The order gives CISA 30 days to issue binding cybersecurity directives across all civilian federal agencies and creates a government review process for the most powerful AI models before they ship.

On June 2, President Trump signed an executive order that requires the Cybersecurity and Infrastructure Security Agency (CISA) to issue binding cybersecurity directives to federal agencies within 30 days and directs prosecutors to treat AI-assisted crimes as enforcement priorities.

Companies that build the most powerful AI models now face a new pre-release review process. There is no legal requirement to participate, but government pressure to do so.

What federal agencies must do in 30 days

CISA, the federal cybersecurity agency within the Department of Homeland Security, must issue binding operational directives specifying which cybersecurity measures all civilian federal agencies must implement. CISA must also “establish or expand Federal programs and cybersecurity services that enhance AI-enabled defensive tools” for federal agencies and extend access to the most capable AI models to state, local, and private-sector critical infrastructure operators, such as rural hospitals and utilities. 

The Treasury, NSA, and CISA must jointly establish a “vulnerability clearinghouse” within 30 days. The clearinghouse coordinates scanning for software vulnerabilities across federal agency and private-sector systems, validates its findings, and determines which vulnerabilities get patched first. The Defense Department runs the same process for its own systems under the same deadline.

The order also establishes a new government classification, “covered frontier model,” that determines which AI models are sufficiently powerful to warrant special handling before public release.

What a “covered frontier model” is, and why the designation matters

A “covered frontier model” is an AI model that the NSA deems to pose significant cyber risk. NSA determines, in consultation with the National Cyber Director and CISA, using a classified benchmarking process that the Treasury, NSA, and CISA must build within 60 days.

Once a model gets that designation, its developer can enter a voluntary government review process. The developer grants the government access to the model for up to 30 days before the public release, with confidentiality and IP protections in place. The government then helps determine which partners receive early access. Developers who go through the process get earlier visibility into how the government reads their model’s risk profile.

The government cannot use this process to block or require approval before an AI model ships. Participation is voluntary. However, developers who decline, will release their most powerful models without a government read on their cyber risk. 

Prioritizing AI-assisted crime

The Attorney General must prioritize prosecuting AI-enabled crimes. Three statutes apply: identity fraud (18 U.S.C. § 1028), unauthorized computer access (18 U.S.C. § 1030), and wire fraud (18 U.S.C. § 1343).

The 30-day agency deadlines run through early July. The frontier model benchmarking deadlines run through early August.

The executive order comes eight days after the President rejected a planned executive order to create a federal review process for advanced “frontier” AI models before release.