Key Points
- CISA is quickly moving to implement President Trump’s new executive order on AI, including expanding AI-enabled cyber defense tools, issuing directives to federal agencies, and providing government-wide access to AI platforms and frontier models.
- The effort is a test of the agency’s capacity, as staffing cuts and loss of expertise raise concerns about whether CISA can deliver meaningful, operationally effective programs.
- IANS Faculty recommend independently assessing risks posed by frontier AI models, as CISA may rely more heavily on AI tools and produce faster, but potentially less comprehensive, evaluations.
CISA Moving Quickly to Implement New AI Executive Order
The Cybersecurity and Infrastructure Security Agency (CISA) is starting to implement the requirements outlined in President Trump’s executive order on AI security.
The executive order, signed last week, requires CISA to “expedite and prioritize the cyber defense of civilian federal government information systems.” This includes establishing or expanding the “federal programs and cybersecurity services that enhance AI-enabled defensive tools,” which CISA’s acting director said is a top priority for the agency.
“Before the end of the week, we’re going to be rolling out some specific artificial intelligence platform access for our federal government-wide partners,” said acting CISA Director Nick Andersen at the TechNet Cyber conference.
The order also requires CISA to work with other federal agencies to facilitate access to cyber defense tools, including frontier AI models, for critical infrastructure.
Anderson also said CISA will work to further secure its networks using AI, in addition to publishing binding directives to other federal agencies to do the same, along with instructions to refine vulnerability management processes.
Big Picture
Implementing the requirements within this executive order could be a significant challenge for CISA, which has already been operating at limited capacity due to aggressive funding cuts and a depleted workforce.
"My concern is whether the workforce reductions, loss of expertise, and organizational disruption leave enough capacity (or even a healthy enough culture) to build programs that are operationally effective rather than simply administratively complete.” Lisa Perdelwitz, IANS Faculty.
CISA’s reduced capacity could force the agency to rely more heavily on AI tools to do the work that would typically be completed by humans in order to implement these new programs. If this human expertise is missing, AI tools evaluating frontier AI models may become the norm.
"What happens when you elevate a government agency to become a critical component in the rapid innovation cycle of technology but don't resource the organization as appropriate? Those left standing at CISA will likely be forced to use AI tools to evaluate these AI models.” Aaron Turner, IANS Faculty.
Implementing the requirements laid out in the AI executive order will be an important step, but the real measure of success is whether the agency can materaially improve the security of federal networks.
"An effective cybersecurity program is not measured by the number of policies written, directives issued, or milestones reported as complete. It is measured by whether risk is actually reduced, whether organizations change behavior, whether capabilities improve, and whether those improvements are sustained over time.” Lisa Perdelwitz, IANS Faculty.
IANS Faculty Recommendations
- Replace lost federal capacity with private-sector resources: Diversify threat intelligence sources so you’re not waiting on federal advisories. Increase internal vulnerability assessment cadence and prioritize remediation based on your exposure, not on when external guidance arrives.
- Rework your operating model: Shift to becoming less dependent on CISA advisories/directives and evaluate the impact of new technology internally with clear ownership and escalation.
- Rebalance towards operational resilience: Map critical business outcomes and dependencies (people/process/technology/vendors), run joint disruption exercises, and align shared metrics across teams.
Authors & Contributors
Emily Dempsey, Author, IANS News
Aaron Turner, IANS Faculty
Lisa Perdelwitz, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.