Skip to content
News Regulation

Trump AI executive order hits its 30-day deadline today as Treasury forms cybersecurity clearinghouse

· by Pondero Newsdesk

The short version

The June 2 executive order on AI frontier model standards reaches its first compliance milestone on July 2, requiring Treasury to stand up an AI cybersecurity clearinghouse and CISA to issue binding directives to federal agencies.

Trump AI executive order hits its 30-day deadline today as Treasury forms cybersecurity clearinghouse

July 2 is the first hard deadline inside President Trump's June 2 executive order on AI and cybersecurity. By today, the Treasury Department must have a new "AI cybersecurity clearinghouse" operational, CISA must have issued binding directives to federal agencies on AI-enabled cyber defense, and the Department of War must have prioritized cyber defense of its information systems. The order also sets an August 1 deadline for agencies to define which AI models count as "covered frontier models" subject to a new pre-release government engagement window.

What the order requires

The executive order, titled "Promoting Advanced Artificial Intelligence Innovation and Security" and signed June 2, organizes its directives into three areas: upgrading federal cybersecurity using AI-enabled tools, creating a voluntary engagement framework for frontier model developers, and directing the Attorney General to prioritize enforcement of existing computer fraud statutes against AI-enabled attacks per the White House.

The 30-day actions due today include the Treasury-led AI cybersecurity clearinghouse, which will coordinate vulnerability scanning across critical infrastructure in voluntary collaboration with the AI industry. Participating operators include rural hospitals, community banks, and local utilities. CISA's binding operational directives, also due today, expand AI-enabled defensive tools to state and local authorities and critical infrastructure operators. The Committee on National Security Systems and the Secretary of War each face their own 30-day cyber defense prioritization requirements.

The 60-day deadline, falling August 1, is where the frontier model piece lands. By that date, Treasury, the National Security Agency, and CISA must together develop a classified benchmarking process for assessing AI models' advanced cyber capabilities, and set the threshold at which a model qualifies as a "covered frontier model." They must also design a voluntary pre-release engagement framework giving the federal government access to covered frontier models for up to 30 days before the developer's planned release to "trusted partners."

What the framework does not do

The order explicitly prohibits the framework from functioning as a mandatory licensing or pre-clearance system. No new crimes are created. No existing mandatory obligations land on AI developers today. Per the Latham and Watkins client alert, the order does not define "covered frontier model" or "trusted partners" in the text itself; both definitions are left to the classified process due August 1 per the Latham analysis.

That classification matters for developers. Because the benchmarking threshold will be classified, companies building large models with cybersecurity-relevant capabilities will have limited visibility into whether their model crosses the line. Freshfields notes that developers who opt into the voluntary framework should plan for the 30-day pre-release access window as a potential buffer in their release timelines per Freshfields' analysis.

The backdrop here is the Fable 5 incident from June. Anthropic's export-control suspension of Claude Fable 5 lasted 18 days and stemmed from an absence of any agreed pre-release government review process. The EO's voluntary framework is a direct institutional response to that gap, though it would not have applied retroactively: the 30-day window applies to pre-release access, not to post-release export enforcement.

Why it matters for AI operators

For teams building on frontier models, the near-term change is monitoring, not compliance. No mandatory obligations exist today. The practical risk is that an August 1 classified benchmark definition could unexpectedly capture a model a company planned to ship freely. The process to find out whether a given model qualifies will require engaging with NSA and CISA, since the threshold is not public.

The cybersecurity clearinghouse is more immediately concrete for operators in regulated sectors. If Treasury stands up the clearinghouse on schedule today, CISA will begin coordinating vulnerability scanning across critical infrastructure, and scan findings could surface in Binding Operational Directives that carry real compliance weight for hospitals, utilities, and community banks. These operators should track CISA's BOD publication log in the coming weeks.

On the cybercrime enforcement side, the AG's prioritization directive is a prosecutorial signal rather than a new statute. Existing laws including 18 U.S.C. 1030 (the Computer Fraud and Abuse Act) and wire fraud statutes now have explicit presidential direction to be applied to AI-enabled attacks.

What to watch next

The August 1 deadline is the next major milestone: that is when the classified "covered frontier model" definition arrives and the voluntary pre-release framework takes shape. Until then, the concrete visible action is whether Treasury's clearinghouse begins coordinating scans and whether CISA publishes its binding directives in the coming days. Developers planning model releases for Q3 2026 should confirm with counsel whether their timelines need to account for a potential 30-day government access window once the August benchmark definition is public.

Sources