The Department of Homeland Security estimated over the weekend that it would send home about two-thirds of employees at the Cybersecurity and Infrastructure Security Agency in the event of a government shutdown.

It’s the first time that the second Trump administration has released its contingency plan in response to what would happen if Congress doesn’t keep the government funded after Oct. 1 — something that looks likely at the moment. The furlough of two-thirds of CISA employees is also relatively close to the last time the Biden administration produced shutdown guidance in 2023.

According to the DHS document, 889 of CISA’s 2,540 personnel would keep working through a government funding lapse. That workforce estimate is from May, and could be smaller now. In 2023, DHS anticipated that it would keep 960 of its then-3,117 employees at work.

The Biden administration said that year that it would have had the ability to recall another 790 CISA employees if needed. The latest DHS guidance doesn’t include any information on recallable employees, and CISA didn’t immediately respond to a request for that figure Monday.

Furloughs of cyber personnel could have a whole host of potentially negative consequences, government officials and outside cyber experts have warned. Those consequences could be even worse as the Trump administration slashes the federal workforce, some say.

A temporary reduction could invite more attacks on the federal government; slow down patching, cyber projects and regulations; prompt permanent departures from workers disillusioned about the stability of federal cyber work; hinder cybercrime prosecutions; and freeze cyber vulnerability scans.

The latest CISA furlough estimates are “scary,” one cyber researcher wrote on the social media platform Bluesky. The White House has also instructed agencies to plan for mass firings in the event of a shutdown.

At other agencies, some federal cybersecurity-related personnel are likely to continue working during a federal funding lapse, because the law deems some government functions as “excepted,” such as those focused on missions like national security, law enforcement or protection of property and human safety. For example, at the Health and Human Services Department, the fiscal year 2026 contingency plan states that “HHS estimates that 387 staff (excluding those otherwise authorized by law) will be excepted for the protection of computer data.”

Unlike in past years, agencies are hosting contingency plans on their websites on a case-by-case basis, rather than on the website of the Office of Management and Budget. Some plans that have been published, such as those for the Department of Defense, don’t specify figures for cyber personnel.

Hundreds of thousands of federal workers could be furloughed, in total.

Two major cybersecurity laws, one providing legal protections for cyber threat data sharing and another providing state and local grants, are also set to expire in mere days. A House-passed continuing resolution would’ve temporarily extended them, but the legislation didn’t advance in the Senate.

The post Two-thirds of CISA personnel could be sent home under shutdown appeared first on CyberScoop.

Pessimism is mounting about the chances that Congress will reauthorize a cyber threat information-sharing law before it’s set to expire at the end of this month — with no clear path for either a temporary or long-term extension.

Industry groups and the Trump administration have put a lot of muscle into renewing the 2015 Cybersecurity Information Sharing Act (CISA 2015), which they say is a vital tool in the fight against malicious hackers because of the legal protections it provides for organizations to share cyber threat data with each other and the government.

But in recent weeks, multiple efforts to re-up the law have failed or been brushed aside:

• The House inserted a two-month extension of CISA 2015 into a continuing resolution to avert a government shutdown, but after the House passed the bill, the Senate voted against the continuing resolution last week. Negotiations about continuing to fund the federal government past the end of this month appear to be at a standstill.
• The Senate Homeland Security and Governmental Affairs Committee had scheduled a markup of legislation last week introduced by Chairman Rand Paul, R-Ky., to extend the law with significant changes that drew bipartisan and industry criticism. The panel then abruptly canceled the markup.
• The top Democrat on Paul’s panel, Gary Peters of Michigan, tried to get an unaltered or “clean” 10-year reauthorization of the expiring law passed on the Senate floor with a unanimous consent motion, but Paul objected without explanation, preventing it from advancing.
• House Homeland Security Chairman Andrew Garbarino, R-N.Y., sought earlier this month to offer his legislation to extend and alter CISA 2015 as an amendment to the House version of the annual defense policy bill, or National Defense Authorization Act (NDAA), but the Rules Committee prohibited the amendment from receiving a vote. (A Senate intelligence policy bill had included a 10-year extension, but when senators folded the intelligence authorization bill into that chamber’s version of the NDAA, Paul objected and got it removed.)

All of that leaves an extension of CISA 2015 without a home, and with a key senator, Paul, likely to stand in the way of swift renewal anytime soon. Under the circumstances, “I bet it does” expire, one industry source said of CISA 2015. 

“I’d be pleasantly surprised if it is continued given Paul’s objection,” the source said.

And that could be a big problem for both lawmakers and private-sector organizations.

While it’s unclear exactly how even a temporary lapse in the law might affect cyber information sharing, some have offered dire predictions about how bad it will be. In the legal community, “if you’re giving people a reason not to do something, they won’t do it,” said another industry source. 

If there’s a big breach during a time when the law has expired, the political risks increase, because cyberattack victims are likely to blame the lapse for what happens, said the source, who has extensive cybersecurity policy experience.

Best hopes (until recently)

Advocates had long pinned their hopes that a temporary two-year CISA 2015 renewal would be included in the continuing resolution (CR), given the urgency to avoid a government shutdown and the fact that the law was sent to expire when the fiscal year ends gave Congress a perfect opportunity. The House GOP’s inclusion of that short-term extension language in the CR — and Democrats’ support for it in their own proposal — indicated widespread support for the idea. The CR passed 217-212.

Senate leaders have a tradition of honoring objections on policy matters from the heads of the committees with jurisdiction over those topics when they are up for consideration in other bills. But multiple observers told CyberScoop that they interpreted the inclusion of the CISA 2015 law extension in the House CR as a sign that Senate leaders were prepared to ignore objections from Paul in this case. 

Besides lawmakers and private-sector groups, the Trump administration has been pressing for renewal. Industry and Senate sources say that new National Cyber Director Sean Cairncross has been especially focused on selling lawmakers on the need for action on CISA 2015.

But temporary renewal is now a casualty of the broader fight over a government shutdown, with the Senate voting 44-48 against the CR.

Paul complications

Earlier this month, the House Homeland Security Committee approved Garbarino’s bill to renew CISA 2015 for 10 years by a vote of 25-0. While Democrats questioned whether the legislation should’ve included any changes to the law rather than a “clean” reauthorization, Garbarino’s changes themselves garnered no significant opposition.

That wasn’t the case for the version Paul sponsored and that was scheduled for vote in his committee last week, which would have provided a two-year reauthorization. Industry groups objected to the Paul legislation striking provisions of the 2015 law that provided protections related to cyber threat data sharing with the federal government against disclosure from Freedom of Information Act requests. They opposed a section that would get rid of the law’s section on federal preemption, under which the law supersedes state laws and regulations.

Democrats also raised concerns about several key definitions in the law, including those related to the rules for  how companies can use defensive measures. According to Senate aides who spoke with CyberScoop, these changes could leave small- and medium-sized businesses particularly vulnerable. Combined with the other industry objections, the aides said, Paul’s bill would have functionally ended private sector information sharing with the government.

Industry is wary of major changes to CISA 2015 in general.

“The fact is that over the last 10 years, it’s been an effective way for the private sector to share information, which is a key ingredient in improving cybersecurity, and we should just be very careful while making changes to something that is working pretty well,” said Henry Young, senior director of policy for Business Software Alliance.

A section of the legislation that Paul wrote on free speech protections also created questions.  Five Senate and industry sources told CyberScoop that Paul canceled the markup because Senate Republican panel members planned amendments that would have, with somewhat different approaches, stripped Paul’s changes in favor of a “clean” reauthorization. 

Spokespeople for senators that sources said were behind those amendments, Joni Ernst of Iowa and Bernie Moreno of Ohio, did not respond to requests for comment.

A spokesperson for Paul disputed what the sources told CyberScoop about the reason for the cancellation.

“The characterization of the cancellation of the markup is false,” said the spokesperson, Gabrielle Lipsky. “The Democrats, who are not negotiating in good faith, asked for more time.”

Peters said in a Senate floor speech Friday that it was “disappointing” that Paul canceled the markup, and that “we were blocked from even having a discussion about the policy or draft legislation.”

Constituents in Paul’s home state have lobbied him on the importance of a “clean” reauthorization of CISA 2015; Paul’s public remarks about extension of the law have largely focused on passing a bill that includes additional guarantees on free speech.

“We make this request respecting your determination to protect Americans’ privacy and freedom of speech from censorship and intimidation by federal government employees, and we share those concerns,” a number of Kentucky business groups wrote to Paul in a Sept. 17 letter advocating for a “clean” extension. “We would welcome the opportunity to work with you to increase privacy and censorship protections in other legislation.” 

Peters asked for unanimous consent Friday for the Senate to advance a 10-year reauthorization. Paul said only, “I object,” thus blocking the renewal effort from Peters.

“Congress must pass an extension of these cybersecurity protections and prevent a lapse that would completely undercut our cybersecurity defenses and expose critical sectors to preventable attacks,” Peters said in a statement to CyberScoop. “These liability protections ensure trusted, rapid information sharing between the private sector and government to quickly detect, prevent, and respond to cybersecurity threats. I’m continuing to work toward a bipartisan, bicameral deal that will renew these protections for the long-term, but we cannot afford to let these critical cybersecurity protections expire at the end of the month.”

Other avenues

A common hope among advocates was that after a short-term extension became law as part of the CR, a longer-term extension would be included in the NDAA, which often passes toward the end of each calendar year or the start of the next.

But hopes for that diminished after actions in both the House and Senate. In the Senate, the Intelligence Committee had included a 10-year renewal in its annual intelligence authorization bill. That legislation was then included in the Senate version of the NDAA, but sources on and off the Hill told CyberScoop that Paul objected to inclusion of the CISA 2015 extension, so it was removed.

And the Rules Committee decided on Sept. 9 that Garbarino’s CISA 2015 renewal amendment wasn’t germane, thus preventing him from offering it during debate on the House floor about the NDAA. One day later, the House passed its version of the NDAA, 231-196.

The next steps for CISA 2015 reauthorization are unclear. Paul’s office did not respond to a question about his future plans for renewing CISA 2015.

Options for a short-term renewal are limited for now to whatever congressional leaders do to try to revive or replace a CR, but the timeline for doing so before CISA 2015 expires is exceptionally tight. Options for a long-term renewal might include an amendments package for the Senate version of the NDAA, since the full Senate has yet to take up its bill.

CISA 2015 “must not lapse on September 30, 2025. Allowing it to expire will create a significantly more hostile security environment for the U.S.,” Matthew Eggers, vice president of cybersecurity policy in the cyber, intelligence, and security division at the U.S. Chamber of Commerce, told CyberScoop in a written statement. “The Chamber advocates for a multi-year reauthorization of this vital law. Short-term extensions are counterproductive. Both the private sector and the government need certainty, including the ability to allocate resources for long-term cybersecurity planning and implementation. House and Senate leaders and the Trump administration have expressed strong support for reauthorizing CISA 2015.”

The post Cyber threat information law hurtles toward expiration, with poor prospects for renewal appeared first on CyberScoop.

Federal agencies are increasingly incorporating artificial intelligence into the cyberdefenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.

“We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”

Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.

“I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.

The next decade is important, and needs a “clear vision” of the available technologies and the threat landscape, “and how AI-interconnected digital ecosystems will both strengthen and strain that defensive posture,” Duffy said.

The focus now is on protecting sensitive information and making sure the government has efficient and secure interactions with the general public, he said. That includes “leveraging AI to identify vulnerabilities at scale,” Duffy said.

He said that will require the government to update a key document on federal information security, the Office of Management and Budget Circular A-130. A Biden administration executive order from January ordered an update within three years, and a June Trump executive order retained that requirement, albeit with fewer specifications about what the update would entail.

But Duffy noted the document had not been updated since the onset of large-scale AI adoption; its last update was in 2016.

In coordination with the federal chief information officer, Duffy said his office was undertaking a review of AI to measure its strengths and limitations. That includes several steps, among them evaluating the best methods of swiftly adopting AI but with safeguards for proper use.

“We’ll assess the existing cyber defense capabilities within agencies and explore cyber-centric AI use cases,” he also said.

“We’re working with CISOs to rationalize their cybersecurity tool stack to ensure individual agencies are well-postured for the evolving threat environment, while identifying opportunities to eliminate redundant and ineffective systems and capabilities to leverage enterprise-wide capabilities and programs — shared services to gain efficiencies and scale, successful AI pilots occurring within agencies,” he said.

And “we’re working with agencies to increase operational resilience as well, and our collective capacity to respond to AI incidents,” Duffy said.

The post Agencies increasingly dive into AI for cyber defense, acting federal CISO says appeared first on CyberScoop.

A top official at the Cybersecurity and Infrastructure Security Agency on Thursday rejected concerns that personnel and program cuts at CISA have hindered its work.

Nick Andersen, who just began serving as executive assistant director of cybersecurity at CISA this month, said he’s seen the agency function at a high level from both the outside and inside.

“There’s been an awful lot of reporting recently about CISA and the potential for degraded operational capabilities, and I’m telling you, nothing can be further from the truth,” he said at the Billington Cybersecurity Summit. “It is just a fantastic opportunity to see the high-level output and throughput that this team has.

“There is not a single instance where I can think of that somebody reaches out — whether it’s in our remit or not, we are connecting them with the right level of resources, and we are helping them to make themselves right, whether it’s incidents that we see affecting a state/local partner, small- or medium-sized businesses or the largest critical infrastructure owner/operators,” he continued.

The Trump administration has cut or plans to cut more than 1,000 personnel at the agency, a third of its total full-time employees, and has sought nearly half a billion dollars in funding reductions.

CISA’s shuttering of an array of programs has drawn widespread criticism from many in industry as well as from state and local governments who have partnered with the agency, not to mention concerns from Capitol Hill.

But Andersen said CISA has full support from President Donald Trump, who clashed with agency leadership in his first term, and Department of Homeland Security Secretary Kristi Noem.

“We have exceedingly strong relationships with” other government agencies and the private sector, Andersen touted. “The level of commitment within this team is second to none, and we’re just going to continue to hone and focus [on] that operational mission of what CISA should be delivering on. We’re going to continue to sort of separate out the fluff, but we are going to take every single dollar, every single resource, every single manpower hour to deliver an even sharper focus on those core capabilities in keeping with what President Trump identified as our administration priorities.”

Those priorities, Andersen said, include fortifying federal networks. “Raising the collective bar across the dot gov is a big one,” he said.

It also includes strengthening relationships with critical infrastructure owners and operators. “We want to be able to work very closely with our critical infrastructure partners on focused resilience efforts, be able to raise the bar in a sprint between now and 2027 as we prepare for the potential of China making good on its promise … to take Taiwan,” he said, so that “our critical infrastructure is not going to be held hostage.”

And it includes strengthening partnerships with other federal agencies as well as state and local governments, Andersen said.

The post CISA work not ‘degraded’ by Trump administration cuts, top agency official says appeared first on CyberScoop.

The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule — and how it interpreted the scope of whom the law would apply to or what kind of incidents would constitute reporting to CISA — had drawn industry criticism from groups that wanted a narrower reading of the definitions of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.” 

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.

The post CISA pushes final cyber incident reporting rule to May 2026 appeared first on CyberScoop.

Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.

Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.

But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

The Foundation for Defense of Democracies’ Mark Montgomery said the executive orders were “more important” than he originally understood, noting that he “underestimated” the March order after examining it more closely. Some of the steps would be positive if fully implemented, such as the preparedness order’s call for the creation of a national resilience strategy, he said.

The Center for Democracy & Technology said the June order, which would unravel some elements of executive orders under presidents Joe Biden and Barack Obama, would have a negative effect on cybersecurity.

“Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges,” said the group’s president, Alexandra Reeve Givens. “The only beneficiaries of this step backward are hackers who want to break into federal systems, fraudsters who want to steal taxpayer money from insecure services, and legacy vendors who want to maintain lucrative contracts without implementing modern security protections.”

The big changes and the in-betweens

Perhaps the largest shift in either order is the deletion of a section of an executive order Biden signed in January on digital identity verification that was intended to fight cybercrime and fraud. In undoing the measures in that section, the White House asserted that it was removing mandates “that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”

One critic, speaking on condition of anonymity to discuss the changes candidly, said “there’s not a single true statement or phrase or word in” the White House’s claim. The National Security Council did not respond to requests for comment on the order.

Some, though, such as Nick Leiserson of the Institute for Security and Technology, observed that the digital identities language in the Biden order was among the “weakest” in the document, since it only talked about how agencies should “consider” ways to accept digital identities.

The biggest prospective change in the March order was a stated shift for state and local governments to handle disaster preparedness, including for cyberattacks, a notion that drew intense criticism from cyber experts at the time who said states don’t have the resources to defend themselves against Chinese hackers alone. But that shift could have bigger ripples than originally realized.

Errol Weiss, chief security officer at the Health-ISAC, an organization devoted to exchanging threat information in the health sector, said that as the Cybersecurity and Infrastructure Security Agency has scaled back the free services it offers like vulnerability scanning, states would hypothetically have to step into that gap to aid entities like the ones Weiss serves. “If that service goes away, and pieces of it probably already have, there’s going to be a gap there,” he said.

Some of the changes from the March order might only be realized now that the Senate has confirmed Sean Cairncross as national cyber director, or after the Senate takes action on Sean Plankey to lead CISA, said Jim Lewis, a fellow at the Center for European Policy Analysis.

For instance: The order directs a review of critical infrastructure policy documents, including National Security Memorandum 22, a rewrite of a decade-old directive meant to foster better threat information sharing and respond to changing threats. There are already signs the administration plans to move away from that memorandum, a development that a Union of Concerned Scientists analyst said was worrisome, but critics of the memo such as Montgomery said a do-over could be a good thing.

Most of the other biggest potential changes, however, are in the June order. This is a partial list:

• It eliminates a requirement under the January Biden order that government vendors provide certifications about the security of their software development to CISA for review. “I just don’t think that you can play the whole, ‘We care about cyber,’ and, ‘Oh, by the way, this incredible accountability control? We rolled that back,’” said Jake Williams, director of research and development at Hunter Strategy.
• It removes another January Biden order requirement that the National Institute of Standards and Technology develop new guidance on minimum cybersecurity practices, thought to be among that order’s “most ambitious prescriptions.”
• It would move CISA in the direction of implementing a “no-knock” or “no-notice” approach to hunting threats within federal agencies, Leiserson noted.
• It strikes language saying that the internet data routing rules known as Border Gateway Protocol are “vulnerable to attack and misconfiguration,” something Williams said might ease pressure on internet service providers to make improvements. “The ISPs know it’s going to cost them a ton to address the issue,” he said.
• It erases a requirement from the Biden order that contained no deadline, but said that federal systems must deploy phishing-resistant multi-factor authentication. 
• It deletes requirements for pilot projects stemming from the Defense Advanced Research Projects Agency-led Artificial Intelligence Cyber Challenge. DARPA recently completed its 2025 challenge, awarding prize money at this year’s DEF CON cybersecurity conference.
• It says that “agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks,” a change security adviser and New York University adjunct professor Alex Sharpe praised.

Some of the changes led to analysts concluding, alternatively, a continuation or rollback of directives from the January Biden executive order on things like federal agency email encryption or post-quantum cryptography.

The head-scratchers and the mysteries

Some of the moves in the June order perplexed analysts.

One was specifying that cyber sanctions must be limited, in the words of a White House fact sheet, “to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.” The Congressional Research Service could find no indication that cyber sanctions had been used domestically, and said the executive order appears to match prior policy.

Another is the removal of the NIST guidance on minimum cybersecurity practices. “If you’re trying to deregulate, why kill the effort to harmonize the standards?” Sharpe asked. 

Yet another is deletion of a line from the January Biden order to the importance of open-source software. “This is a bit puzzling, as open source software does underlie almost all software, including federal systems,” Leiserson wrote (emphasis his).

Multiple sources told CyberScoop it’s unclear who wrote the June order and whom they consulted with in doing so. One source said some agency personnel complained about the lack of interagency vetting of the document. Another said Alexei Bulazel, the NSC director of cyber, appeared to have no role in it.

Another open question is how much force will be put behind implementing the June order.

It loosens the strictness with which agencies must carry out the directives it lays out, at least compared with the January Biden order. It gives the national cyber director a more prominent role in coordination, Leiserson said. And it gives CISA new jobs.

“Since President Trump took office — and strengthened by his Executive Order in June — CISA has taken decisive action to bolster America’s cybersecurity, focusing on critical protections against foreign cyber threats and advancing secure technology practices,” said Marci McCarthy, director of public affairs for CISA.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cyber subpanel, told CyberScoop he was skeptical about what the June executive order signalled about Trump’s commitment to cybersecurity.

“The President talks tough on cybersecurity, but it’s all for show,” he said in a statement. “He signed the law creating CISA and grew its budget, but also rolled back key Biden-era protections, abandoned supply chain efforts, and drove out cyber experts. CISA has lost a third of its workforce, and his FY 2026 budget slashes its funding …

“Even if his cyber and AI goals are sincere, he’s gutted the staff needed to meet them,” Swalwell continued. “He’s also made the government less secure by giving unvetted allies access to sensitive data. His actions don’t match his words.”

Montgomery said there was a contradiction between the June order giving more responsibilities to agencies like NIST while the administration was proposing around a 20% cut to that agency, and the March order shifting responsibilities to state and local governments without giving them the resources to handle it.

A WilmerHale analysis said that as the administration shapes cyber policy, the June order “signals what that approach is likely to be: removing requirements perceived as barriers to private sector growth and expansion while preserving key requirements that protect the U.S. government’s own systems against cyber threats posed by China and other hostile foreign actors.”

For all of the changes it could make, analysts agreed the June order does continue a fair number of Biden administration policies, like commitments to the Cyber Trust Mark labeling initiative, space cybersecurity policy and requirements for defense contractors to protect sensitive information.

Some of those proposals didn’t get very far before the changeover from Biden to Trump. But it might be easier for the Trump administration to achieve its goals.

“It’s hard to say the car is going in the wrong direction when they haven’t started the engine,” Lewis said. “These people don’t have the same problem, this current team, because they’re stripping stuff back. They’re saying, ‘We’re gonna do less.” So it’s easier to do less.”

The post The overlooked changes that two Trump executive orders could bring to cybersecurity appeared first on CyberScoop.

Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.

The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.

Two people — House Homeland Security Chairman Andrew Garbarino, R-N.Y., and Adam Meyers, senior vice president of counter adversary operations at CrowdStrike — specifically used the word “pivotal” to describe this moment for Cairncross and his office, while others said as much in other ways.

“It’s a new organization, and with any new organization, you’ve got to build up the muscle memory of how ONCD fits into the interagency process and what it means to set a unified national cybersecurity agenda, the language the director was using in his nomination hearing,” Nicholas Leiserson, a former assistant national cyber director under President Joe Biden who worked on the legislation to create the office as a Hill staffer, told CyberScoop. “We need to make sure that ONCD is the center of the policymaking apparatus. … That is going to be critical to his success.”

Brian Harrell, a former infrastructure protection official at the Deparment of Homeland Security and the Cybersecurity and Infrastructure Security Agency in Trump’s first term, said that with personnel reductions at CISA and change elsewhere, Cairncross has a big opportunity.

“ONCD must be seen as the air traffic controller on all things cyber moving forward,” he said via email. “Given the agency rebuild happening at CISA, and new leadership at FBI and NSA cyber, now is the time to build influence and patch struggling relationships. Add to this, a private sector that is unsure where to turn to during a crisis … Sean must be seen as a convener and facilitator to get the President the right information to make key decisions.”

On the policy front, Leiserson, now senior vice president for policy at the Institute for Security and Technology, said Cairncross has a great opportunity to work through the thicket of federal cybersecurity regulations and disentangle them in a harmonization effort that began under Biden and has bipartisan support. Some seasoned staffers who worked on the issue then remain in the federal government, Leiserson said.

Garbarino also brought up harmonization in a written statement as an issue he wants to see Cairncross address, along with leading the charge renewing the 2015 threat data sharing law known as the Cybersecurity Information Sharing Act, set to expire next month. Jason Oxman, president of the Information Technology Industry Council, said in a press release congratulating Cairncross that renewal of that law was “essential to help ONCD achieve its cybersecurity mission.”

USTelecom President and CEO Jonathan Spalter said enhancing the government’s relationship with the private sector, a subject Cairncross brought up in his confirmation hearing, was also vital. Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm, said of Cairncross in a statement to CyberScoop: “I know that under his leadership, public-private partnership will continue to strengthen and secure our future.”

Those policy challenges, as well as the challenges of strengthening the national cyber director’s standing within the federal government and fortifying the public-private partnership, go hand-in-hand with the threats Cairncross will have to confront.

“The mission of the Office of the National Cyber Director has never been more critical: advancing a unified, strategic, and forward-leaning approach to the cyber threats facing our increasingly digital society,” Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and a former member of the Cyberspace Solarium Commission that recommended that Congress create the office, said in a written statement.

Leiserson said threats like the Chinese hackers known as Salt Typhoon penetrating telecommunications networks surely would be at the forefront of Cairncross’s concerns — a threat Cairncross brought up at his confirmation hearing. Harrell mentioned the looming possibility of a Chinese attack on Taiwan.

Oxman raised the threats to U.S. critical infrastructure and the supply chain. CrowdStrike’s Meyers, in a statement to CyberScoop, said the pivotal moment of Cairncross’s confirmation comes as “threat actors weaponize AI and the threat landscape continues to evolve at machine speed.”

Cairncross comes into the job with far less cybersecurity experience than many who have held federal cyber leadership posts. And he comes in with other potential disadvantages, too. At his nomination hearing, Sen. Elissa Slotkin, D-Mich., pointed to deep budget cuts at CISA, telling Cairncross that “you will oversee the single biggest cut in federal cybersecurity dollars.”

But Leiserson said it was encouraging that Trump’s fiscal 2026 budget proposal would keep funding for the Office of the National Cyber Director pretty level.

There are other reasons to be optimistic about the view from federal leaders on the office, too, some pointed out. Cilluffo noted that the 59-35 vote for Cairncross in the Senate suggested some bipartisan support. Leiserson observed that Cairncross was one of the few nominees to escape the nominee backlog in the Senate before lawmakers went on recess.

As for his relative lack of cyber experience, Cairncross has talked about surrounding himself with the right people, Leiserson said.

“You want the unicorns who are incredibly politically astute and who have very deep cyber knowledge,” he said. “These people are hard to come by. We’ve had real cyber experts on the job. Now we’ve got someone who … is going to have an easy time navigating the West Wing. That is a skill set that is vital for running a White House organization, and shouldn’t be discounted.”

The post New National Cyber Director Cairncross faces challenges on policy, bureaucracy, threats appeared first on CyberScoop.

President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.

“If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.

Should he be confirmed for the role, Plankey is set to arrive at an agency that has had its personnel and budget slashed significantly under Trump, a topic of concern for Democratic senators including the ranking member on the panel vetting him, Gary Peters of Michigan. Peters asked how he’d handle the smaller CISA he’s inherited while still having a range of legal obligations to fulfill.

“One of the ways I’ve found most effective when you come in to lead an organization is to allow the operators to operate,” Plankey said. “If that means we have to reorganize in some form or fashion, that’s what we’ll do, I’ll lead that charge. If that means we need a different level of funding than we currently have now, then I will approach [Department of Homeland Security Secretary Kristi Noem], ask for that funding, ask for that support.”

Under questioning from Sen. Richard Blumenthal, D-Conn., about whether he believed the 2020 election was rigged or stolen, Plankey, like other past Trump nominees, avoided answering “yes” or “no.” 

At first he said he hadn’t reviewed any cybersecurity around the 2020 election. He then said, “My opinion on the election as an American private citizen probably isn’t relevant, but the Electoral College did confirm President Joe Biden.” 

Blumenthal pressed him, saying his office was supposed to be above politics, and asked what Plankey would do if Trump came to him and falsely told him the 2026 or 2028 elections were rigged. 

“That’s like a doctor who’s diagnosing someone over the television because they saw them on the news,” Plankey answered.

Chairman Rand Paul, R-Ky., rebutted Blumenthal, saying “CISA has nothing to do with the elections.” But Sen. Josh Hawley, R-Mo., later asked Plankey about CISA’s “important” role in protecting election infrastructure, and asked how he would make the line “clear” between past CISA disinformation work that Republicans have called censorship and cybersecurity protections.

Plankey answered that Trump has issued guidance on the protection of election security infrastructure like electronic voting machines, and it’s DHS’s job “to ensure that it is assessed prior to an election to make sure there are no adversarial actions or vulnerabilities in it,” something he’d focus on if Noem tasked CISA with the job.

Plankey said he would not engage in censorship — something his predecessors staunchly denied doing — because “cybersecurity is a big enough problem.” His focus would be on defending federal networks and critical infrastructure, he said. To improve federal cybersecurity, he said he favored “wholesale” revamps of federal IT rather than smaller fixes.

The Center for Democracy and Technology said after Plankey’s hearing it was concerned about how CISA would approach election security.

“CISA has refused to say what its plans are for the next election, and election officials across the country are flying blind,” said Tim Harper, senior policy analyst on elections and democracy for the group. “If CISA is abandoning them, election officials deserve to know so they can make plans to protect their cyber and physical infrastructure from nation-state hackers. Keeping them in the dark only helps bad actors.”

Plankey indicated support for the expiring State and Local Cybersecurity Grant Program, as well as the expiring 2015 Cybersecurity and Information Sharing Act, both of which are due to sunset in September.

Paul told reporters after the hearing that he planned to have a markup of a renewal of the 2015 information sharing law before the September deadline, with language added to explicitly prohibit the Cybersecurity and Infrastructure Security Agency from any censorship.

Plankey’s nomination next moves to a committee vote, following an 11-1 vote last month to advance the nomination of Sean Cairncross to become national cyber director. Plankey’s nomination would have another hurdle to overcome before a Senate floor vote, as Sen. Ron Wyden, D-Ore., has placed a hold on the Plankey pick in a bid to force the administration to release an unclassified report on U.S. phone network security.

“The Trump administration might not have been paying attention, so I’ll say it again: I will not lift my hold on Mr. Plankey’s nomination until this report is public. It’s ridiculous that CISA seems more concerned with covering up phone companies’ negligent cybersecurity than it is with protecting Americans from Chinese hackers,” Wyden said in a statement to CyberScoop. “Trump’s administration won’t act to shore up our dangerously insecure telecom system, it hasn’t gotten to the bottom of the Salt Typhoon hack, and it won’t even let Americans see an unclassified report on why it’s so important to put mandatory security rules in place for phone companies.”

The post Plankey vows to boot China from U.S. supply chain, advocate for CISA budget appeared first on CyberScoop.

Data from sensors that detect threats in critical infrastructure networks is sitting unanalyzed after a government contract expired this weekend, raising risks for operational technology, a program leader at Lawrence Livermore National Laboratory told lawmakers Tuesday.

That news arrived at a hearing of a House Homeland Security subcommittee on Stuxnet, the malware that was discovered 15 years ago after it afflicted Iran’s nuclear centrifuges. The hearing focused on operational technology (OT), used to monitor and control physical processes in things like manufacturing or energy plants.

Amid a Department of Homeland Security review of contracts, the arrangement between the laboratory and DHS’s Cybersecurity and Infrastructure Security Agency to support the CyberSentry program expired Sunday, the laboratory program manager Nathaniel Gleason told lawmakers under questioning Tuesday. An agency official told CyberScoop later Tuesday that the program is still operational.

CyberSentry is a voluntary program for critical infrastructure owners and operators to monitor threats in both their IT and OT networks.

“We’re looking for threats that haven’t been seen before,” Gleason told California Rep. Eric Swalwell, the top Democrat on the Subcommittee on Cybersecurity and Infrastructure Protection. “We’re looking for threats that exist right now in our infrastructure. One of the great things about the CyberSentry program is that it takes the research and marries it with what is actually happening on the real networks. So we’re not just doing science projects. We’re deploying that technology out in the real world, detecting real threats.”

But the lab can’t legally analyze the data from the CyberSentry sensors without funding from government agencies, and funding agreements were still making their way through DHS processes before the contract expired this weekend, he said.

“One of the most important things is getting visibility into what’s happening on our OT networks,” Gleason said. “We don’t have enough of that. So losing this visibility through this program is a significant loss.”

Spokespeople for the lab did not immediately provide further details on the size or length of the contract. Other threat hunting contracts have also expired under the Trump administration. 

Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement to CyberScoop that the “CyberSentry program remains fully operational.”

“Through this program, CISA gains deeper insight into network activity of CyberSentry partners, which in turn helps us to disseminate actionable threat information that critical infrastructure owners and operators use to strengthen the security of their networks and to safeguard American interests, people, and our way of life,” Butera said. “CISA routinely reviews all agreements and contracts that support its programs in order to ensure mission alignment and responsible investment of taxpayer dollars. CISA’s ongoing review of its agreement with Lawrence Livermore National Laboratory has not impacted day-to-day operations of CyberSentry and we look forward to a continued partnership.”

Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, told the subcommittee there aren’t enough federal OT cybersecurity resources in general.

“We must better resource OT security,” Bolton said. “From addressing the growing tech debt,  hiring cybersecurity experts, to procuring and building updated systems, OT owners and operators don’t have the necessary funding to defend their networks.”

Those owners and operators spend 99 cents of every dollar on physical security and 1 cent on cybersecurity, she said. Reauthorizing the State and Local Cybersecurity Grant Program, due to expire in September, would help with that, Bolton said.

The Trump administration has made large cuts in CISA’s budget since the president took office in January.

This story was updated July 22 with comments from CISA’s Chris Butera.

The post Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab  appeared first on CyberScoop.