
Risk and Compliance 2025 Exchange: Diligent’s Jason Venner on moving beyond manual cyber compliance

The Pentagon is taking a major step forward in modernizing how it addresses cybersecurity risks.

Defense Department officials have emphasized the need to move beyond “legacy shortcomings” to deliver technology to warfighters more rapidly. In September, DoD announced a new cybersecurity risk management construct to address those challenges.

“The previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements,” DoD wrote at the time. “These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field.”

Weeding through legacy manual processes

The legacy of manual processes has built up over decades. Jason Venner, a solutions sales director at Diligent, said agencies have traditionally relied on people and paperwork to ensure compliance.

“It’s no one’s fault,” Venner said during Federal News Network’s Risk & Compliance Exchange 2025. “It just sort of evolved that way, and now it’s time to stop and reassess where we’re at. I think the administration is doing a pretty good job in looking at all the different regs that they’re promulgating and revising them.”

Venner said IT leaders are interested in ways to help streamline the governance, risk and compliance process while ensuring security.

“Software should help make my life easier,” he said. “If I’m a CIO or a CISO, it should help me make my life easier, and not just for doing security scans or vulnerability scans, but actually doing IT governance, risk and compliance.”

Katie Arrington, who is performing the duties of the DoD chief information officer, has talked about the need to “blow up” the current RMF. The department moved to the framework in 2018 when it transitioned away from the DoD Information Assurance Certification and Accreditation Process (DIACAP).

“I remember when we were going from DIACAP to RMF, I wanted to pull my hair out,” Arrington said earlier this year. “It’s still paper. Who reads it? What we do is a program protection plan. We write it, we put it inside the program. We say, ‘This is what we’ll be looking to protect the program.’ We put it in a file, and we don’t look at it for three years. We have to get away from paperwork. We have to get away from the way we’ve done business to the way we need to do business, and it’s going to be painful, and there are going to be a lot of things that we do, and mistakes will be made. I really hope that industry doesn’t do what industry tends to do, [which] is want to sue the federal government instead of working with us to fix the problems. I would really love that.”

Arrington launched the Software Fast Track initiative to once again tackle the challenge of quickly adopting secure software.

Evolving risk management through better automation, analytics

DoD’s new risk management construct includes a five-phase lifecycle and a set of core principles, including automation, continuous monitoring and DevSecOps.

Arrington talked about the future vision for cyber risk management within DoD earlier this year.

“I’m going to ask you, if you’re a software provider, to provide me your software bill of materials in both your sandbox and production, along with a third-party SBOM. You’re going to populate those artifacts into our Enterprise Mission Assurance Support Service,” she said. “I will have AI tools on the back end to review the data instead of waiting for a human and if all of it passes the right requirements, provisional authority to operate.”

Venner said the use of automation and AI rests on a foundation of data analytics. He argued that the successful use of AI for risk management will require purpose-built models.

“Can you identify, suggest, benchmark things for me and then identify controls to mitigate these risks, and then let me know what data I need to monitor to ensure those controls are working? That’s where AI can really accelerate the conversation,” Venner said.


The post Risk and Compliance 2025 Exchange: Diligent’s Jason Venner on moving beyond manual cyber compliance first appeared on Federal News Network.

© Federal News Network


Risk & Compliance Exchange: Cyber AB’s Matt Travis on scaling the CMMC ecosystem

The Cybersecurity Maturity Model Certification program is officially off the ground.

CMMC is the Pentagon’s program to evaluate whether defense contractors are following requirements for protecting controlled unclassified information. The cybersecurity requirements, based on National Institute of Standards and Technology controls, have been in Defense Department contracts since 2016.

It took years for CMMC to become a reality. But the final rule to implement CMMC into contractual requirements took effect Nov. 10. The rule establishing CMMC as a program had already gone into effect last year.

DoD has a phased implementation plan for the program. During Phase 1, over the next year, the department will largely require CMMC self-assessments from contractors. But DoD programs have the discretion to require Level 2 CMMC third-party assessments over the next year as needed.

Tackling third-party CMMC assessments

During Phase 2, starting next November, those third-party assessments will become standard in applicable contracts.

Those third-party assessments are a key facet of the CMMC program and its goal to ensure defense contractors follow cybersecurity requirements.

The Cyber Accreditation Body is responsible for authorizing the CMMC third-party assessment organizations (C3PAOs) that will carry out those independent assessments. And Matthew Travis, CEO of The Cyber AB, said work is well underway on building out the scaffolding that will support the CMMC program.

“If there’s any remaining skepticism of whether or not the department was serious about this conformity regime, you can now just look at the Code of Federal Regulations and see both rules there,” Travis said during Federal News Network’s Risk & Compliance Exchange 2025. “Now, the real challenge is to scale the ecosystem.”

‘Impending bow wave’

So far, just under 500 defense contractors have voluntarily achieved a Level 2 CMMC certification, Travis shared.

But the Pentagon has estimated that the requirement for a Level 2 third-party assessment could apply to as many as 80,000 companies as CMMC is phased in.

“I am concerned about the impending bow wave that I think we’ll see in demand,” Travis said.

Some C3PAOs already have a backlog of assessments that stretch into next year.

“Now is the time to move if you’re ready,” Travis added. “People are going to start racing to the checkout line, and it’s going to be a wait. So move now if you’re ready, and if you’re not ready, get ready, because the sooner you do it, the sooner you’ll be able to get a slot.”

Among the voluntary Level 2 assessments that have occurred to date, Travis said “false starts” have been an issue for some organizations.

“We heard frequently from the C3PAOs that they had to call it off mutually once the organization seeking certification realized all the things that they hadn’t fully done,” Travis said. “And the C3PAO said, ‘We might want to pause here. Go back to work and call us when you’re ready.’ ”

Travis said the 110 requirements under Level 2 go beyond technical controls.

“It does require an organizational commitment,” he said. “There are physical security requirements, there are training requirements that human resources has to be involved in. There are leadership requirements in terms of resourcing.”

Another key lesson gleaned from early assessments is the need for companies to understand their external service providers. Travis said most organizations rely on cloud service providers or managed service providers for many IT and cybersecurity needs.

But whether they’re a CSP or an MSP — and to what extent they are involved in an organization’s handling of controlled unclassified information — are crucial questions in a CMMC assessment.

“Knowing who’s helping you and knowing your organization is fully committed are probably the two biggest takeaways that we’re hearing from industry,” Travis said.

CMMC’s ‘long pole in the tent’

The Cyber AB, through its no-cost contract with the Pentagon, is responsible for authorizing C3PAOs and certifying the people who conduct CMMC assessments.

Travis said there are just under 600 certified CMMC assessors today. Half of them are eligible to lead assessment teams.

But to meet the envisioned scale of the CMMC program — evaluating tens of thousands of defense contractors annually — Travis estimates there’s a need for between 2,000 and 3,000 assessors.

“That’s the most important part of the ecosystem that has to be grown. … That’s a long pole in the tent,” Travis said.

Initially, the challenge to building a pool of assessors was DoD’s drawn-out rulemaking process: There was no financial incentive to become an assessor with no CMMC requirements on the horizon.

But Travis said the challenge now is getting CMMC assessors through the process quickly enough as DoD phases in the requirements. The process of becoming an assessor involves training, exams and passing a Tier 3 DoD background investigation, which is equivalent to being investigated for a secret-level security clearance. Those investigations can often take months.

Travis said assessors don’t necessarily need to start with a technical background. He pitched it as a “great way for folks to get engaged in cybersecurity.”

“Whether it’s a full time job or a side hustle, these assessors are going to be in demand,” Travis said. “And so the compensation that goes with it, I think, is compelling. We are encouraging folks, if they haven’t considered entering into the CMMC program, think about becoming an assessor.”


What happens next with shutdown Hatch Act complaints?

Investigators at the Office of Special Counsel returning to their jobs earlier this month would likely have been greeted with multiple Hatch Act complaints after a wave of alleged partisan political messaging by federal agencies during the shutdown.

Throughout the 43-day shutdown, multiple agencies posted messages on their websites blaming the shutdown on the “radical left,” “Democrats” and other politically tinged phrases.

Those actions immediately drew multiple Hatch Act complaints. The 1939 law restricts political activities by federal employees and is intended to ensure the nonpartisan administration of government programs.

The Education Department also changed furloughed employees’ out-of-office email replies to blame the shutdown on “Democrat senators.” A federal judge earlier this month found that the agency had violated employees’ First Amendment rights. Education was forced to change the out-of-office reply shortly before the shutdown ended.

“In this compressed timeframe, we haven’t seen this level of potential Hatch Act violations with regards to just changing emails, publishing these notices on the government websites and engaging in this partisan messaging,” Michael Fallings, managing partner at law firm Tully Rinckey, told Federal News Network.

The use of federal agency websites for such messaging was also a novel development in the long-running evolution of the Hatch Act.

Kedric Payne, who helped represent Education Department employees as vice president, general counsel and senior director of ethics at the Campaign Legal Center, said the shutdown messaging “could have been a test run of what may happen during the election year.”

“You could imagine a situation where, during the election year, there may be similar banners, similar email statements and other communications coming from the agencies that are partisan,” Payne told Federal News Network. “If there are no consequences for what happened during the shutdown, there’s not a real threat for the agencies to limit themselves on violating the Hatch Act or First Amendment rights.”

Office of Special Counsel role

OSC is responsible for investigating Hatch Act complaints. But most OSC staff were furloughed through the shutdown. Out of the agency’s 122 employees, just 17 were kept onboard, according to the OSC shutdown plan. Those excepted staff were primarily focused on handling whistleblower disclosures “involving a substantial and serious risk to public health or safety or those requiring emergency action to protect property.”

Multiple nonprofit organizations publicized their Hatch Act complaints. The total number of Hatch Act complaints received by OSC isn’t public, and OSC didn’t respond to a request for comment.

But given OSC’s relatively small staff, the backlog of work due to the furlough, and the large number of known complaints, Fallings expects the Hatch Act cases will likely face delays. OSC typically takes 120 days to conduct preliminary reviews, but there isn’t a statutory deadline for completing Hatch Act investigations.

“I think what OSC would do is try to figure out which complaints may have the most proof of a violation, and pursue those,” Fallings said.

In his opinion siding with Education Department employees and their union, District Judge Christopher Cooper referenced the Hatch Act and pointed to the executive branch’s “multifront campaign to assign blame for the government shutdown.”

“It began by plastering politically-charged language on official public websites,” Cooper wrote. “Apparently, that wasn’t enough. The department waited until its furloughed employees lost access to their email, then gratuitously changed their out-of-office messages to include yet another partisan message, thereby turning its own workforce into political spokespeople through their official email accounts. The department may have added insult to injury, but it also overplayed its hand.”

While the case ultimately hinged on federal employees’ First Amendment rights, Payne said Cooper’s ruling “recognized the spirit of the Hatch Act and its role in making sure that you don’t have government employees saying something that would be considered partisan.”

With OSC having primary responsibility to enforce the Hatch Act, legal experts are closely watching what happens next with the shutdown complaints.

If OSC finds that a Hatch Act violation occurred, it can bring the case before the Merit Systems Protection Board. The penalties for a Hatch Act violation can include removal from federal service, a reduction in grade, debarment from federal employment for up to five years, suspension, reprimand or a civil penalty of up to $1,000.

But OSC itself has also been at the center of the Trump administration’s efforts to rein in independent agencies. Trump earlier this year fired Special Counsel Hampton Dellinger with no explanation, drawing a short-lived legal battle.

And Trump’s nominee to replace Dellinger recently withdrew from consideration after offensive text messages came to light.

Jamieson Greer, the United States Trade Representative, is currently dual-hatted as acting Special Counsel.

“In the past, the Office of Special Counsel has been very thorough in releasing opinions that give clear guidance on what activities are or are not violations of the Hatch Act,” Payne said. “But we’re not clear whether or not this agency will do that this time.”


OMB reverses course on defunding CIGIE

The Office of Management and Budget has released some funding for the Council of the Inspectors General on Integrity and Efficiency, after an earlier decision to effectively defund CIGIE led to the shuttering of multiple Office of Inspector General websites.

OMB apportioned just under $4.3 million for CIGIE, according to an announcement from Sens. Chuck Grassley (R-Iowa) and Susan Collins (R-Maine). The pair of senators had pushed OMB to release funding for CIGIE and the Pandemic Response Accountability Committee.

“We are pleased that following our continued outreach, OMB is releasing the funding that Congress provided for CIGIE to continue its vital work,” Grassley and Collins said. “This action, building on OMB’s earlier decision to release funding for PRAC, ensures that these important oversight entities can remain focused on delivering the accountability American taxpayers deserve. Our oversight of the administration’s actions, and CIGIE’s work, will continue.”

Grassley and Collins added that the funding will last CIGIE through Jan. 30. OMB is also conducting a “programmatic review of CIGIE’s activities,” they said.

OMB did not immediately respond to a request for comment. The Washington Post first reported on the funding decision.

In late September, OMB decided not to apportion funding for CIGIE in fiscal 2026, despite funds being available through the shutdown. Tammy Hull, the acting chairwoman of CIGIE, informed lawmakers of OMB’s decision, warning that the shuttering of the council would “result in the loss of shared services and cost-efficiencies” that support 72 offices of inspectors general across government.

On Oct. 1, multiple agency IG websites went offline due to the funding decision. CIGIE provides hotline capability and website services for 28 OIGs through Oversight.gov.

As of Tuesday afternoon, Oversight.gov was back online after being down for nearly seven weeks.

Congress created CIGIE in 2008 to professionalize the IG community. In addition to providing web and hotline services, CIGIE also conducts training, develops quality standards, and serves as an accountability function within the OIG community through its Integrity Committee.

But Trump administration officials have accused IGs of corruption, without offering evidence.

“Inspectors general are meant to be impartial watchdogs identifying waste and corruption on behalf of the American people,” OMB spokesman Armen Tooloee said in September regarding the original decision to defund CIGIE. “Unfortunately, they have become corrupt, partisan, and in some cases, have lied to the public. The American people will no longer be funding this corruption.”

President Donald Trump fired 17 IGs at the outset of his second term, in a move a federal judge later ruled to be illegal because he didn’t provide the required notification to Congress.

CIGIE in the recent past has also drawn the ire of conservative groups that view it as part of the “administrative state.” In a 2023 lawsuit, lawyers for Department of Homeland Security Inspector General Joseph Cuffari argued that CIGIE’s Integrity Committee was “a threat to the Constitution.” The Integrity Committee was investigating Cuffari’s actions as IG, including his handling of a review into deleted Secret Service texts from the Jan. 6, 2021 Capitol riot.


FCC to vote on reversing cyber rules adopted after Salt Typhoon hack

The Federal Communications Commission is set this week to vote on reversing cybersecurity rules for telecommunications providers that were put forward following the sweeping “Salt Typhoon” hacks.

The FCC’s meeting on Thursday includes plans to consider an order to rescind a ruling and proposed rules published in the waning days of the Biden administration. The January ruling requires telecom operators to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act.

But current FCC Chairman Brendan Carr argues that ruling “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”

The proposed order would rescind the January ruling and withdraw proposed cybersecurity rules for telecom operators.

The FCC “should instead continue to pursue an agile and collaborative approach to cybersecurity through federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement,” according to a factsheet on the order of reconsideration.

‘Worst’ hack ever

The Salt Typhoon campaign was revealed in 2024. It involved intrusions into U.S. telecom networks and others across the globe. The hackers were reportedly able to target the communications of political figures and government officials, including then-candidate Donald Trump and running mate JD Vance.

U.S. officials have said Chinese-government sponsored hackers are behind the campaign. Senate Intelligence Committee Ranking Member Mark Warner (D-Va.) has described it as “the worst telecommunications hack in our nation’s history.”

The Cybersecurity and Infrastructure Security Agency has since said the Salt Typhoon campaign overlapped with global threat activities targeting multiple sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks.

“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” CISA wrote in a September advisory. “These actors often modify routers to maintain persistent, long-term access to networks.”

In rolling out the January rules, Biden administration officials argued they represented a “critical step to require U.S. telecoms to improve cybersecurity to meet today’s nation state threats, including those from China’s well-resourced and sophisticated offensive cyber program.”

However, the FCC’s current leadership says the rules misinterpreted the law and “unnecessarily raised and purported to resolve issues that were not appropriate for consideration in the absence of public input.” The FCC’s factsheet also references the commission’s “recent engagement with providers and their agreement to take extensive steps to protect national security interests.”

In an October letter to the FCC, lawyers representing several telecom associations argued that the January ruling “would significantly undermine” public-private partnerships. They argued that telecom providers had voluntarily collaborated with federal agencies to investigate Salt Typhoon and adopted stronger cybersecurity measures.

Warner and Sen. Ron Wyden (D-Ore.) are also pressing the Department of Homeland Security to release an unclassified 2022 report on security vulnerabilities in the U.S. telecom sector. They argue that by not releasing the report, DHS is undermining public debate over how to best secure telecom networks in the wake of Salt Typhoon.

“The Salt Typhoon compromise represents one of the most serious espionage campaigns against the communications of U.S. government leaders in history, and highlighted important gaps in our nation’s communications security – in some cases, with providers ignoring basic security precautions such as credential re-use across network appliances and failure to adopt multi-factor authentication for highly privileged network administrator accounts,” Warner and Wyden wrote in a recent letter to DHS and the Office of the Director of National Intelligence.

Meanwhile, the House on Monday passed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act.” The bill would establish a joint interagency task force to address China-linked cyber threats, including Salt Typhoon. The task force would be led by CISA, with involvement from the Justice Department, the FBI and several sector-risk management agencies.


DHS announces $10K shutdown bonuses for some TSA officers

The Department of Homeland Security is giving $10,000 bonuses to transportation security officers who demonstrated “exemplary service” through the government shutdown.

Homeland Security Secretary Kristi Noem announced the bonuses during a press conference in Houston, Texas, today. She highlighted the “tens of thousands of individuals who stepped up and continued to serve” at the Transportation Security Administration despite receiving no pay through the 43-day shutdown.

Asked whether she was referring to those who did not call out sick or stay home, Noem said, “that’s not necessarily the parameters.”

“We’re going to look at every individual that did exceptional service during this period of time when there were so many hardships,” Noem said.

DHS did not immediately respond to questions about who qualifies for the bonuses. TSA employs approximately 50,000 transportation security officers, meaning a bonus for every officer would cost roughly $500 million.

In a press release, DHS said it’s paying for the bonuses using carryover funds from fiscal 2025.

Disruptions to air travel began to grow in the final weeks of the shutdown. Security lines began to grow longer as some TSA officers called out. Meanwhile, flight delays and cancellations grew as air traffic controllers at the Federal Aviation Administration began calling out of work amid multiple missed paychecks.

Noem’s announcement comes after a Truth Social post by President Donald Trump earlier this week, in which he raged at air traffic controllers who took time off during the shutdown. Trump also announced $10,000 bonuses for controllers who “didn’t take any time off for the ‘Democrat Shutdown Hoax.’”

Transportation Secretary Sean Duffy said he agreed with Trump’s idea for a $10,000 bonus for air traffic controllers who had no missed days of work. But Duffy also offered a reprieve for some employees who missed days during the shutdown.

“We have some controllers who were put in a very difficult position,” Duffy told a Wisconsin TV station on Tuesday. “They’re young. They don’t make a lot of money when they first start out. They can make some good money later in their careers, but when they start out, they’re not making a lot. They may be the sole source of income, and they were confronted with a real problem.”

However, Duffy also vowed to target “continual bad actors” during the shutdown.

“If they started to take time off because the shutdown was an excuse for them, we’ll take a look at those people, and we’ll work with the union and see what an appropriate response from the FAA will be,” he said.


Congress extends CISA 2015, but path to long-term reauthorization remains murky

Congress has temporarily extended a landmark cyber information sharing law, but industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution.

The continuing resolution signed into law Wednesday night extends the provisions of the Cybersecurity Information Sharing Act of 2015 through the end of January. The law had expired Oct. 1.

CISA 2015 provides privacy and liability protections to encourage companies to share data about cyber vulnerabilities and threats. Cybersecurity leaders say those protections provide a critical underpinning to facilitate collaboration across government and industry.

Despite the temporary reprieve, the path forward for a long-term CISA 2015 extension in Congress remains unclear, with divergent reauthorization bills in the House and the Senate.

The White House has called for a “clean” 10-year reauthorization of CISA 2015. But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has opposed efforts to move forward such a bill in the Senate.

The long-term extension of the information sharing law, meanwhile, remains a chief concern for the technology industry.

Mike Flynn, senior vice president of government affairs for the Information Technology Industry Council, called the short-term extension “a step in the right direction.”

“Without a long-term CISA 2015 fix, cybersecurity stakeholders will continue to face uncertainty and questions that will undermine the network of information-sharing organizations and programs that have been built over the last decade,” Flynn said in a statement.

Henry Young, senior director of policy at BSA The Software Alliance, said he hopes to see a “sense of urgency” in Congress to extend the law long term.

“While we’re pleased that the law is hopefully going to be extended, we remain concerned that if the CR lapses, we’ll return to a world where cybersecurity information sharing is slowed or stopped, and that really leaves everyone at risk,” Young told Federal News Network.

CISA 2015 lapses

When the law lapsed Oct. 1, some cyber policy experts worried industry would stop sharing information about cyber threats affecting their products or networks.

But Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said information sharing between government and industry was “holding steady” through the end of October.

The cooperation “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” Andersen told reporters at the Palo Alto Networks public sector conference in Tysons Corner, Va., on Oct. 30.

“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen added.

While companies continued to share information during the lapse, Young said the process slowed down.

“It started to slowly reintroduce the legal review into each one of these individual decisions, which isn’t going to necessarily stop all information sharing, but is going to slow it, and it also might reduce it in increments,” Young said.

“People wanted to work together and continue to share information, and they did, to some extent, but it also created more risk for them to do,” he added.

Cynthia Kaiser, former deputy director of the FBI’s cyber division and now senior vice president of Halcyon’s Ransomware Research Center, said the lapse showed the need for a long-term solution to reauthorizing the law.

“It’s critical that protecting cybersecurity information sharing is considered a priority in Congress upon the government’s reopening in order to maintain a strong national security posture,” Kaiser said.

Debate in Congress

While Congress has just over two months to extend the law, the path forward for reauthorization remains murky.

In September, the House Homeland Security Committee passed the Widespread Information Management for the Welfare of Infrastructure and Government Act. The bill was led by Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).

Garbarino’s bill would extend the CISA 2015 protections for another 10 years, while updating definitions to account for advances in artificial intelligence. It would also require the Department of Homeland Security to improve its outreach on emerging cyber threats.

In a statement released after the House passed the CR, Garbarino called for reauthorizing multiple expired DHS authorities, including CISA 2015.

“With the federal government reopening, I look forward to continuing this Committee’s important work alongside our colleagues in both the House and Senate to find long-term solutions for reauthorizing these vital DHS authorities, bolster our nation’s cyber defenses, maintain President Trump’s secure borders, and ensure the safety of America’s skies and the traveling public,” Garbarino said.

It’s unclear, however, if and when Garbarino’s bill will be called for a vote on the House floor.

In the Senate, meanwhile, Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-Mich.) and Sen. Mike Rounds (R-S.D.) have put forward a bill that would extend CISA 2015 for an additional 10 years without modifying the provisions in the law.

“This short-term extension is an important stopgap, but it is set to expire in just two months unless we pass bipartisan legislation to provide more long-term certainty,” Peters said in a statement. “That’s why I’m pushing to pass my Protecting America from Cyber Threats Act with Senator Rounds, which would renew these critical protections for a full decade so that companies know they can count on them in the event of a cyberattack.”

A HSGAC aide said Peters “remains committed to getting this across the finish line and will continue working with colleagues across the aisle to make sure these protections are fully restored.”

However, Paul has blocked efforts to pass a “clean” CISA 2015 extension. He has pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.

Paul has said the agency’s work in that area infringed on free speech rights. Cyber experts counter that reauthorizing the CISA 2015 law has nothing to do with the agency’s disinformation work, although the cyber agency does rely on the law to undergird its collaboration with industry on cyber threats.

Officials have also lamented that the information-sharing law and the cyber agency share a name, which has muddied the waters in the debate over reauthorizing the law.

“They happen to share that same acronym, which is a fluke,” White House National Cyber Director Sean Cairncross said at the Palo Alto Networks conference last month.

A key question is whether the White House will throw its weight more forcefully behind any congressional efforts to reauthorize the law. In public comments, Trump administration officials have advocated for a 10-year reauthorization without further modifications to the law.

“It’s a common-sense law,” Cairncross said. “The White House is pushing for a 10-year, clean reauthorization of this authority. It’s something that we want to see done. It’s important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that’s vital.”

The post Congress extends CISA 2015, but path to long-term reauthorization remains murky first appeared on Federal News Network.


How CyberCorps scholars are navigating a fractured federal job landscape

The longstanding CyberCorps program is at a crossroads, as scholars struggle to find internships, jobs and support during the Trump administration’s governmentwide hiring freeze.

The CyberCorps: Scholarship for Service program is funded by the National Science Foundation and administered through the Office of Personnel Management. The program provides scholarships for up to three years to support an undergraduate or graduate student. In return, CyberCorps students agree to serve in government for a period of time equal to their scholarship.

The program has provided federal agencies with a steady pipeline of much-needed cyber talent since it was established in 2000.

But this year, CyberCorps scholars are struggling to find any open opportunities after the Trump administration instituted a governmentwide hiring freeze for most positions in February. The White House recently extended that freeze indefinitely.

Some CyberCorps scholars had received tentative job or internship offers that were revoked or paused with little explanation. Cyber-related opportunities at federal agencies have largely dried up, especially for entry-level positions, amid the hiring freeze and downsizing at agencies like the Cybersecurity and Infrastructure Security Agency.

Several students are now staring down the possibility of having to pay back their scholarships if they can’t find qualified work. CyberCorps participants are typically required to start a qualifying job within 18 months of graduating.

More than 250 current students and CyberCorps alumni have now organized to share information among themselves and press the administration for answers on the future of the program and their job prospects, according to multiple scholars involved in the group. Multiple scholars said that OPM has had little communication with them about the major changes in the federal hiring landscape.

“Many scholars feel we are being strong-armed into unwillingly owing the government hundreds of thousands of dollars for failing to find work with them, when the government is the one cutting jobs, slashing budgets, and eliminating roles we were intended to fill,” one student told Federal News Network.

In a statement, OPM Director Scott Kupor said “bringing top cybersecurity and AI talent into the federal government is critical to our national security.”

“OPM is committed to the success of SFS and is working closely with the National Science Foundation to ensure CyberCorps participants are supported during this challenging time,” Kupor said. “Once the shutdown ends, we will issue guidance to agencies encouraging them to fully leverage the program to bring these highly skilled professionals into public service.”

A spokeswoman for OPM added that “no scholars have been sent to repayment.”

“After the shutdown ends, OPM will collaborate with NSF on a mass deferment to give graduates more time to secure qualifying positions and further guidance to encourage agencies to make use of the SFS program for their hiring needs,” the spokeswoman said.

But CyberCorps scholars say they have a lot of questions about the plan for deferring their post-scholarship employment requirements, given that few federal jobs are available beyond those geared toward immigration enforcement and other Trump administration priorities.

Federal News Network spoke with five CyberCorps scholars about their experience with the program and the challenges they’ve encountered this year. They were granted anonymity because they fear retaliation for speaking out.

Scholar 1 is graduating with a master’s degree in 2026; Scholar 2 is graduating with a bachelor’s degree in December 2025; Scholar 3 is graduating with a master’s degree in December 2025; Scholar 4 graduated in May 2024 with a cybersecurity degree; and Scholar 5 is graduating with a master’s degree in August 2026.

(These conversations were edited for length and clarity.)

FNN: Why did you join CyberCorps, and what do you hope to do as far as government service?

Scholar 1: “The principal investigator of CyberCorps at my school told me about CyberCorps while I was finishing my undergrad degree. I wanted to pursue cybersecurity and data privacy. My PI pitched it to me as, get a free degree and get excellent work experience, and actually do stuff I think is valuable, rather than just working in industry. . . .

I wanted to work with CISA. I’m really interested in critical infrastructure and passionate about securing rural infrastructure, making people conscious of cybersecurity and how it affects them.”

Scholar 2: “I have experience working with the government. I served in the Air National Guard in a technical role. . . . I also had the opportunity to work in an internship with the federal government, and that’s when I discovered programs like CyberCorps.

Having that familiarity with the hands-on experience inspires me and encourages me to keep learning . . . I’m not specifically interested in any particular agency, but anywhere there’s an opportunity in the federal government . . . more or less keeping the bad guys out. I view it as a puzzle.”

Scholar 3: “I chose my entire university based on this scholarship. . . . I’ve been looking for ways to break into cybersecurity for a few years. The CyberCorps program was heavily recommended online. And I also had relatives who worked in government. I just wanted to give back to my community.

I worked an internship at CISA in the summer of 2024. . . . I wanted to work at CISA. I had verbal offers to come back. In my internship, I got full marks. . . . I wanted to find work in protecting critical infrastructure and just wanted to serve my country.”

Scholar 4: “For me it was a chance to serve my country outside of active duty service. I was consistently encouraged to apply by another military-affiliated student. . . I did research while I was in the program. I’m interested in secure software engineering and embedded systems security. I appreciate the ability to blend two different fields together.

I went in with the mindset of, I’m going to be open to all the possibilities that are coming my way. I didn’t want to pigeonhole myself with a specific agency. I wanted to get an interview with an agency and see how their culture worked. I was open to computer science roles, as well as cybersecurity roles.”

Scholar 5: “Initially, I had entered college with medical school in mind. . . . Ultimately, I was able to finish a bachelor’s in computer science, and helping people was still at the forefront of my mind. At the end of the day, that’s why I joined CyberCorps – I thought it would be a gateway to a fulfilling, lifelong career in public service.

I’ve had my eyes set on a position with the Air Force Civilian Service. To me, there isn’t a job in this field that would be more meaningful than working alongside our troops to protect American interests.”

FNN: What challenges have you encountered with the CyberCorps program over the past year?

Scholar 1: “I had interviews with CISA and MITRE for internships. . . . Everything was looking fantastic from my perspective. This all happened prior to the January 2025 job fair. That was the first week of January, right before the inauguration.

Afterward, there was no contact. Most of my applications and things I had applied for, they still say it’s in processing or being reviewed. They haven’t been rejected. They’ve been permanently paused.”

(OPM in a recent email told CyberCorps scholars to “get creative” with their job search.)

Scholar 1: “The NSF doesn’t really communicate. It’s mostly through OPM – they just said keep trying, keep looking. They’ve even encouraged us to look out for non-federal agencies. In the ‘get creative’ email, they specifically say to widen our search to state and local governments and nonprofits, when just months prior, they were all but forbidding us from doing that.”

Scholar 2: “Everybody is suffering, because not only are there barely any jobs … but if there are any, we now have to compete with people who are displaced from the shutdown or got let go. All that has made it hard.

It’s very sad to me, because when people are curious about this program, I’m telling them to not do it, because I don’t want to feel like I’m screwing them over by having them sign a contract and then if they can’t find a job, they’re on the hook for hundreds of thousands of dollars in debt.”

Scholar 3: “Getting any kind of response at all has been difficult, even before the government shutdown. When the hiring freeze went into action, the 250 to 300 of us now in the same situation couldn’t get any responses. We were emailing OPM and SFS – we either got no response, or a response that said, ‘get scrappy.’

I got two tentative offers. I had the first offer come in just before the freeze, and I accepted it. When the freeze started, my would-be supervisor at CISA said, ‘Hey, hold on.’ . . . But then the supervisor told me they were probably leaving CISA. The other offer was with another agency. That tentative offer is still there, for an internship last summer.”

Scholar 4: “I had been proactive in securing two tentative job offers before I graduated. I made my choice and got started on the clearance process as soon as I could. . . . I kept checking in with the agency for updates. When I asked for guidance on the timeline with OPM, they told me it could take up to a year. . . . I was told by the sponsoring agency that they wouldn’t send a firm job offer or interim until my clearance was fully determined.

Around January of this year, they ceased all communications with me.”

Scholar 5: “Communication has been infrequent, lackluster and untimely. . . . Historically, OPM has not allowed private internships to count towards our summer internship requirement. They decided to bend the rules this summer. Sounds great, but my cohort wasn’t informed until late spring. By that time, it was entirely too late to secure an internship with a private company for that summer.”

FNN: How have those challenges changed your career outlook and view of public service? And with OPM recently announcing plans for a ‘mass deferment’ of SFS deadlines, what questions or concerns do you continue to have about the future of CyberCorps and your prospects for finding approved work after graduation?

Scholar 1: “We appreciate the rapid response, especially in light of the shutdown, and are thankful for the first piece of substantial information that’s come out of the SFS office in months. Although we are grateful for the acknowledgement from OPM, their statement has still left hundreds of people concerned about their future. Post-shutdown deferments will do little to help our situation – our biggest blocker is the crusade against federal hiring and public sector cybersecurity overall. We have legitimate concerns and reservations that are validated by the lack of communication and support that’s been received over the past ten months. Thank you for the response. Please, let’s keep this conversation going.”

Scholar 2: “We would be more comfortable if there were more flexibility. There are a lot more opportunities working the same role, but as a private contractor working for the government. In the past, they’d say no, you can’t be a private contractor. They’d want you to be a federal employee. But with the job freeze, it feels like that’s the only way.

If there are no jobs, they’re not upholding their end of the contract. . . The general consensus is that there needs to be more transparency. We just want to have a simple conversation with OPM to see what they can do, not just with the deferment but with flexibility.”

Scholar 3: “We should be doing everything we can to encourage and attract talent. I’ve met some of the smartest people I had ever met in my life through this program, who don’t know what to do and are looking at going private rather than doing what they originally intended.”

(Federal job applications now include essay questions asking how candidates would “advance the President’s executive orders and policy priorities.” Federal employee unions are suing the Trump administration over those questions.)

Scholar 3: “I used to say I don’t care what administration I serve. I wanted to serve my neighbors. But these questions aren’t framed around serving the country. It’s serving a person.

I saw one role I wanted to apply to two weeks ago. When I saw those loyalty questions, I sat there and thought, I don’t have the ability to go through this right now. I didn’t want to put that on my plate.”

Scholar 4: “The first question a lot of us would have is, what’s the time frame? How much time are they actually allotting us? Even if we’re given additional time, if I can’t get a clearance or we get another freeze and they’re not able to process that, it further puts a halt on this process, and I’m left in the same situation.

Even once you secure a job, you have to maintain the job. That goes for a new hire when you’re in the probation period, assuming you don’t get laid off then. I think it just puts additional stress and strain on us mentally.

I don’t think people are considering that factor and OPM hasn’t provided any true reassurance.”

Scholar 5: “I have now started the process of commissioning as an officer with the Navy. My family worries that I’m choosing this path because I feel like I have no other way out — and truthfully, it’s hard for me to parse through my own thoughts on the matter; however, I am choosing to remain excited about the prospect.”

The post How CyberCorps scholars are navigating a fractured federal job landscape first appeared on Federal News Network.


Feds navigate rules for gig work, side hustles amid shutdown

Federal employees are picking up flexible gig jobs and investing more time in their side hustle to help make ends meet through the longest government shutdown on record.

And with many missing their second full paycheck this week, more feds are likely to explore backup sources of income while navigating a patchwork of rules that govern outside work for federal employees.

Federal employees are generally allowed to accept outside employment, so long as the job doesn’t conflict with their official position. The Office of Government Ethics maintains general standards on outside activities for federal employees. OGE has also published guidance specific to employees who are in non-pay status during a shutdown.

But each agency also has its own rules and processes for staff seeking outside employment. Most agencies advise employees to consult with an agency ethics officer before taking a second job.

“What it comes down to is that you can’t work for anybody that does any business with your agency, that wants to do business with your agency, that’s regulated by your agency, that has interests that might be affected by what your agency does, or in particular, what you do,” Erik Snyder, a federal employment attorney, told Federal News Network.

“The safest thing to do is to ask your ethics officer what is and what is not OK,” he added.

But ethics officials may also be furloughed during the shutdown, making it difficult to clear an outside job in advance. The Defense Department’s furlough guidance advises employees to consult with their agencies on any outside jobs once the shutdown is over.

“Once employees return to their federal employment, they should consult with agency ethics officials to discuss whether their outside employment during the lapse would require them not to work on matters involving their former employer for a period of one year,” the DoD guidance states. “If an employee is going to continue outside employment after returning to federal service, it is vital that the employee meet with an ethics official to ensure that the outside employment does not create a conflicting interest with the employee’s federal duties.”

Still, most rank-and-file employees are unlikely to run afoul of ethics rules by, for instance, taking a second job driving for Uber or pet sitting on Rover. The job site Indeed Flex surveyed 1,000 U.S. adults impacted by the shutdown last month and found 30% are using gig app platforms to quickly make money.

Even excepted employees, such as air traffic controllers, have started exploring gig work during their off-hours.

“People are finding they’re having to supplement their income by any means necessary, and what flexible work does, what these gig apps do, it allows people to maintain their full-time job, but be able to pick up gigs, pick up work that fits around their work life schedules to enable them to earn more money,” Novo Constare, CEO and co-founder of Indeed Flex, told The Federal Drive with Terry Gerton in a recent interview.

Meanwhile, 43% of those surveyed by Indeed Flex said they were seeking remote or freelance opportunities, while 30% are looking for administrative, clerical, customer service, or call center work.

“They were looking for flexible work that suited or matched their current skill set,” Constare said.

Some furloughed feds have also delved into side projects during the shutdown. A furloughed IRS attorney, for instance, had intended to run a hot dog cart on the weekends. But once the shutdown hit, he took it full time.

But even passion projects come with ethics rules. A DoD official, who for years has run a craft business during nights and weekends, described the detailed financial disclosure requirements and ethics training that comes with a side hustle. Senior government officials are subject to more rigorous requirements and restrictions around outside employment.

“They take it very seriously,” the official, who requested anonymity, told Federal News Network.

While hot dog carts and wood crafting are unlikely to trip ethics restrictions, feds should be more careful about side hustles that are more closely related to their official job duties. For instance, some furloughed feds may be exploring doing consulting in their area of expertise.

Michael Fallings, managing partner at law firm Tully Rinckey, said there isn’t any blanket prohibition on such work. But feds should be mindful of any potential conflicts of interest.

“If you’re an attorney representing the government, and you start a business representing individuals that may compete against the government, then that could be a conflict,” Fallings said. “It could be allowable. It does depend on what the nature of the second business or the consulting is, but it’s always best to disclose that to your employer, rather than the employer finding out after the fact.”

The post Feds navigate rules for gig work, side hustles amid shutdown first appeared on Federal News Network.


Lawmakers ramp up scrutiny of ICE oversight staff furloughs

Democrats in Congress are pressing Immigration and Customs Enforcement to restore oversight staff who were furloughed at the start of the government shutdown.

In a Nov. 6 letter to Homeland Security Secretary Kristi Noem, the lawmakers said that staff at the Office of Detention Oversight are crucial to ensuring safety at ICE detention centers. Staff at ODO were furloughed at the outset of the shutdown.

“Without ODO staff actively performing these duties, there is a heightened risk that detention facilities fail to meet required standards, compromising detainee safety, access to medical care, and legal protections,” the lawmakers wrote to Noem.

The lawmakers also point out that the Department of Homeland Security’s shutdown contingency plan includes exceptions for the safety of human life and protection of property.

“This is not hypothetical – ICE has publicly reported that at least twenty people have died in its custody since January,” they added.

The letter points to reports of overcrowding and other unsafe conditions at ICE detention facilities, as immigration enforcement operations have continued through the shutdown.

“Given these developments, we are deeply concerned about the health and safety of detainees and staff at ICE facilities during the ongoing lapse in appropriations,” the letter states. “The decision to furlough the entire ODO is a clear attempt to sabotage oversight into the conditions of ICE facilities and the wellbeing of detainees.”

The letter was led by Rep. James Walkinshaw (D-Va.) and also signed by Sen. Mark Warner (D-Va.) and Reps. Don Beyer (D-Va.) and Suhas Subramanyam (D-Va.).

In a separate Oct. 31 letter to Noem and acting ICE Director Todd Lyons, Rep. Maxine Dexter (D-Ore.) pointed out that ICE furloughed ODO staff despite receiving an influx of funding under the One Big Beautiful Bill Act.

“I recognize that certain nonessential functions must pause during a lapse in appropriations,” Dexter wrote. “However, a lack of funding cannot be used as justification to strip away any measure of accountability. To safeguard the health, safety, and dignity of my constituents, I urge you to reinstate necessary staff for the Office of Detention Oversight, immediately restore communication channels between ICE and congressional offices, and ensure Members of Congress have access to all ICE facilities.”

In an Oct. 17 letter, Rep. Raja Krishnamoorthi (D-Ill.) said DHS furloughing ODO employees while retaining all press and communications staffers raises “serious questions about the department’s priorities during this shutdown.”

“ODO’s inspectors are responsible for ensuring that facilities meet federal health, safety, and humane treatment standards,” Krishnamoorthi wrote. “With detention levels now among the highest in more than a decade, suspending this critical oversight function while enforcement operations proceed uninterrupted is indefensible and represents a profound failure of priorities.”

The ODO furloughs come as the number of ICE detainees reaches record highs. As of Sept. 21, there were nearly 60,000 people in ICE custody.

ODO was created in 2009 to inspect ICE detention facilities. The office conducts a separate set of inspections independent from inspections run by ICE Enforcement and Removal Operations’ Custody Management Division.

The furloughs at ODO come after DHS also fired most staff at several oversight offices earlier this year.

The reductions-in-force at those offices – the Office for Civil Rights and Civil Liberties, the Office of the Immigration Detention Ombudsman, and the Office of the Citizenship and Immigration Services Ombudsman – are now at issue in an ongoing lawsuit.

The post Lawmakers ramp up scrutiny of ICE oversight staff furloughs first appeared on Federal News Network.
