSPM-12 arrives at a critical moment.
The federal government is rapidly adopting cloud computing, artificial intelligence, and advanced software capabilities across both civilian and national security missions.
Those technologies require faster authorization processes, stronger visibility into risk, and greater consistency across agencies.
The government cannot afford to wait months for security assessments while adversaries move at machine speed.
Maintaining NIST as the common foundation while modernizing validation and oversight provides a path forward that balances innovation with security.
That balance is essential.
The Right Direction
NSPM-12 recognizes an important reality: cybersecurity success does not come from creating new standards every few years.
It comes from applying proven standards consistently, measuring them continuously, and making security data available in real time to decision makers.
The federal government already has a world-class framework in NIST.
The next chapter is making compliance as automated, continuous, and measurable as the systems we are trying to secure.
If we can maintain a common NIST-based foundation across FedRAMP, DoD, and National Security Systems while embracing automated assessment and machine-readable evidence, we can dramatically improve both the speed and quality of cybersecurity across government.
That is good for agencies.
It is good for industry.
And most importantly, it is good for national security.