The White House is directing new federal cyber guidance and the establishment of an artificial intelligence cybersecurity “clearinghouse” under a highly anticipated AI executive order.
In the Tuesday executive order on AI innovation and security, President Donald Trump directed agencies to work with the private sector to both modernize systems and “harden them against external threats.”
The EO notably directs several agencies to establish a voluntary system for the government to evaluate advanced frontier AI models for cybersecurity risks before they’re released publicly.
The executive order has been in the works for weeks. It comes in response to advancements in new AI models, particularly the Anthropic Claude Mythos model preview, that showed their ability to far outpace humans in identifying and exploiting new cyber vulnerabilities.
While the EO represents a shift from his administration’s hands-off approach to AI development, Trump’s final executive order backed down from explicitly establishing a more regulatory approach to the fast-evolving technology.
“Advanced AI capabilities make our nation stronger, but also introduce new national security considerations that require coordinated action across executive departments and agencies (agencies), and components,” the EO states.
Voluntary framework
The order directs agencies to develop the “voluntary framework” for securing frontier AI models within 60 days.
Under the framework, AI developers will provide the federal government with access to leading edge frontier models 30 days before they release the models to any other organizations.
The framework will also allow AI developers to work with the government to “select trusted partners that will have early access to covered frontier models to promote secure innovation and strengthen the cybersecurity of critical infrastructure.”
Trump’s order specifically bars the EO language from being used to create mandatory requirements for AI developers to pre-clear their models with the government.
Leaders at the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the National Institute of Standards and Technology, among others, are part of the group tasked with developing the voluntary framework. The agencies are also tasked with creating a classified “benchmarking process” to determine when an AI model meets the threshold for voluntary review.
In a post on X, venture capitalist and former White House advisor David Sacks wrote that the voluntary framework is intended apply “only to models that represent a meaningful step-change in cyber capabilities” rather than “incremental version numbers of existing models.”
Sacks also confirmed the final EO scrapped the previous language that would have instituted a 90-day voluntary review, rather than 30 days.
“The change in the EO from a 90 day to 30 day period is a game changer because it allows our AI labs to comply with the voluntary framework without delaying new model releases,” Sacks wrote. “They can synchronize their efforts under the EO with other pre-release activities. Furthermore, I’ve been advised by the lawyers who draft EOs that 30 days means calendar days, not business days. In the AI race, every day counts.”
Cyber guidance and ‘clearinghouse’
Meanwhile, federal agencies can expect new cyber guidance in the coming weeks. Within 30 days, the EO directs CISA and White House officials to release binding operational directives and other guidance to protect critical systems, including by establishing or expanding programs and services that “enhance AI-enabled defensive tools.”
The order directs that AI cybersecurity tools and services should be made available to state and local governments, as well as critical infrastructure operators. It additionally directs the Office of Management and Budget to identify grant opportunities for advanced AI cybersecurity capabilities. The Office of Personnel Management, meanwhile, is directed to expand federal cybersecurity hiring and placement pathways as part of the Tech Force initiative.
The EO also directs the Treasury Department, working with the NSA, CISA and other agencies, to form an “AI cybersecurity clearinghouse.” The group will work with the AI industry and critical infrastructure operators to coordinate on new software vulnerabilities, as well as prioritize patching and remediation of those vulnerabilities.
Tonya Ugoretz, a former FBI cybersecurity executive and leader of PwC’s Cyber & Risk Innovation Institute, said the executive order makes the case that “America’s leadership in AI innovation can strengthen prosperity by strengthening national and cyber security.”
“Most companies will be outside the core processes envisioned by the EO, but they stand to benefit if they can build the operational capacity to absorb what the clearinghouse shares,” Ugoretz told Federal News Network in an email. “An important question is how the clearinghouse becomes an effective distribution mechanism at scale. The concept is sound: use the insights generated through government-industry collaboration to push vulnerability information, remediation guidance, and defensive measures to a much larger population of organizations. If organizations are flooded with technical findings but lack the context, staffing, or resources to respond, the clearinghouse risks becoming less effective than intended. The success of the clearinghouse will be measured by whether it measurably improves cyber resilience across organizations that otherwise would not have direct access to frontier AI capabilities.”
Reaction to EO
Tech industry leaders largely praised the executive order and the voluntary nature of the framework.
“The executive order appropriately constructs a voluntary and phased approach to introducing and evaluating frontier AI security models that would prioritize strengthening critical infrastructure and proactively remediating vulnerabilities,” Business Software Alliance chief executive Victoria Espinel said in a statement. “It additionally takes the welcome step of initiating a structured and transparent process by which industry, government, and security experts can collaborate on future breakthroughs in AI security.”
Meanwhile, Samir Jain, vice president of policy at the Center for Democracy and Technology, said the EO addresses AI cybersecurity threats and “further attempts to avoid the deeply concerning implications of a mandatory licensing regime for release of new models.”
“Testing and benchmarking programs are important to promote cybersecurity and address other risks,” Jain said. “However, the EO should not become a mechanism for the administration to punish companies for political or other arbitrary reasons, and so we will be closely monitoring the details of its implementation as they emerge.”
Cybersecurity leaders and others were critical of the closed-door nature of the voluntary framework.
“The path to stronger cybersecurity is more information sharing, not less,” Doc McConnell, a former CISA official who now works as head of policy and compliance at Finite State, said in a statement. “Classified benchmarking, nondisclosure requirements, and early access pilots will delay getting these models into the hands of the cyber defenders who can put them to use today. I encourage the federal government and the frontier labs to expand their outreach to the broader community. Better cybersecurity requires more transparency, more information-sharing, and more robust partnerships.”
Gary Barlet, a former federal chief information security officer and public sector chief technology officer at Illumio, said federal agencies and critical infrastructure operators should prioritize “ensuring a single compromise doesn’t turn into mission-wide disruption.”
“That means limiting lateral movement, containing breaches quickly, and protecting critical systems even after attackers gain an initial foothold,” Barlet said. “AI can help improve analysis and response, but it doesn’t fix underlying gaps. Without strong controls and segmentation, faster attacks will simply scale the impact of failures. Resilience has to be built into the architecture from the start, otherwise organizations risk amplifying the consequences of every breach.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
