Federal Budget Cuts Threaten Cyber Defense Role of the Cybersecurity and Infrastructure Security Agency

In a Risk Management Magazine article, John Hintze reports that proposed federal budget cuts for fiscal year 2026 could sharply reduce the reach and resources of the Cybersecurity and Infrastructure Security Agency (CISA), long regarded as the federal government’s primary cybersecurity coordinator. 

The cuts, initially proposed at 17% but later reduced to 4.6% in a House subcommittee version, remain uncertain as Congress struggles to finalize appropriations. Regardless of the outcome, staffing losses at the Cybersecurity and Infrastructure Security Agency are already significant, with the agency reportedly down to between 2,200 and 2,600 employees from its earlier peak of 3,700.

CISA’s mission is to safeguard federal systems and critical infrastructure while supporting private-sector cyber defense through information sharing and incident reporting. Hintze cites experts who warn that deep cuts could erode those capabilities. 

Curtis Dukes of the Center for Internet Security notes that proposals targeting CISA’s Stakeholders Engagement Division and National Risk Management Center, by as much as 62% and 73%, respectively, could slow the dissemination of vital cyber alerts. Similarly, Michael Daniel of the Cyber Threat Alliance cautions that decades of progress in government-private collaboration to reduce national cyberrisk may be reversed.

Although the White House also proposed slashing the National Institute of Standards and Technology’s (NIST) budget, Congress has so far recommended an increase, rejecting those reductions. Still, Richard Watson of EY warns that a leaner CISA may shift its focus toward federal systems, leaving private companies to seek alternative resources, such as Information Sharing and Analysis Centers (ISACs), and to strengthen their internal response capabilities. 

For compliance leaders, budget-driven gaps in federal cybersecurity support demand renewed investment in threat intelligence, incident preparedness, and public-private collaboration.