CISA to Issue Binding AI Directive This Week, Acting Director Says
The Cybersecurity and Infrastructure Security Agency (CISA) will release a binding operational directive (BOD) to federal agencies by the end of the week, directing them on how to implement the Trump administration's scaled-back artificial intelligence executive order, Acting CISA Director Nick Andersen announced Wednesday at the TechNet Cyber conference in Baltimore. The directive will center on vulnerability alleviation and vulnerability management, according to Andersen's remarks, with CISA also preparing to roll out "specific artificial intelligence access" for partner organizations in the coming days.
The executive order, released Tuesday, marks a significant departure from an earlier draft that was shelved following internal administration disagreements and pushback from former AI and crypto czar David Sacks. The current version asks AI developers to voluntarily submit models for government testing 30 days before public release—a notable reduction from the original 90-day window. CISA has been designated to help establish the "cyber clearinghouse" the order envisions, and the agency will also be granted access to models for independent vetting purposes.
Andersen struck a balanced tone on AI's dual role in cybersecurity, acknowledging model risks while emphasizing defensive applications. "How can we actually use it as a good defensive tool and how is it going to help us reduce our attack surface exposure?" he asked the audience. His comments underscore how AI is increasingly being positioned as both a threat vector and a force multiplier for security operations. Federal defenders face mounting pressure to audit aging infrastructure, including end-of-life devices still operating in government environments—a problem Andersen described bluntly: "We kick the can down the road in a fairly significant way with our IT infrastructure… Our adversaries can reach in and touch us."
For organizations tracking the federal cybersecurity posture, the directive signals tighter integration of AI oversight into existing vulnerability management workflows. Security teams managing hybrid or cloud-hosted assets can begin assessing their own exposure with a port scanner to identify externally reachable services, while an SSL/TLS checker helps verify encryption integrity across public-facing endpoints. A broader privacy checkup remains a baseline step for any environment handling sensitive government or contractor data as the regulatory landscape around AI continues to evolve.