CISA to Issue AI Security Directive for Federal Agencies

The Cybersecurity and Infrastructure Security Agency plans to issue binding operational directives as soon as this week requiring federal agencies to secure artificial intelligence systems, particularly large language models used across government.

Nick Andersen, CISA's acting director, announced the forthcoming guidance during remarks at the TechNet Cyber conference in Baltimore. The directives will address vulnerability remediation and management for AI platforms deployed in federal civilian systems.

Why it matters

This represents the first concrete implementation step from President Donald Trump's AI executive order signed earlier this week. The directives will establish mandatory security requirements for AI systems across federal agencies at a time when both cyber defenses and attacks increasingly rely on artificial intelligence capabilities.

What the directives will cover

While Andersen declined to provide specific details, the executive order outlines several requirements CISA must address within 30 days. The agency must expedite cyber defense of civilian federal systems, establish or expand programs for AI-enabled defensive tools, and facilitate access to cybersecurity tools for federal agencies, state and local authorities, and critical infrastructure operators including rural hospitals and community banks.

CISA also plans to launch a governmentwide platform that will provide civilian agencies with access to secure AI capabilities. Andersen said the platform will focus initially on vulnerability management, giving agencies actionable information about their attack surfaces.

"The biggest focus for us right now is going to be, how do we take that information about the attack surface and how do we take that information about vulnerability management and put that in the hands of folks can actually remediate that," Andersen said.

Broader AI security framework

The executive order assigns CISA multiple responsibilities beyond the immediate directives. Within 60 days, CISA must work with the National Institute of Standards and Technology and the National Security Agency to establish a voluntary evaluation system for advanced frontier AI models. Under this framework, AI developers would provide the federal government access to leading-edge models 30 days before public release.

CISA will also participate in an "AI cybersecurity clearinghouse" led by the Treasury Department to coordinate with industry on software vulnerabilities and prioritize patching efforts.

Staffing challenges

The expanded mission comes as CISA faces significant staffing constraints. Department of Homeland Security Secretary Markwayne Mullin acknowledged at a House Homeland Security Committee hearing that the agency needs hundreds of additional employees. CISA's workforce has declined from approximately 3,400 to 2,200 under the current administration, while Mullin estimates 2,800 staff are needed to fulfill the agency's responsibilities.

These details were first reported by Federal News Network.