NSM-22 and the New Duty of Resilience
National Security Memorandum 22, sometimes mistyped as NSN 22, reinforces a national emphasis on critical infrastructure security and resilience. The implication for the built world is simple: owners can no longer treat resilience as a policy slogan.
National Security Memorandum 22, often referenced as NSM-22 and sometimes mistyped as NSN 22, is not a building code. It does not tell an engineer how thick a wall should be or where to place a control room. But it does send a clear signal: critical infrastructure security and resilience are national priorities, not optional corporate preferences.
NSM-22 replaced the prior national policy structure for critical infrastructure security and resilience and reinforced the roles of federal coordination, Sector Risk Management Agencies, and owners and operators. For the built world, the practical message is that resilience has to become more concrete, literally and administratively.
Policy pressure becomes design pressure
Public policy rarely changes construction practice overnight. It changes expectations first. Boards ask better questions. Insurers ask for more documentation. Regulators refine guidance. Owners update capital plans. Eventually, design criteria change.
Security professionals should see NSM-22 as part of that expectation shift. Infrastructure owners will be expected to understand their dependencies, document their risk posture and show that physical and cyber-physical vulnerabilities have been considered.
The weak point is often physical
Cybersecurity receives much of the attention in critical infrastructure policy, but cyber systems live in physical places. Control rooms, network closets, substations, backup generators, communications equipment, cable pathways and access points can become the easy path of attack.
A facility that has sophisticated network monitoring but exposed equipment yards, fragile walls, ordinary doors on critical rooms and no forced-entry delay strategy is not resilient. It is merely digitally supervised.
What owners should do now
Owners should convert policy language into a practical facility resilience register. At a minimum, the register should identify mission-critical assets, credible physical threats, cyber-physical dependencies, electromagnetic dependencies, single points of failure, existing countermeasures, residual risk and planned upgrades.
This is where policy becomes useful. NSM-22 should not be treated as another document to cite. It should become a prompt for owners to ask whether the building itself is helping the mission survive or quietly increasing the likelihood of failure.
Recommended citation
Certanet, “NSM-22 and the New Duty of Resilience,” 2026.