> It is instead about "if you're going to use pure ML-KEM (and we explicitly recommend not doing so), here is how to do it in a standardized way".

This makes the push for the standard far more suspicious. Why is it so important for this to be a standard if it is explicitly not recommended to implement at the time of standardization? The typical benefits of a standard would be to avoid disparate implementations, which seems fine for something that isn't recommended to implement.

On the other hand, lots of folks from the NSA coming out (covertly, in this hypothetical context) in support of a weak standard with dubious arguments is... the NSA's modus operandi. Additionally, the fact that the standard is being proposed so US government contractors can checks notes meet the NSA's recommendations(!!) is another reason to suspect the NSA's involvement (it seems weird I even have to write that). Especially given the "not recommended to implement" part of it; something (CNSA2) tells me that this "not recommended" will be widely disregarded in favor of "but it's a standard" to the point that an explicitly-known-to-be-weaker implementation becomes one of the, if not the, most deployed implementation in practice. Which is also the NSA's MO.

Edit:

Now that I think about it, recommendations like CNSA2 also support the NSA's spying capabilities. A single standard (or small set of standards) is easier to crack and exploit than many bespoke implementations. Granted, that's a bit of a weak argument since many bespoke implementations are likely to have their own vulnerabilities. The reason the NSA might still prefer standards be used is that a bespoke implementation will more likely have a bespoke exploit, meaning they can't use already-developed exploits and will have to spend time making one.

> Why is it so important for this to be a standard if it is explicitly not recommended to implement at the time of standardization?

This isn't a standard.

It's not on the standards track! Words mean things!

But to answer your question: some industries need an RFC. FIPS 203 also doesn't specify how to use ML-KEM in TLS.

Think phone companies.