NSPM-12: Why secure systems start with data visibility

Recently, a National Security Presidential Memorandum (NSPM-12) was signed that overhauls how the federal government secures its most sensitive military, intelligence and classified systems. It re-establishes the Committee on National Security Systems for the first time in over 35 years, names the director of the NSA as the national manager for those systems and sets what one former agency security chief called "aggressive" timelines for getting the work done. Strip away the federal language and the message lands close to home. The work starts with knowing exactly what data you hold and where it sits, and the clock is running faster than it used to.

The memo, reported in detail by Federal News Network, gives the reconstituted committee power to set baseline cybersecurity requirements for every national security system and to issue emergency directives when threats emerge. It mandates that those systems meet or exceed NIST standards. It also rescinds two foundational directives from 1990 and 2022 and folds their authority into a single accountable structure.

The deadlines are the part worth noticing. Agencies have 60 days to produce a roadmap and 90 days to review and update their policies. Another 90-day clock covers guidance on secure hosting of sensitive systems in the cloud, and a separate 60-day clock covers new incident reporting standards. Agencies also have to make an inventory of their information systems available to the NSA. That last requirement reads like housekeeping. It's actually the foundation everything else rests on.

The urgency isn't abstract. The memo follows an AI security executive order signed June 2 and NSPM-11 on June 5, both aimed at how artificial intelligence is reshaping national security. Bob Ackerman of DataTribe framed the new memo as a direct response to foreign adversaries using AI to speed up and scale their cyber campaigns against sensitive U.S. systems.

That pattern is familiar to anyone defending a private network. Attackers now move at machine speed. They probe and adapt faster than human review can keep up with, and they go looking for the data that's easiest to reach. The federal answer is to shorten its own timelines to match the threat. Security leaders outside government face the same acceleration, just without a presidential memo telling them when to act.

Notice what the memo asks for first. Before new standards, before cloud guidance, before incident reporting, it asks agencies to inventory their systems. Hemant Baidwan, the former DHS security chief quoted by Federal News Network, said the point is to stop agencies from approaching national security systems through separate, disconnected channels.

That instinct is right, and it scales down to every organization. Most data risk doesn't come from the systems you're already watching. It comes from the sensitive data you've lost track of, copied into a SaaS app or sitting in a cloud bucket nobody owns anymore. A baseline requirement only covers the data you've actually located and classified. Without that groundwork, a new policy is just words with nothing underneath them.

This is where the work gets practical. You can't put sensitive data under policy until you know what it is and where it sits. MIND starts there. The platform discovers and classifies sensitive data wherever it moves, across SaaS, cloud and GenAI tools, and reads both the content and the context around it. So a security number flagged in a finance system looks different from the same string buried in a public share, and your team can tell which one matters.

MIND isn't just scanning for matches. It's minding where your most sensitive data lives and how it's moving, so your people can spend their attention on real exposure instead of false positives. When a mandate arrives with a 60-day clock, the teams that already have that visibility don't scramble. They already know what they're protecting, and they can prove it.

The federal memo is a deadline for agencies. For everyone else, it's a preview. AI is compressing the time you have to find and protect sensitive data, with or without a directive forcing the issue. The first move is the same one Washington made. Know what you have.

See what MIND surfaces in your own environment.

• National Security Presidential Memorandum/NSPM-12, The White House
• Trump memo sets 'aggressive' timelines to secure sensitive systems, Federal News Network
• Promoting Advanced Artificial Intelligence Innovation and Security, The White House
• National Security Presidential Memorandum/NSPM-11, The White House