The National Security Council has been under sustained institutional stress throughout the current Administration. The sidelining of approximately 160 career officials detailed from CIA, FBI, State, DOJ, and other agencies in January, followed by the abrupt mass dismissal of numerous career officials in the spring and the removal of the National Security Adviser — with the post now held concurrently by the Secretary of State — has dispersed the institutional cadre on which the NSC’s coordination function depends. The Financial Times observed in August 2025 that the traditional foreign policy process led by the NSC has “largely broken down.”

The scale of what is at stake is considerable. The Committee on Foreign Investment in the United States (CFIUS) is building the Known Investor Program (KIP) to streamline reviews for low-risk investors. Treasury must issue COINS Act regulations by March 2027, expanding the Outbound Investment Security Program to cover new technologies and geographies. The Department of Justice’s Data Security Program (DSP), which functions as export controls for bulk sensitive personal data, entered full enforcement last July. Commerce’s Office of Information and Communications Technology and Services (OICTS) is extending its ICTS supply chain authorities into connected vehicles, drones, and cloud computing. Each initiative requires not just a legal foundation and significant agency focus, but sustained interagency policy coordination — the kind that only a functioning NSC is positioned to provide.

The consequences of the NSC’s diminished role will not be felt primarily through the review of any single transaction. They will be felt in the quality and clarity of the rules themselves, and ultimately in the loss of the predictability that policymakers, aligned governments, and repeat participants require to engage the system with confidence. That loss of predictability itself poses national security risks: fragmented and uncoordinated frameworks invite circumvention, produce uneven enforcement, and corrode the credibility of the overall regime in the eyes of governments whose cooperation the United States is simultaneously seeking.

Two Recent Rulemakings: The Value of an Effective Convener

Before assessing the consequences of NSC’s institutional weakening, it is worth examining what rulemaking looks like when it works. Two recently completed rulemakings — DOJ’s Data Security Program and Commerce’s connected vehicle rule — provide instructive models.

Department of Justice’s Data Security Program

The Data Security Program (DSP) began with Executive Order 14117. Signed in February 2024, DOJ’s National Security Division was directed to issue regulations restricting access to bulk U.S. sensitive personal data by enumerated countries of concern. Rather than proceeding directly to a proposed rule, DOJ published a detailed Advance Notice of Proposed Rulemaking in March 2024 — a comprehensive document that posed specific questions to the public and laid out the contemplated regulatory architecture in its entirety. The ANPRM was not a formality. DOJ received comments from an extraordinarily broad cross-section of stakeholders: the Business Roundtable, the Biotechnology Innovation Organization, the U.S.-China Business Council, the Pharmaceutical Research and Manufacturers of America, and dozens of others. Beyond written comments, DOJ — both independently and alongside other executive branch agencies — conducted what the final rule’s preamble describes as “dozens of large-group listening sessions, industry engagements, and one-on-one engagements with hundreds of participants.”

Critically, the rulemaking was not a DOJ effort alone. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency developed the technical security requirements for restricted transactions, adapted from NIST cybersecurity and privacy frameworks. Classified threat assessments from the intelligence community informed the designation of countries of concern. These and numerous other interagency inputs were coordinated by NSC. When DOJ published its Notice of Proposed Rulemaking in October 2024, it addressed earlier comments, refined key definitions — including the treatment of precise geolocation data and medical research exemptions — and invited a further round of public comment. The final rule, issued in December 2024, was accompanied by a compliance guide, FAQs, and a 90-day grace period.

Department of Commerce’s Connected Vehicle Rule

Commerce followed a similar path. It published an ANPRM in March 2024, receiving comments from OEMs, component suppliers, foreign governments, nonprofit organizations, and private citizens. The process pushed Commerce to refine the rule’s scope: where the ANPRM had identified six vehicle systems as potential targets, the NPRM narrowed focus to two — vehicle connectivity systems and automated driving systems. The final rule reflected both that deliberation and significant stakeholder feedback, including a legacy software exemption and scope narrowing to passenger vehicles, with commercial vehicles addressed in a separate rulemaking. As with the DSP, NSC coordinated the varied interagency inputs that shaped the final product.

Both rulemakings share a common pattern: a genuinely consultative ANPRM; structured interagency participation producing rules informed by perspectives no single agency could supply alone; and multiple rounds of public comment resulting in regulations that were targeted, better defined, and more administrable than their initial proposals. This is what the NSC’s coordination function is designed to produce — and what policymakers and the regulated community have a right to expect as new authorities come online.

Coming Rulemaking: The Absent Convener

Now consider the national security regulatory rulemakings that lie ahead, and the current institutional conditions under which they must be developed.

CFIUS’s Known Investor Program

The Known Investor Program (KIP) would create a standing database of pre-screened foreign investors from allied countries — entities that have demonstrated “verifiable distance” from adversary countries and that can provide detailed governance, compliance, and organizational information in advance of any specific CFIUS filing. The premise is sound: the vast majority of CFIUS-reviewed transactions have cleared, many during the initial review phase, and a pre-clearance mechanism for low-risk, repeat investors could meaningfully reduce overall review periods without compromising national security.

But moving KIP from concept to execution requires answering questions no single agency can or should resolve in isolation. What constitutes “verifiable distance” from an adversary — and how does that standard interact with Commerce’s Entity List, Treasury’s SDN list, and classified intelligence assessments? What happens when a KIP-cleared investor subsequently acquires a U.S. business covered by the DSP — does the KIP clearance address the data security dimension, or must the investor separately satisfy a parallel compliance regime administered by DOJ? These are design parameters, not implementation details, and they are precisely the kind of cross-cutting policy problems that the NSC’s working-level committee bodies — where subject-matter experts from across the executive branch have historically convened — are designed to address.

The COINS Act Implementing Regulations

The COINS Act gives Treasury approximately fifteen months to promulgate regulations expanding the Outbound Investment Security Program’s geographic scope, extending coverage to hypersonic and high-performance computing technologies, and creating a public database of covered foreign persons in coordination with Commerce. That database — a concept Treasury itself previously rejected during the original outbound investment security rulemaking — raises immediate questions about how entities on the Commerce Entity List, OFAC’s SDN list, and the Defense Department’s Section 1260H list of Chinese military companies should relate to the new outbound investment database. The COINS Act also mandates allied coordination on outbound investment frameworks — an obligation requiring not just bilateral diplomacy but an executive branch consensus on what the United States is actually asking its partners and allies to replicate.

The CFIUS Mitigation Overhaul and OICTS Expansion

The America First Investment Policy directs a fundamental shift away from complex, open-ended mitigation agreements with foreign adversaries toward “concrete actions that companies can complete within a specific time” — a directive that requires generalized interagency agreement on when mitigation is appropriate versus when a transaction should be blocked. Meanwhile, Commerce appears to be extending its ICTS authorities into drones and cloud computing, creating additional layers of supply chain regulation that must be reconciled with CFIUS mitigation terms and outbound investment restrictions. These are not self-executing policy directives; they are design problems that require a convener to coordinate the varied and at times competing priorities.

What Happens When the Convener Doesn’t Call

For the rulemaking pipeline, an absent or hobbled NSC presents predictable consequences. Each agency will likely develop its regulations in isolation, applying its own conception of national security risk without a mechanism for ensuring cross-regime consistency. Treasury will build KIP according to its understanding of “verifiable distance.” DOJ will enforce data security regulations without access to the broader interagency’s experience with analogous sanctions programs. Commerce will maintain its entity lists and OICTS prohibitions according to its own criteria. Without a convener, these efforts will drift apart — not because any agency is acting in bad faith, but because agencies without a mechanism to resolve policy tensions will default to their own institutional biases.

One might ask whether the Office of Information and Regulatory Affairs (OIRA) can fill the gap. OIRA coordinates interagency review of significant rules under Executive Order 12866, providing a centralized check before major regulations are finalized. But OIRA’s mandate is regulatory efficiency and cost-benefit analysis, not national security policy coherence. OIRA operates at the back end of the rulemaking process, checking the output of agency deliberation rather than shaping it. OIRA lacks routine access to the classified information that drive the most consequential design choices, and it certainly does not convene the working-level interagency committees where subject-matter experts from Treasury, Defense, Commerce, DOJ, and the intelligence community resolve substantive policy tensions. Although the current administration expanded OIRA’s mandate to cover independent regulatory agencies – as part of a broader deregulatory agenda – this expanded mandate compounds the problem: an OIRA oriented toward reducing regulatory burden is poorly positioned to adjudicate whether outbound investment restrictions should be calibrated broadly or narrowly, or whether a “verifiable distance” standard is being applied consistently across diverse foreign investment screening regimes. In its current form, OIRA is not a substitute for NSC coordination; it is an additional variable.

The quality of the rules will also suffer. The DSP and connected vehicle rulemakings succeeded in part because interagency deliberation preceded regulatory commitment. When that process is absent, rulemakings mature within a single agency’s policy silo, producing regulations that create unintended conflicts with other regimes or fail to account for equities that a different agency would have surfaced. And when career subject-matter experts are removed and interagency committees atrophy, the regulatory process becomes susceptible to ad hoc interventions untethered from an evidence-based analytically driven process — an unfortunate dynamic that the “politicization” commentary surrounding CFIUS’s review of the Nippon Steel transaction illustrates.

Consequences of an Absent Convener

The most direct consequence is regulatory fragmentation: overlapping screening regimes operating in parallel, each internally coherent but mutually inconsistent, with no mechanism for resolution at the executive branch level. Foreign governments seeking to understand U.S. investment screening policy — or to develop analogous frameworks the United States is asking them to adopt — confront a system whose component parts do not speak to each other. The “verifiable distance” standard articulated in the America First Investment Policy is a judgment call that implicates equities across Treasury, State, Defense, Commerce, and the intelligence community. Applied without interagency coordination, it will inevitably be inconsistently applied — producing the kind of unpredictability that functions more effectively as a deterrent to legitimate investment than any outright prohibition, and that undermines U.S. credibility in requesting coordination with foreign governments on the same frameworks.

Fragmentation also creates a second-order institutional problem. The DSP and connected vehicle rulemakings succeeded in part because the process structured a genuine accommodation of competing institutional perspectives before the rules were finalized. When that accommodation does not occur within the executive branch, the burden of cross-regime harmonization shifts to outside actors — regulated entities, foreign governments, and trade associations (among others) who are left to flag inconsistencies, identify conflicts across regimes, and propose resolution mechanisms that the interagency process should have worked through first. That is a poor substitute for NSC-led coordination because public comment is neither uniform in quality nor guaranteed to reach the right decision-makers, and it cannot replicate the classified equities that shape the most consequential design choices.

The cumulative effect is degradation of a foundational principle underlying the United States’ investment screening system. The DSP, KIP, COINS Act regulations, and OICTS expansion are each premised on the idea that national security screening can be calibrated — targeted enough to protect genuine interests, predictable enough to attract legitimate capital, and coherent enough to encourage allied participation. Without NSC-led coordination across these authorities, calibration gives way to unguided proliferation, and the regime becomes a collection of agency-specific instruments rather than a system.

The United States has built an investment security architecture of unprecedented breadth. Whether the implementing rules function as a coherent system — or as a collection of agency-specific instruments that policymakers, allied governments, and regulated parties must reconcile on their own — depends on whether the institution designed to hold the interagency together is permitted to do its job.