The Impact of Federal Budget Cuts on Cyber Defenses

John Hintze

October 9, 2025

Proposed cuts to cybersecurity services in the pending U.S. federal budget for fiscal-year 2026 that may soon be signed into law would effectively diminish the government’s role as the central clearinghouse for critical cybersecurity-related information. In addition to public sector impacts, funding and staffing reductions in key agencies like the Cybersecurity and Infrastructure Security Agency (CISA) may also have a significant impact on the private sector as many companies rely on federal services to bolster their cyber defenses. As a result, many organizations may urgently need to consider alternatives.

Initially, the Trump administration’s budget proposals to Congress sought to cut $491 million, or 17%, of the CISA budget and more than 1,000 staff members, purportedly to refocus the agency on defending the federal network and increasing critical infrastructure resilience. In July, the House of Representatives’ subcommittee on homeland security passed a much smaller 4.6% budget cut of $134 million and did not mention any CISA staff cuts. The final numbers remain to be seen, however, as the fiscal 2026 budget has yet to pass the full House and be reconciled with the Senate appropriation, and Congress continues to struggle to pass even a temporary resolution to fund the government in the new fiscal year.

Regardless of the final budget details, a mix of voluntary departures, layoffs and buyouts has already resulted in dramatic staff losses at CISA. According to Jen Sovada, public sector general manager at cybersecurity software firm Claroty, recent coverage indicated the agency’s staffing has dropped to between 2,200 and 2,600 employees, from 3,700 at the start of the year. Further funding losses could significantly impact CISA’s role as a trusted provider of key cybersecurity services.

CISA’s Role in Cybersecurity

CISA serves as the nexus of the federal government’s efforts to identify and mitigate cyberrisks. Its core mission is to protect the federal government and critical infrastructure. Public and private organizations take advantage of the cyber-related services it provides, and with expected budgetary cuts, those services will likely be less robust and difficult to replace.

For example, CISA and other agencies offer forums for Fortune 100 chief information officers and other groups to confidentially share sensitive information about cyberattacks. In turn, the agencies use that information to alert the broader business community to new risks. In addition, critical infrastructure companies are required to send notifications of significant cyber incidents within 72 hours to CISA, which are also disseminated as warnings to relevant organizations. 

“CIOs and CISOs have a lot on their plates, and CISA helps them prioritize what needs to be fixed,” Sovada said. “When they receive a CISA alert, they know they may need to drop other things and address what has been identified.”

A deeper dive into the Trump administration’s budget proposals shows additional cuts that would cripple these services. The CISA proposal, for example, slashes funding by 62% for its Stakeholders Engagement Division, which leads CISA’s partnerships with critical infrastructure organizations.

“Those are the folks providing support to critical infrastructure operators, sharing cyberthreat intelligence for criminal as well as nation state-types of attacks,” said Curtis Dukes, general manager of the best practices and automation group at the Center for Internet Security, and formerly the information-assurance director at the National Security Agency (NSA). The NSA works closely with CISA and the FBI to ascertain threats to national security.

Dukes noted there is a proposed 73% hit to CISA's National Risk Management Center, which analyzes and predicts threats to national infrastructure. “That does not mean CISA will not provide alerts, but when department budgets are cut by more than 50%, it becomes more difficult for them to publish the alerts in a timely fashion,” he said. 

According to Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA), the federal government also collects cyber-related information that individual companies would otherwise have difficulty obtaining. For example, CISA’s Joint Cyber Defense Collaborative brings together big technology providers that are experts in cybersecurity to identify potential cyberrisks and how to mitigate them. Similarly, the FBI and NSA are alerted to cyber incidents occurring across the United States and globally, and the criminal and state actors behind them. Agencies focusing on specific sectors, such as the Coast Guard, Department of the Treasury and Department of Energy, also provide cyber-related support to the industries they work with.

The impact of budget cuts on cybersecurity services may not be noticeable immediately, but over time, fewer businesses are likely to receive CISA assessments of their cybersecurity efforts or FBI assistance to investigate cybercrimes and potentially retrieve stolen funds. “We have spent several decades trying to build the federal government’s capacity to assist and collaborate with the private sector to reduce our national cyberrisk, and now that is being walked back,” Daniel said.

In its justification to reduce CISA’s National Institute of Standards and Technology’s (NIST) budget by $325 million, the White House accused the agency of developing “curricula that advances a radical climate change agenda” and pushing “environmental alarmism with its university grants.” In reality, the agency’s primary function is to create standards that enable organizations to interact more efficiently and securely. Sharp cuts could slow the development of standards to manage cyberrisks more effectively. Last August, for example, it finalized post-quantum cryptography standards that enable organizations to better protect their sensitive data and communications from potential attacks generated by quantum computers.

On a positive note, Sovada said that Congress has instead recommended an overall NIST budget increase of 11% compared to the fiscal year 2025 level, “explicitly rejecting the proposed cuts.”

Seeking Alternatives for Cyber Defense

While CISA’s focus on protecting government infrastructure and critical infrastructure will likely continue, cuts could lead to a “de-prioritization” of organizations outside of the federal government and critical infrastructure sectors, said Richard Watson, global cyber consulting leader at EY. As a result, organizations will need to seek out other options to aid in their cyber defense.

To that end, nongovernmental organizations that enable companies to share information about cyberattacks and cybersecurity may become increasingly important. Information Sharing and Analysis Centers (ISACs), for example, are nonprofit organizations that aim to facilitate sharing of information and analysis on cyberthreats and vulnerabilities within critical infrastructure sectors.

The Department of Homeland Security has designated the Multi-State Information Sharing and Analysis Center (MS-ISAC) as its key cybersecurity resource for state, local, tribal and territorial governments. Other ISACs focus on sectors such as financial services, energy and water and are often affiliated with the sector’s regulator. Information Sharing and Analysis Organizations (ISAOs) provide a similar function for other sectors and small businesses. The organizations convene meetings of sector participants and provide cyber-related alerts, and some have developed platforms to share information. “Those types of platforms have delivered a lot of value historically, and many companies may find they get more timely information out of them,” Watson said.

Companies will also need to take action on their own. “A defensive strategy would be to increase investment in threat intelligence and threat detection,” Watson said. For example, many organizations have been going through “modernization periods,” incorporating generative artificial intelligence to read and consolidate threat intelligence and act on it more efficiently, he said. Whether they are incorporating AI or not, it is incumbent on organizations to strengthen their incident response capabilities, especially where a pullback from CISA could create weaknesses. That may involve putting in place retainers enforced by commercial contracts to bring in firms that specialize in responding to cyber incidents and forensically determining how they occurred.

In addition, practicing with tabletop simulations, real-world scenarios and broader stakeholder management group exercises will also be critical to boosting an organization’s cybersecurity preparedness. “This way everyone understands what they are supposed to be doing in the event of an incident, and the company has a well-oiled incident response process that is controlled by the organization and less reliant on support from external entities such as CISA,” Watson said.

John Hintze is a New Jersey-based freelance writer.