Trump EO gives Treasury, NSA, CISA 60 days for frontier AI testing
Voluntary pre-release testing buys cooperation, but it leaves unanswered who must trust, fund, or deploy government-tested tools.
TL;DR
Inside Cybersecurity reports that President Trump’s June 2 executive order gives Treasury, the National Security Agency and the Cybersecurity and Infrastructure Security Agency 60 days to build benchmarks for frontier artificial intelligence security models, with voluntary government testing 30 days before public release. Industry groups praised the voluntary framework. Primes, Cybersecurity Maturity Model Certification Third-Party Assessment Organizations and federal agencies should watch the missing piece: the order points CISA toward binding operational directives, but adoption authority remains undefined.
Inside Cybersecurity’s account has the familiar split: industry groups welcomed the word voluntary, and the operational work is still hiding in the next agency document. President Trump’s June 2 executive order gives the Treasury secretary, National Security Agency director and Cybersecurity and Infrastructure Security Agency director 60 days to create a benchmarking process for “advanced cyber capabilities” in frontier artificial intelligence (AI) models. It also gives the government a 30-day voluntary testing window before those models are made available to the public.
That is a real ask. Treasury, NSA and CISA have to define the testable thing: exploit generation, vulnerability discovery, remediation advice, defensive triage, or some combination. The order can promise first access for critical infrastructure operators and federal agencies. The benchmark has to tell a bank chief information security officer, a telecom security team, a contracting officer or a Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessment Organization (C3PAO) what a passing model actually proved.
The support is unsurprising because the design is voluntary. Business Software Alliance, Information Technology Industry Council, Business Roundtable, Software & Information Industry Association, NCTA and banking groups framed the order as collaboration, access and critical infrastructure defense. CISA’s January Joint Cyber Defense Collaborative AI playbook used the same premise for AI incidents and vulnerabilities, guiding partners on voluntary information sharing.
The unresolved question is the binding operational directive language. Inside Cybersecurity says the order directs CISA to issue binding operational directives and other guidance to create or expand AI-cyber defense tools. The reporting does not say whether agencies will have to adopt tested models, whether they can write tested-model use into contracts, or whether CISA’s role stops at benchmarking. That is the governance gap hiding under the applause.
Federal primes and C3PAOs do not need a procurement scramble today. They need a watch file: the 60-day benchmarking method, the 30-day pre-release testing process, and any CISA directive that turns a government test result into an agency requirement. Until then, the praise is background noise; the clock is the operational fact.
Published ·Updated ·Deep Fathom