Presidential Directives on Cybersecurity and AI

Today, much of government function and information economy run on digital infrastructure, making cybersecurity an important policy issue, and often implicates national security. Further, the developments in artificial intelligence (AI) raises novel cybersecurity questions and requires policy decisions that weighs various considerations on privacy, security, safety, fairness, civil rights, and others. The public deserves a debate about appropriate U.S. cybersecurity measures that includes clear and accessible explanations of the White House’s cybersecurity policy. However, cybersecurity policy is too often set by presidential directives that are not available to the public.

Presidential administrations use presidential directives as instruments of national security to direct cybersecurity policy. They generally derive from the policy papers produced by the National Security Council (NSC), that advises the present on national security issues. “Presidential directive” is a general descriptive term, and different administrations have used different terms to designate presidential directives on cybersecurity. For example, the Obama Administration used “Presidential Policy Directive,” and the George W. Bush Administration used “National Security Presidential Directive.” A presidential directive has the same legal effect as an Executive Order, and they similarly remain in effect through change in administration unless otherwise specified or superseded by later directives. Unlike Executive Orders, however, presidential directives are not required to be published in the Federal Register and may be highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered productive public debate in this area.

Below, significant presidential directives on cybersecurity are discussed in reverse chronological order, followed by EPIC’s efforts to make the debate about U.S. cybersecurity policy public.   

Trump Administration II:

As of this writing (Oct. 22, 2025), President Trump in his second term has made all but one of his National Security Presidential Memoranda (NSPM) public.

Below is the list of the NSPMs thus far, with short summaries: 

NSPM-1 (Jan. 20, 2025): Organization of the National Security Council

This NSPM changes the National Security Council’s (NSC) processes to merge the Homeland Security Council and the NSC on certain topics, signaling the prioritization of immigration and border policy as national security matters, along with other traditional national security issues.

NSPM-2 (Feb. 4, 2025): Imposing Maximum Pressure on the Government of the Islamic Republic of Iran, Denying Iran All Paths to a Nuclear Weapon, and Countering Iran’s Malign Influence

NSPM-2 does not change any U.S. sanctions, export controls, or other restrictions associated with Iran. Instead, among other things, it directs the U.S. Department of the Treasury to “immediately” impose sanctions or other “appropriate enforcement remedies” on persons violating U.S. sanctions on Iran, and to “implement a robust and continual sanctions enforcement campaign.” While the U.S. already imposes an embargo on Iran, the NSPM also directs the Department of Commerce to enforce export control and for the Department of Justice to enhance its enforcement of sanctions evasion.

NSPM-3 (Feb. 21, 2025): America First Investment Policy

The NSPM-3 directs the creation of an expedited process for reviewing investment for countries allied with the U.S., while directing resources to prevent foreign adversaries – defined as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and the Maduro regime in Venezuela – form gain access to sensitive technologies. The NSPM also specifically identifies food supply, farmland, minerals and natural resources as part of the U.S. critical infrastructure. 

NSPM-4 (April 11, 2025): Military Mission for Sealing the Southern Border of the United States and Repelling Invasions

NSPM-4 directs the Departments of Defense, Interior, Agriculture, and Homeland Security to carry out a military mission to “seal” the southern border and repel unlawful incursions. Citing Executive Order 14167 and the declared “national emergency” at the southern border, the memorandum authorizes DOD to assume jurisdiction over certain federal lands for military operations, including construction of border barriers and surveillance systems.

NSPM-5 (June 30, 2025): Reissuance of and Amendments to National Security Presidential Memorandum 5 on Strengthening the Policy of the United States Toward Cuba

The NSPM-5, focused on Cuba policy, is largely the same as the NSPM issued in the first Trump administration, the 2017 NSPM-5. While framed as an effort to promote free enterprise, democracy, human rights, and freedom in Cuba, NSPM-5 introduces a suite of restrictive policies and actions that curtail lawful financial engagement, restrict travel and association, and burden nonprofit and humanitarian organizations operating in, or providing support to, Cuba.

NSPM-6: Not public

NSPM-7 (Sept. 25, 2025): Countering Domestic Terrorism and Organized Political Violence

This NSPM is explained in detail below.  

NSPM-8 (Oct. 15, 2025): Use of Available Department of War Funds for Military Pay and Allowances during the Lapse in Annual Appropriations

NSPM-8 directs the Secretary of Defense to use any available Fiscal Year 2025 funds to continue paying active duty and reserve military personnel during the ongoing government shutdown and lapse in appropriations.

National Security Presidential Memorandum 7 (NSPM-7)

NSPM-7 particularly raises alarms of overbroad use of the executive power, threatening First Amendment-protected speech and targeting dissent. Far from being a memo that addresses legitimate cybersecurity or national security concerns, the memo cites no evidence while contending that there is a left-wing conspiracy to carry out acts of political violence. Further, the memo seeks to elevate the perceived threat level from left-wing political violence by designating antifa to be a “domestic terrorist organization,” even though “antifa” is not a group or an organization. Worse, the administration has no authority to designate groups as domestic terrorist organizations, made clear from the lack of citation to any statute or constitutional provision for support.

NSPM-7 targets disfavored political viewpoints, which are protected under the First Amendment. NSPM-7 directs federal agencies to prioritize investigations of a swath of identities and ideologies that it depicts as falling under “the umbrella of self-described ‘anti-fascism.’” These include “anti-Americanism, anti-capitalism, and anti-Christianity; support for the overthrow of the United States Government; extremism on migration, race, and gender; and hostility towards those who hold traditional American views on family, religion, and morality.” The targeting of constitutionally protected speech to silence dissenting viewpoints is a fundamental challenge to the protections that the First Amendment guarantees for every person in the United States, including noncitizens.

Biden Administration:

Under the Biden Administration, the presidential directives on cybersecurity were designated “National Security Memoranda” (“NSM”). The Biden White House made almost all of the NSMs public. In total, the Biden administration issued 25 NSMs. Many of the NSMs focused on improving cybersecurity, infrastructure, and public health. 

NSM-25: National Security Memorandum 25

Of specific interest to EPIC’s work, the Biden administration issued the first-ever national security memorandum on AI in October 24, 2024 (NSM-25). President Biden directed his national security staff to develop the NSM in October 2023 as part of his Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (EO 14110).  According to a fact sheet released by the White House, the NSM focused on three critical areas: ensuring U.S. leadership in developing “safe, secure, and trustworthy” AI, using cutting-edge AI to advance U.S. national security interests, and building an international consensus on AI governance, closely mirroring EO 14110. 

Along with the memo, the White House published the “Framework to Advance AI Governance and Risk Management in National Security.” Both the memo and the framework emphasize the need to protect human rights, civil rights, civil liberties, and privacy when using AI. The framework provided the details of how the U.S. government plans to accomplish the protection of rights and liberties while using AI for national security systems. The framework identified certain prohibited uses, high-impact uses that require additional scrutiny, and uses that impact federal personnel and outlined the minimal risk management practices agencies must implement. Importantly, the framework applied to both new and existing AI uses. The framework also requires certain oversight and transparency measures. However, the oversight appears to be mostly within the agency and lacks clear independent oversight mechanisms requirements. Before the NSM was used, EPIC was part of a coalition calling on the Biden Administration to adopt meaningful guardrails for the use of AI in national security systems, including certain transparency, assessment, testing, oversight, and procurement requirements.

Trump Administration I:

During his first administration, President Trump issued 36 NSPMs. In a shift from the previous administrations, many, although less than the majority, of the NSPMs were made public. The majority of them are still not made available to the public today (Oct. 22, 2025). 

National Security Presidential Memorandum 7 (NSPM-7)

Of particular interest to EPIC’s focus, on October 5, 2017, the Trump White House released the “National Security Presidential Memorandum” (“NSPM-7”). The Presidential Memorandum describes an “Annex” that lists categories of “identity attributes and associated information about individuals, organizations, groups, or networks assessed to be a threat to the safety, security, or national interests of the United States.” According to NSPM-7, these categories comprised “national security threat actor information.” The NSPM-7 was posted publicly on the White House website, but the Annex was not made public. EPIC immediately filed a FOIA request with Departments of Homeland Security, Commerce, and Justice for the Annex. The White House subsequently published the annex that EPIC requested on whitehouse.gov.  

National Security Presidential Memorandum 13 (NSPM-13)

Another NSPM of note was the NSPM-13, published in August of 2018, which rescinded Obama-era guidance known as Presidential Policy Directive 20 (PPD 20). PPD 20 had dictated when the U.S. government can deploy cyber weaponry against its adversaries, requiring federal agencies to gain approvals from various stakeholders before engaging in a cyber attack. NSPM-13 was never published, but the administration touted that the new policy would allow the Defense Department to launch offensive cyber strikes without an elaborate approval process. Critics pointed out that the new policy could lead to the reckless use of cyberweapons and fuel conflicts with foreign governments or sabotage the work of other agencies.

Obama Administration:

Presidential Policy Directive 41 (PPD-41)

The Obama Administration released PPD-41 in July 2016 to outline how the Federal Government responds to significant cyber incidents following Russian cyber-attacks during the 2016 election. PPD-41 clarifies that the FBI is the lead federal agency for investigating cyber-attacks in the United States by criminals, overseas adversaries, and terrorists. 

But questions have been raised about the failure of the FBI to adequately investigate the attacks on the nation’s political institutions. In 2017, EPIC therefore pursued to help the public “evaluate the FBI response to the Russian interference, assess threats to American democratic institutions, and to ensure the accountability of the federal agency with the legal authority to safeguard the American people against foreign cyber-attacks. In EPIC v. FBI, EPIC obtained documents concerning the FBI’s victim notification procedures. The Inspector General found that the FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete” and that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.”

Presidential Policy Directive 20 (PPD-20)

PPD-20 was implemented by President Obama in October 2012 but was not released to the public. Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC’s request. PPD 20 became public after it was released by The Guardian on June 7, 2013, which had received the document from NSA leaker Edward Snowden.

The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency and details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the “Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk …” According to news reports, the directive gave broader power to the military to block cyberattacks and discussed what constitutes an “offensive” verses a “defensive” action with respect to cyberwar and cyberterrorism. Additionally, the directive discussed the use of cyber-operations–actions taken outside U.S. networks.

Pre-2009 administrations: 

National Security Presidential Directive 54 (NSPD 54)

NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:

• Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
• Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
• Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
• Initiative #4. Coordinate and redirect research (R&D) and development efforts.
• Initiative #5. Connect current cyber ops centers to enhance situational awareness.
• Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
• Initiative #7. Increase the security of our classified networks.
• Initiative #8. Expand cyber education.
• Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.
• Initiative #10. Define and develop enduring deterrence strategies and programs.
• Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
• Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.

On June 5, 2014, the NSA released National Security Presidential Directive 54 (“NSPD 54”) to EPIC after nearly five years of FOIA litigation in EPIC v. NSA. NSPD 54 outlined the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document revealed the underlying legal authority for sweeping changes to federal cybersecurity. Additionally, NSPD 54 contained significant differences from the previously-released description of the CNCI. For the first time, the public had access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provided the public with an explanation of the government’s legal and policy choices regarding cybersecurity.

National Security Presidential Directive 38 (NSPD 38)

NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the White House released a different document also entitled “National Strategy to Secure Cyberspace” that detailed five priorities to secure cyberspace:

1. A National Cyberspace Security Response System.
2. A National Cyberspace Security Threat and Vulnerability Reduction Program.
3. A National Cyberspace Security Awareness and Training Program.
4. Securing Governments’ Cyberspace
5. National Security and International Cyberspace Security Cooperation

NSPD 38 was superseded by PPD 20 under the Obama Administration.

National Security Decision Directive 145 (NSDD 145)

NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing “sensitive but unclassified” information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.

Freedom of Information Request for NSPD 54

EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC’s FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA’s determination and after receiving no response filed a lawsuit against the NSA.

The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC’s request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.