Impacts of CISA cuts on federal agencies outlined

In light of escalated cyber threats and limited funding, can the Cybersecurity and Infrastructure Security Agency (CISA) effectively execute its essential duties?


The Cybersecurity and Infrastructure Security Agency (CISA) has faced significant challenges due to budget cuts, affecting its workforce and capacity to provide comprehensive national cybersecurity support.

The initial proposed cut by the Trump administration was $495 million, which was significantly less than the proposed cut. As a result, CISA's workforce has been reduced by about one-third, leading to the termination of many contracts supporting critical government cybersecurity functions.

This downsizing has raised concerns that CISA’s capacity to offer free cybersecurity services—such as vulnerability scans, expert assessments, and tailored guidance—may be severely diminished, creating more weaknesses exploitable by cyber adversaries like Russia and China targeting critical infrastructure.

Despite these challenges, CISA officials have stated that the agency is continuing its key cybersecurity work and maintaining a talented workforce focused on protecting federal networks and infrastructure. The agency also continues to issue emergency directives, such as those for Microsoft Exchange vulnerabilities, to mitigate cyber risks to federal systems.

However, the broader impact of the budget reductions includes weakened federal support for critical infrastructure cybersecurity, potentially shifting responsibility to states and local governments, which may lack comparable resources and expertise. Additionally, there is a reduced presence and engagement in industry forums and partnerships, potentially undermining collaborative cybersecurity efforts with private industry and other stakeholders.

Moreover, general trends of cyber budgets stagnating or growing very slowly, alongside a cybersecurity talent shortage, heighten risks and stretch resources thinly across organizations.

In April 2023, CISA's contract with MITRE, which administers the Common Vulnerabilities and Exposures (CVE) program, a global vulnerability database, nearly expired, a lapse that could have left all stakeholders in the lurch and threatened global operations.

Federal agencies and other CISA stakeholders may look to alternative providers of threat intelligence, including open-source platforms and commercial feeds. However, most of these solutions require additional costs or workforce.

The current administration's policy agenda includes cutting spending and downsizing government at the federal level, which could lead to further downsizing and a brain drain that can only serve to weaken CISA's vulnerability management, threat intelligence, and incident response capabilities.

The Government Accountability Office acknowledges that efforts to meet cybersecurity challenges facing the government are woefully behind, with more than 850 recommendations not fully implemented as of February 2023.

Despite these challenges, most cybersecurity experts still trust and hope for the preservation of the current CISA model. However, budget cuts could affect CISA's benchmarking tools and scoring mechanisms, impacting system hardening and security.

In summary, while CISA is striving to maintain operations, budget cuts have curtailed its workforce and program capacity, threatening its ability to provide comprehensive national cybersecurity support and respond swiftly to emerging threats, thereby increasing vulnerabilities to cybercrime against critical infrastructure.

  1. The budget cuts faced by the Cybersecurity and Infrastructure Security Agency (CISA) have led to the termination of many contracts supporting critical government cybersecurity functions, potentially affecting its capacity to provide technology-based security solutions.
  2. As a result of budget cuts, CISA's ability to offer free cybersecurity services, such as vulnerability scans and expert assessments, could be severely diminished, making the nation more vulnerable to cyber threats, especially from adversaries like Russia and China targeting critical infrastructure.
