COMMENTARY: Government agencies at both the state and federal levels are grappling with the challenge of modernizing and securing their infrastructure while facing tighter budgets and fewer resources than ever.
While it's a very real resource strain, especially for the staff who remain after workforce reductions, this situation isn't likely to compromise critical infrastructure protection, a very important mission of the Cybersecurity and Infrastructure Security Agency (CISA).
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
It's something the Trump administration has explicitly prioritized, which includes collaborating with state and critical infrastructure partners to secure all 16 designated sectors vital to Americans' daily lives.
For other areas that may experience budget cuts, the federal government has fostered stronger public-private collaboration, encouraging private sector involvement through various initiatives such as working groups, GitHub discussions, and public comment periods, as evidenced by programs like FedRAMP 20x and the CISA Secure-by-Design pledge. However, we now know that one-third of the workforce at CISA has already left the agency through voluntary buyouts, early retirement, or layoffs. To understand how CISA will navigate these complexities and reshape the national cybersecurity landscape, I break down the strategic refocusing of the agency, the increasing emphasis on public-private collaboration, and the essential implications for securing critical missions.
Realigning CISA: Streamline and refocus efforts
The administration wants to streamline CISA, eliminate duplicate positions, reduce waste, and ultimately refocus efforts and resources on crucial public-private partnerships. It's important to note that the exact scope of these cuts remains a dynamic situation. Congressional proposals for CISA budget reductions are less severe than those initially put forth by President Trump, suggesting ongoing negotiations that will likely result in a compromise.
Regardless of the shifting landscape, there's a strong belief that the focus on critical infrastructure will remain largely unaffected. The administration has been explicit in outlining areas of focus and priority, and critical infrastructure consistently ranks high on this list. This commitment includes continuing vital liaisons with state governments to strengthen infrastructure security at the state level.
Build stronger public-private partnerships
In areas where budget realignments may occur, the federal government appears to be doubling down on its reliance on public-private partnerships.
FedRAMP 20x stands out as a prime example of this strategy. This program actively encourages engagement from the private sector through avenues like working groups dedicated to setting standards, GitHub discussion groups for collaborative problem-solving, and public comment periods on new standards. It's anticipated that CISA will continue to pursue a similar collaborative path to ensure it leverages expertise, research, and intel from the private sector.
CISA also continues to support its Secure-by-Design principles. These principles encompass crucial security practices such as enabling multi-factor authentication (MFA), reducing default passwords, and proactively eliminating certain types of vulnerabilities from products and services. By offering these guardrails for organizations to abide by, the government has armed the private sector with guidance rather than expecting it to navigate this uncharted territory alone. I expect this to continue, especially as we watch regulations and guidance around AI come from the government.
How to secure agencies in a new era
Given the prevailing strain on resources, agencies should prioritize tools that offer comprehensive cloud-agnostic security coverage, because a mix of cloud environments is the reality in which organizations operate today. These tools must offer precise risk scoring based on asset context and identified attack paths, and critically, integrate workflows across various functions, including compliance. It's essential to embrace such holistic approaches to ensure the continuity and integrity of agency missions.
Despite initial concerns, the impact of these changes may not be as severe as first anticipated. We've already seen significant positive momentum from initiatives like the CISA Secure-by-Design pledge and FedRAMP 20x, demonstrating the effectiveness of strong public-private partnerships. It's unlikely that any political group would support cutting vital resources for our cybersecurity infrastructure.
In the end, the budget adjustments are expected to land in a middle ground, allowing agencies to continue their essential mission of guiding the private sector forward during times of change and innovation.
Tim Chase, principal technical evangelist, Orca Security