In general the NSA functions more like 2 agencies, one focused on the "red" side (hacking, breaking crypto, sigint stuff) and one focused on the "blue" side (protecting US assets from being hacked, developing better/new crypto, providing guidance on security).
Both sides are good at their jobs and for what it's worth, my understanding is that the blue side really does want to keep your shit from being hacked.
> Not sure I’ve ever read the NSA providing hardening guidance on anything before.
The NSA made SELinux, SHA-1, and SHA-256.
SHA-1 was specifically a slight change to SHA-0 that was unjustified at the time, but over the next 3-5 years some attacks on SHA-0 that SHA-1 was not vulnerable to surfaced.
I used them back at Lockheed as early as ~2005? Although they were mostly around hardening BSD IIRC... (which became SELinux? I can't recall) and at the time, they were really "best practices" (things that you want to make sure you have done if you expect to pass any sort of audit (SOX, SAS70, etc.)).
Sarcastically, we would say, "they already have back doors in everything, they just don't want any other Bad Actors getting in their yard."