
Lawmakers press acting CISA director on workforce reductions

The Cybersecurity and Infrastructure Security Agency’s acting director testified that CISA is “getting back on mission,” but he provided few specifics after the agency lost nearly a third of its staff over the past year.

Acting Director Madhu Gottumukkala testified in front of the House Homeland Security Committee on Wednesday. Asked by Chairman Andrew Garbarino (R-N.Y.) about reports of plans for a reorganization at CISA, Gottumukkala said there are no plans to reorganize the cyber agency.

“We do have a lot of changes in the last year, but we have not planned any organizational changes,” Gottumukkala said. “But we are continuing to look at how we rescope our existing work that we have so that we can get back on our mission of protecting the critical infrastructure. And if there is any organizational changes, I will assure that we will communicate with you.”

CISA has gone from roughly 3,400 staff at the start of last year to 2,400 employees at the end of December. Most of those who left departed under the Trump administration’s workforce reduction programs, and many left government service earlier than planned amid uncertainty about the agency’s direction.

Gottumukkala is leading CISA as the Senate has yet to approve Sean Plankey to serve as director. During Wednesday’s hearing, Gottumukkala declined to provide details on recent reports that he failed a polygraph exam needed to access a sensitive cyber program and that he had worked to oust CISA’s chief information officer.

Gottumukkala also said multiple times that CISA was “getting back on mission.” But he said little about what the agency was doing differently with markedly less staff.

“The way we are supporting back on mission is to make sure that we are protecting our critical infrastructure from physical and cyber threats, and our divisions are properly equipped, and we are making sure that we are aligning our existing resources,” he said.

Asked by Ranking Member Bennie Thompson (D-Miss.) about potential vacancies at CISA after the mass wave of departures, Gottumukkala said, “we have the required staff that is supporting the mission we do.”

Thompson said that was contrary to a November memo CISA shared with the committee. Lawmakers are advancing a homeland security spending bill that would provide CISA with funding to fill some “critical” positions. It would also stipulate that CISA “not reduce staffing in such a way that it lacks sufficient staff to effectively carry out its statutory missions.”

Gottumukkala was also asked by Rep. Tony Gonzales (R-Texas) how many cyber intrusions CISA expects from foreign adversaries as part of the 2026 midterm elections.

“We look at it as incident by incident, and we look at what the risks are. I don’t have a specific number in mind,” Gottumukkala said.

“Well, we should have that number,” Gonzales shot back. “It should first start by how many intrusions that we had last midterm and the midterm before that. I don’t want to wait. I don’t want us waiting until after the fact to be able to go, ‘Yeah, we got it wrong, and it turns out our adversaries influenced our election to that point.’”

CISA’s budget request for fiscal 2026 would eliminate its election security program. But the appropriations agreement released this week would continue funding CISA’s election security work.

Rep. James Walkinshaw (D-Va.) pressed Gottumukkala on whether CISA had analyzed if it could meet its mission with current staffing levels.

“The work that we do is mission focused, which means capability is measured by outcomes, not headcount,” Gottumukkala said.

Walkinshaw also asked about threats to state and local governments after CISA pulled funding for the Multi-State Information Sharing and Analysis Center in September. But Gottumukkala didn’t address the question head on, frustrating the Virginia lawmaker.

“You’ve managed to answer none of my questions. You haven’t answered a single question. But thank you for coming,” Walkinshaw said.

The post Lawmakers press acting CISA director on workforce reductions first appeared on Federal News Network.


DHS spending bill bolsters staffing at CISA, FEMA, Secret Service

Lawmakers are moving to extend key cybersecurity information authorities and grant programs, while also providing funds for the Cybersecurity and Infrastructure Security Agency to fill “critical” positions.

The “minibus” appropriations agreement released by House and Senate negotiators on Tuesday includes fiscal 2026 funding for the Department of Homeland Security. DHS funding could be a sticking point in moving the bill forward, as some Democrats want more restrictions around the Trump administration’s immigration enforcement operations.

The bill also extends the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the State and Local Cybersecurity Grant Program through the end of fiscal 2026. Both laws are set to expire at the end of this month.

The extension would give lawmakers more time to work out differences between competing versions of CISA 2015 reauthorizations in the House and Senate.

Ross Nodurft, executive director of the Alliance for Digital Innovation, also applauded the extension of the Technology Modernization Fund included in the minibus.

“Reauthorizing the Technology Modernization Fund and the State and Local Cyber Grant Program for the rest of the fiscal year allows the government to invest money in new technology modernization and cyber security projects at the federal and state level while we work on more permanent, longer term reauthorizations and funding,” Nodurft said. “I am encouraged to see Congress put forward these stop gap measures and will continue to work with members to reauthorize these critical programs beyond 2026.”

CISA funding

The bill would cut CISA’s funding, setting its fiscal 2026 level at $2.6 billion, about $300 million below its current annual budget.

That is a smaller reduction than the roughly $500 million cut the Trump administration proposed, but it comes after CISA has already seen steep workforce cuts and program reductions under the administration.

The appropriations agreement would specifically provide $20 million for CISA to hire additional staff to “critical positions,” according to the joint explanatory statement on the DHS appropriations measure.

That funding would be evenly split across five CISA programs: Threat Hunting; Vulnerability Management; Continuous Diagnostics and Mitigation; Security Programs; and Security Advisors.

The bill would also require CISA to “not reduce staffing in such a way that it lacks sufficient staff to effectively carry out its statutory missions.” Both Democrats and Republicans have expressed concerns about CISA losing roughly one-third of its staff over the past year.

Secret Service burnout

Appropriators are also taking aim at burnout within the Secret Service’s ranks. The funding measure provides $3.3 billion for the Secret Service as it embarks on a major recruiting initiative over the next two years.

That total would allow the Secret Service to “maintain ‘zero-fail’ mission by funding aggressive recruitment and retention to eliminate officer burnout, while modernizing high-tech training facilities and armored fleets to stay ahead of evolving threats to our nation’s leaders,” according to a DHS spending bill summary provided by Senate appropriators.

The bill includes an increase of $46 million for Secret Service hiring in fiscal 2026. It also provides the agency with advance funding to prepare for the 2028 Olympic and Paralympic Games in Los Angeles.

But appropriators also want updates on the Secret Service’s recruitment and retention efforts. The explanatory statement directs the agency to provide briefings on its employee resiliency program and on its hiring projections.

“The briefing shall also include ongoing efforts to decrease the time to hire and increase yield rates from applicants to hires, as well as the impact that these hiring efforts will have on overtime costs,” lawmakers wrote.

FEMA staffing

The spending agreement also includes a “rejection” of staffing cuts made at the Federal Emergency Management Agency in fiscal 2025, according to the joint explanatory statement. The bill would provide $32 billion for FEMA, including $26.4 billion for the Disaster Relief Fund.

FEMA lost more than 2,000 employees to workforce reduction programs last year. And the agency has undertaken further staff reductions by not renewing Cadre of On-Call Response/Recovery Employees (CORE) in recent weeks. FEMA headquarters officials have also contemplated cuts totaling up to 50% of its workforce as part of a planning exercise shared with agency leaders in December.

Now, appropriators want FEMA to provide monthly briefings on the agency’s staffing levels and workload requirements.

“Such briefings shall also include projected staffing levels for the remainder of the fiscal year in light of the agreement’s rejection of the position reductions implemented in fiscal year 2025,” the joint explanatory statement reads.

The bill also requires FEMA to maintain staff “necessary to fulfill the missions” required of the agency by six separate laws and various other authorities. That staffing requirement, lawmakers emphasize, also applies to FEMA reservists and CORE staff.

The Trump administration has moved to shift more emergency management responsibilities to state and local governments. FEMA staffing reductions and policy changes over the last year have sparked concerns that the administration is implementing that plan despite there being no changes in the agency’s lawful responsibilities.

The post DHS spending bill bolsters staffing at CISA, FEMA, Secret Service first appeared on Federal News Network.


FEMA team members in Martin County, Florida, canvas with local residents to help register them for assistance and help disaster survivors after Hurricane Milton. (Photo source: FEMA/Patrick Moore)

Why agencies still use polygraphs and what a recent failure means for trust and reform

20 January 2026 at 16:35

Interview transcript: 

Terry Gerton There’s been a lot of controversy around polygraphs in government over the past few months. So let’s start with some of the basics. Why do agencies like CISA and DoD continue to rely on polygraphs for certain positions?

Dan Meyer So that’s a great starting point. The first thing we have to recognize is that polygraph technology is so questionable that it’s generally not admissible in courts. So as evidence, it’s pretty thin, and that’s been a generational trend. It used to be accepted far more back in the 1930s and 40s than it is now. So we use polygraphs in the United States for counterintelligence. That’s what it’s for, reliability of the workforce. We want to be able to test and employ statements, various questions against some empirical basis of truth. The challenge with the polygraph is that it measures not truth, but physiology. It measures the way the body reacts. And science, over the years, has started to show that women and men, for instance, don’t react the same. They don’t have the same physiology. That’s why we have to do different types of medical research now, because women were traditionally ignored, because we always thought that men were the baseline, and everybody would be the same as men. Well, that turned out not to be true. The same situation exists with polygraphs, and there can be differences across the board which polygraphers can never accept, and they can’t accept because that starts to undermine their position within the professional community. So that’s the challenge, is that it measures physiology and not actual truth or veracity of the individual. At some point we’ll be out of this problem because we’ll have a tool that’s better than the polygraph and I do think that artificial intelligence will create it, but we in the United States use the polygraph to catch spies, other countries don’t. And that’s our only tool we really have. We’re not good at actually doing assessment of human potential from other types of analysis. So we’re stuck with it. It’s the only tool that we’ve got and it’s the one we use. 
And if you’re in the intelligence community or if you are in law enforcement, the chances are you’re going to be under a polygraph at some point in your career, if not your entire career.

Terry Gerton There was a recent controversy around the acting CISA director’s failure of a polygraph test. Can you fill us in a little bit on what went on there?

Dan Meyer I’m not privy to the exact details of his particular case, but the alarming part of that is it was CISA. CISA is the heart of our cyber defense, and for much of the Biden administration, it was under very, very close scrutiny from a variety of congressional oversight authorities. Senator Grassley, at one point, was doing an inquiry. So there were concerns that CISA was being used politically. So on top of those concerns, the Trump administration came in with a commitment to reform it. And then you have this problem. And the problem seems to have developed around two questions. One is, did the individual fail a polygraph? You really don’t fail a polygraph; either there’s a detection or a non-detection. It’s really not like a test you can fail. But he clearly did not pass, to use the vernacular, according to the reports. And then there’s the open question about whether that individual should have been under a polygraph, and there’s this allegation out there in the press that somehow he was set up. And so those are the two concerns there. The second one is kind of unique in that polygraphs are given based on the position and what’s called the criticality of the position. So it’s really about the classification of one’s job that determines whether you get a polygraph. So there really should be no question as to whether a person should have a polygraph or not have a polygraph, so if there was an open question, that should have been elevated to the appropriate authority to decide that. My understanding is that’s the DNI; the DNI is in charge of reliability issues, security clearance issues across the board for the president in her capacity as the DNI, but not as the spymaster in the United States. It’s a collateral duty. That should have been resolved and it should not be at the point now where employees are being accused and somebody who’s now being seen as a victim of a wrongful polygraph process, that’s ugly. We should have never gotten to that point.
That should have been raised and clarified before the polygraph went forward. The second use goes back to my original comment about physiology. People can fail polygraphs for a variety of reasons. There’s the famous guilt-grabber complex, which is that an individual is very at attention in their thoughts, very self-reflective, very self-aware. People who are that way about events in their lives may start to have feelings of guilt. Feelings of guilt can trigger physiology. And sometimes your feeling of guilt that you didn’t feed the cat on time this morning can bleed over into a question when you are asked whether you committed an act of terrorism against the United States. Well, let’s put it this way. If you’re a sociopath, the chances are you’re going to pass a polygraph because the way you’re constructed in your behavioral mental health diagnosis is ideally suited to not triggering the physiology cues that exist for the polygraph. But if you’re a deeply religious person or spiritual person, in the community this is known as the Jewish and Catholic issue. People who are Jewish and Catholic all had a Jewish or a Catholic mother. You were taught to always think you were doing something wrong. I’m laughing because I was raised by a Catholic mother, and so I was always looking at my behavior and always questioning my behavior. That can be a disaster on a polygraph.

Terry Gerton I’m speaking with Dan Meyer, he’s an equity partner at Tully Rinckey. With all of the challenges with the polygraph that you’ve just articulated for us, if an employee or a contractor is facing one for their position, what are the best practices to prepare and protect themselves?

Dan Meyer Okay, so on the big picture, let’s talk about it from the administration perspective. We ought not to have separate rules for separate people about polygraphs; we’ve got to stick with the structure. If the position requires it, it has to be performed. There should not be special exceptions. I know you always want to have special exceptions, but that’s a bad idea. For the individual, the first thing you do is do not watch videos and do not study the polygraph, because you are going to be asked questions that ask you if you did that, and then you’re going to be in the awkward situation of trying to explain whether you adopted countermeasures to make it look like you’re telling the truth when you’re not telling the truth. Do not try to game the polygraph, because if the polygraph has trouble figuring out truth or falsity, it does not have trouble figuring out whether you’re gaming it, and that’s a huge reason why people fail polygraphs. It’s good to retain a law firm to get advice on your security profile to help you understand where your liabilities are and how to accurately report them. The whole key to the security paradigm is you’ve got to be comfortable with the way you resolve the issues in your life so that when you talk to security officials and you talk about those issues, you’re open and candid and there’s a complete and transparent flow of information between those people about that situation. Then you won’t fail the polygraph, then you’re going to do fine on your security review. The challenge we have in American culture at this point in time is everybody thinks you have to withhold information to game the process. Game the process in our commercial lives as consumers, game the process in our private lives as family members. This is an evil that has drifted into American culture, and it really is harmful on the polygraph.
So you’ve got to think through whether you’re open and honest about your life, and you’ve got to incorporate that principle into your job application.

The post Why agencies still use polygraphs and what a recent failure means for trust and reform first appeared on Federal News Network.


Acting CISA Director Pushed to Remove Agency CIO

19 January 2026 at 08:07

The drama at the Cybersecurity and Infrastructure Security Agency is not helpful when it needs to focus on defending networks and infrastructure.

The post Acting CISA Director Pushed to Remove Agency CIO appeared first on TechRepublic.

Watchdog urges DHS to address ‘fragmented’ law enforcement hiring

The Department of Homeland Security’s inconsistent hiring practices present major challenges at a time when DHS is surging recruitment across its law enforcement components, according to the department’s watchdog.

The DHS inspector general, in an annual report on top management and performance challenges, flagged “fragmented law enforcement hiring” as one of the department’s top three issues.

The IG warns that those longstanding issues have been amplified by a recent influx of funding from the One Big Beautiful Bill Act passed last year. Immigration and Customs Enforcement, Customs and Border Protection, and the Secret Service have all embarked on major hiring initiatives over the past year, backed by billions of dollars in funding.

“There is overlapping, competitive, law enforcement hiring among ICE, CBP, and USSS,” the report warns. “These competing interests can undermine the hiring process when conducted without departmentwide planning. Law enforcement hiring will endure additional stresses in the coming years due to the OBBBA, which funds an increase in departmental law enforcement personnel.”

DHS recruiting is “further complicated by inconsistent vetting requirements and application processes” across law enforcement agencies, according to the report.

“These inconsistencies make it difficult to implement a more centralized, efficient hiring process, resulting in duplication of effort, higher costs, and slower onboarding across the department,” the IG states.

The report comes as the Trump administration touts ICE’s hiring of 12,000 new employees in less than a year. However, the vetting and training of ICE officers has come under increasing scrutiny amid the rapid hiring blitz.

Cyber and AI hiring

The IG report also highlights challenges with DHS’s hiring of cybersecurity, IT and artificial intelligence specialists. For instance, DHS’s Office of Intelligence and Analysis and the Coast Guard both face administrative challenges in recruiting personnel with AI-related skillsets, according to the IG.

Those types of challenges could delay key DHS AI projects, the report states.

“These challenges are magnified by inconsistent hiring practices across components, pay disparities with the private sector, and complex clearance requirements,” it continues.

Meanwhile, DHS’s Cyber Talent Management System has not met its original goal to help recruit thousands of cyber experts. Hiring using CTMS has reached just several hundred staff since the system was launched in 2021.

“Although there has been some success using CTMS, the department continuously improves it in partnership with hiring managers to make it a more effective tool,” the IG report states.

Furthermore, the Cybersecurity and Infrastructure Security Agency last year terminated many probationary staffers who were part of CTMS, further shaking confidence in the novel talent system.

Still, the IG report recommends DHS deepen centralized hiring efforts like CTMS to address its tech talent gaps.

“These centralized hiring efforts are a step in the right direction,” the report states. “However, it is unclear that these hiring efforts are sufficient to meet the hiring surges required by the OBBBA or keep pace with evolving Department needs as AI and machine learning are integrated into all operations. Since previous hiring surges did not achieve intended outcomes, DHS should pivot to more successful recruitment methods.”

The post Watchdog urges DHS to address ‘fragmented’ law enforcement hiring first appeared on Federal News Network.


FILE - Customs and Border Patrol agents question occupants of a vehicle they pulled over, during an immigration crackdown in Kenner, La., Dec. 5, 2025. (AP Photo/Gerald Herbert, File)

A data mesh approach: Helping DoD meet 2027 zero trust needs

13 January 2026 at 16:54

As the Defense Department moves to meet its 2027 deadline for implementing its zero trust strategy, it’s critical that the military can ingest data from disparate sources while also being able to observe and secure systems that span all layers of data operations.

Gone are the days of secure moats. Interconnected cloud, edge, hybrid and services-based architectures have created new levels of complexity — and more avenues for bad actors to introduce threats.

The ultimate vision of zero trust can’t be accomplished through one-off integrations between systems or layers. For critical cybersecurity operations to succeed, zero trust must be based on fast, well-informed risk scoring and decision making that consider a myriad of indicators that are continually flowing from all pillars.

Short of rewriting every application, protocol and API schema to support new zero trust communication specifications, agencies must look to the one commonality across the pillars: They all produce data in the form of logs, metrics, traces and alerts. When brought together into an actionable speed layer, the data flowing from and between each pillar can become the basis for making better-informed zero trust decisions.

The data challenge

According to the DoD, achieving its zero trust strategy results in several benefits, including “the ability of a user to access required data from anywhere, from any authorized and authenticated user and device, fully secured.”

Every day, defense agencies are generating enormous quantities of data. Things get even more tricky when the data is spread across cloud platforms, on-prem systems, or specialized environments like satellites and emergency response centers.

It’s hard to find information, let alone use it efficiently. And with different teams working with many different apps and data formats, the interoperability challenge increases. The mountain of data is growing. While it’s impossible to calculate the amount of data the DoD generates per day, a single Air Force unmanned aerial vehicle can generate up to 70 terabytes of data within a span of 14 hours, according to a Deloitte report. That’s about seven times more data output than the Hubble Space Telescope generates over an entire year.

Access to that information has become a bottleneck.

Data mesh is the foundation for modern DoD zero trust strategies

Data mesh offers an alternative answer to organizing data effectively. Put simply, a data mesh overcomes silos, providing a unified and distributed layer that simplifies and standardizes data operations. Data collected from across the entire network can be retrieved and analyzed at any or all points of the ecosystem — so long as the user has permission to access it.

Instead of relying on a central IT team to manage all data, data ownership is distributed across government agencies and departments. The Cybersecurity and Infrastructure Security Agency uses a data mesh approach to gain visibility into security data from hundreds of federal agencies, while allowing each agency to retain control of its data.

Data mesh is a natural fit for government and defense sectors, where vast, distributed datasets have to be securely accessed and analyzed in real time.

Utilizing a scalable, flexible data platform for zero trust networking decisions

One of the biggest hurdles with current approaches to zero trust is that most zero trust implementations attempt to glue together existing systems through point-to-point integrations. While it might seem like the most straightforward way to step into the zero trust world, those direct connections can quickly become bottlenecks and even single points of failure.

Each system speaks its own language for querying, security and data format; the systems were also likely not designed to support the additional scale and loads that a zero trust security architecture brings. Collecting all data into a common platform where it can be correlated and analyzed together, using the same operations, is a key solution to this challenge.

When implementing a platform that fits these needs, agencies should look for a few capabilities, including the ability to monitor and analyze all of the infrastructure, applications and networks involved.

In addition, agencies must have the ability to ingest all events, alerts, logs, metrics, traces, hosts, devices and network data into a common search platform that includes built-in solutions for observability and security on the same data without needing to duplicate it to support multiple use cases.

This latter capability allows the monitoring of performance and security not only for the pillar systems and data, but also for the infrastructure and applications performing zero trust operations.
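The two ideas above, mapping sources that each speak their own format into one schema and then scoring risk from indicators across pillars, are shown here as an added example. It is not code from the original article or from Elastic; the three input formats (a syslog-style auth log, a JSON endpoint alert and key=value flow records), the field names, the score weights and the decision thresholds are all assumptions chosen for illustration, and the sample records are constructed.

```python
"""Added example: normalize telemetry from three zero trust pillars that
arrive in different formats, correlate it per user, and turn the combined
risk score into an access decision. Formats, weights and thresholds are
assumptions for illustration; the sample records are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry. Each source speaks its own format:
# syslog-style auth logs (user pillar), a JSON endpoint alert (device
# pillar) and key=value flow records (network pillar).
RAW_EVENTS = [
    "Jan 13 10:01:02 idp sshd[4242]: Failed password for jdoe from 203.0.113.7",
    "Jan 13 10:01:09 idp sshd[4242]: Failed password for jdoe from 203.0.113.7",
    "Jan 13 10:01:15 idp sshd[4242]: Accepted password for jdoe from 203.0.113.7",
    '{"source":"edr","user":"jdoe","device":"lt-0317","severity":"high","rule":"lsass_dump"}',
    "src=203.0.113.7 user=jdoe device=lt-0317 dst=10.0.5.12 dport=445 bytes=8123456",
    "Jan 13 10:05:00 idp sshd[4243]: Accepted publickey for asmith from 10.0.0.9",
    "src=10.0.0.9 user=asmith device=lt-0402 dst=10.0.5.12 dport=443 bytes=2048",
]

SYSLOG_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\w+) from ([\d.]+)")
KV_RE = re.compile(r"(\w+)=(\S+)")
SEVERITY_SCORE = {"low": 10, "medium": 30, "high": 60}  # assumed weights
INTERNAL_PREFIX = "10."  # assumption: 10/8 is the internal address range


@dataclass
class Event:
    """Common schema every pillar is mapped into before correlation."""
    pillar: str
    user: str
    device: Optional[str]
    kind: str
    score: int  # risk contribution of this single event


def normalize(raw: str) -> Optional[Event]:
    """Map one raw record to the common schema; None if unrecognised."""
    if raw.startswith("{"):
        rec = json.loads(raw)
        return Event("device", rec["user"], rec.get("device"),
                     rec.get("rule", "alert"), SEVERITY_SCORE.get(rec.get("severity"), 0))
    m = SYSLOG_RE.search(raw)
    if m:
        outcome, user, src = m.groups()
        score = 15 if outcome == "Failed" else 0
        if not src.startswith(INTERNAL_PREFIX):
            score += 10  # an external source address is a weak signal on its own
        return Event("user", user, None, f"auth_{outcome.lower()}", score)
    kv = dict(KV_RE.findall(raw))
    if "dport" in kv and "user" in kv:
        score = 20 if kv["dport"] == "445" else 0  # SMB from a workstation
        if int(kv.get("bytes", 0)) > 1_000_000:
            score += 20  # large transfer
        return Event("network", kv["user"], kv.get("device"), f"flow_{kv['dport']}", score)
    return None


def score_users(raw_events: List[str]) -> Dict[str, dict]:
    """Correlate normalized events per user across pillars."""
    totals: Dict[str, dict] = {}
    for raw in raw_events:
        ev = normalize(raw)
        if ev is None:
            continue  # unparseable input is dropped, not scored
        s = totals.setdefault(ev.user, {"score": 0, "pillars": set(), "signals": []})
        s["score"] += ev.score
        s["pillars"].add(ev.pillar)
        s["signals"].append(ev.kind)
    return totals


def decide(summary: dict) -> str:
    """Policy: deny only when a high score is corroborated by more than one
    pillar; a single-pillar signal steps up authentication instead."""
    if summary["score"] >= 80 and len(summary["pillars"]) >= 2:
        return "deny"
    if summary["score"] >= 30:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    for user, summary in score_users(RAW_EVENTS).items():
        print(user, summary["score"], sorted(summary["pillars"]), decide(summary))
```

The point of the design is in `decide`: no single source can deny access on its own, because a high score from one pillar (say, a noisy endpoint rule) only triggers step-up authentication, while the same score corroborated by a second pillar denies. That corroboration is only possible once all three formats have been reduced to the common `Event` schema; with point-to-point integrations each source would reach its own verdict in isolation.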

The zero trust security paradigm is necessary; we can no longer rely on simplistic, perimeter-based security. But the requirements demanded by the zero trust principles are too complex to accomplish with point-to-point integrations between systems or layers.

Zero trust requires integration across all pillars at the data level; in short, the government needs a data mesh platform to orchestrate these implementations. By following the guidance outlined above, organizations will not just meet requirements, but truly get the most out of zero trust.

Chris Townsend is global vice president of public sector at Elastic.

The post A data mesh approach: Helping DoD meet 2027 zero trust needs first appeared on Federal News Network.


CISA director void leaves cyber agency embroiled in uncertainty

The Cybersecurity and Infrastructure Security Agency is on the verge of going a full year without a permanent leader, as cyber experts say the void is preventing CISA from moving forward on key issues and leaving an already reeling workforce in the lurch.

The Senate earlier this month returned Sean Plankey’s nomination to the White House after lawmakers failed to vote on it during last year’s session. President Donald Trump formally nominated Plankey in March of last year.

Plankey is a widely respected official whose nomination had broad backing from industry and bipartisan support on Capitol Hill.

But his nomination was placed under multiple holds, some of them unrelated to CISA or cybersecurity. Most recently, Sen. Rick Scott (R-Fla.) had reportedly placed a hold on Plankey after the Department of Homeland Security terminated a Coast Guard cutter contract with a shipyard in Florida. Plankey has been serving as a senior advisor in the Coast Guard while he awaits confirmation.

On Tuesday, Trump re-nominated Plankey to lead the cyber agency. CISA is currently being led in an acting capacity by Deputy Director Madhu Gottumukkala, who was chief information officer for the state of South Dakota when Homeland Security Secretary Kristi Noem was governor there.

Mark Montgomery, the executive director of the Cyberspace Solarium Commission 2.0, said the uncertainty comes at a time when CISA “desperately needs strong leadership.”

“I think they can’t focus,” Montgomery said. “They can’t come up with a strategic plan that’s going to drive a four-year administration. They’ve already lost a year. Every day, every week, every month, that you don’t have your Senate confirmed person, you take risk. This is the civilian cyber defense agency. It needs strong, focused leadership.”

Senate-confirmed leaders are typically more capable of advocating for their agencies, both within the administration and on Capitol Hill in front of lawmakers. Plankey’s nomination fell by the wayside as cyber threats to U.S. critical infrastructure continued to rise last year, noted Bob Ackerman, a venture capitalist who founded AllegisCyber Capital.

“CISA owns the essential national security mission of protecting the homeland from such society-crippling cyber-attacks,” Ackerman said. “Yet, while we wouldn’t charge the U.S. Marines with executing their missions without a leader, CISA’s mission to block and deter our adversaries has been left leaderless at this urgent moment of need.”

Over the past year, Montgomery said CISA has not advanced public-private collaboration “in any meaningful way.”

For instance, he said the cyber agency has yet to take significant actions to address Volt Typhoon. U.S. officials have accused the China-linked group of hacking into critical infrastructure networks, like power and water systems. In January 2024, then-FBI Director Chris Wray said the goal of the hacks was to “destroy or degrade” those systems during a future conflict.

“We’re 24 months since [Director] Wray laid out the Volt Typhoon challenge, and we still don’t have an integrated policy to address it,” Montgomery said. “That should come from CISA. It should have come from the Joint Cyber Defense Collaborative, the Joint Cyber Planning Office, and we haven’t gotten it. And the reason is it takes interagency leadership, which you’re not going to get from an acting director.”

Cyber experts also pointed to stalled efforts like the reinstatement of the Critical Infrastructure Partnership Advisory Council (CIPAC) as an example of where Plankey could make a difference.

The Department of Homeland Security disbanded CIPAC last spring as part of a broader purge of federal advisory councils. CIPAC had provided authorities for government officials and industry to collaborate on cybersecurity issues through various sector coordinating councils.

Industry officials had been encouraged by Noem’s speech at the RSA Conference in late April 2025, during which she said CIPAC would be reinstated and “will bring more people to the table and be much more action oriented.”

But since then, DHS has not acted to revive CIPAC or any related authorities. Since the council was disbanded, there has been “less engagement and less communication,” Ari Schwartz, coordinator of the Cybersecurity Coalition, told Federal News Network.

“I do think we do need to see some action on that,” Schwartz said. “I don’t think that that can really wait around at this point.”

CISA’s workforce, meanwhile, has experienced deep cuts under the Trump administration, driven by deferred resignations and early retirements. Many who left were experienced staff who led CISA programs.

Office of Personnel Management data shows CISA’s headcount has gone from a high of 3,395 employees in 2024 to 2,376 staff at the start of this year.

One CISA employee, who requested anonymity to speak candidly, said the last year at the agency was “extremely difficult.”

“From the onslaught of policy changes targeting us – like return-to-office, standard hours, contract delays and cuts – to the huge amounts of departures and the lack of new leadership in place, we as an agency made little to no progress and in some instances went backwards in my opinion,” the employee said. “For 2026, I was expecting to finally get some concrete leadership direction and priorities, but with the CISA director still not in place and another possible shutdown looming, I’m expecting another year of chaos and little progress.”

Both Montgomery and Schwartz said one positive at CISA over the last year has been Nick Andersen, who joined the agency in August as a political appointee leading CISA’s cybersecurity division. Andersen has spoken at multiple public events, briefed the media on agency cyber directives, and met with industry groups.

But Montgomery noted that doesn’t outweigh not having a Senate-confirmed director.

“You lead CISA from the top and to go fight battles within DHS for the restoration of manpower, to lead interagency work to develop and execute an integrated defense plan against Volt Typhoon’s operational preparation of the battlefield,” he said.

The post CISA director void leaves cyber agency embroiled in uncertainty first appeared on Federal News Network.


Five things to watch in cybersecurity for 2026

The past year in federal cybersecurity policy was full of uncertainty, as a change in administration, expiring authorities and the emergence of artificial intelligence converged and led to plenty of questions about the future of the cybersecurity landscape.

Going into 2026, cyber policymakers and experts are expecting some clarity, especially around the interplay of AI and cyber. Here are five things to watch when it comes to federal cyber issues as the new year gets underway:

New national cyber strategy

The White House is expected to issue a new national cyber strategy early in the new year. During an appearance at the Aspen Institute’s Cyber Summit in November, National Cyber Director Sean Cairncross said the strategy won’t be a lengthy document.

“It’s going to be a short statement of intent and policy and then it will be paired very quickly with action items and deliverables under that,” Cairncross said. “As a topline matter, it’s going to be focused on shaping adversary behavior, introducing costs and consequences into the mix.”

Cairncross said the strategy will feature six pillars. And he said the Office of the National Cyber Director is also working on a “workforce initiative” to address cyber talent gaps.

“There’s over half a million cyber jobs just on the decks now that need filling and there will be a need for more,” Cairncross said. “We need to align industry incentives, academic incentives, vocational school incentives, [venture capital] and bring them together collaboratively to better the workforce for the country.”

Morgan Adamski, a former National Security Agency leader and executive at PwC, said the cyber strategy’s expected focus on influencing adversary behavior and offensive cyber operations points toward a shift toward “active defense.”

“Active defense is essential because it shifts security from a passive, reactive posture to a proactive one that actively reduces risk,” Adamski told Federal News Network. “Instead of waiting for threats to materialize and cause damage, active defense emphasizes continuous monitoring, rapid detection, and timely response. This approach shortens the window between intrusion and containment, limits the attacker’s ability to escalate, and protects critical assets before harm spreads. In an environment where threats evolve quickly and adversaries adapt, relying solely on static controls is insufficient.”

AI and cyber

Industry will be closely reading the strategy for what it says about the multifaceted issue of AI. Cyber experts generally divide the issue into three broad categories: securing AI systems and data; defending against AI-enabled cyber attacks; and using AI for cyber defense.

Drew Bagley, CrowdStrike’s vice president for privacy and cyber policy, pointed to how federal agencies have embraced the “zero trust” concept in recent years, as well as technologies like endpoint detection and response, and log management.

“Now it’s going to be increasingly important to think about how those same concepts are applied to AI,” Bagley told Federal News Network. “If AI is going to continue to be embraced at this rapid speed without there being visibility into what’s going out the door with AI, then you have a problem. You have another attack surface.”

Bagley said he’s watching for the Cybersecurity and Infrastructure Security Agency to provide the federal government with leadership on AI security.

“CISA can provide guidance to those who are implementing AI in federal agencies as far as what the security standards need to be to make sure that that AI is secure and that AI is not introducing a security threat in and of itself,” he said.

Meanwhile, agency chief information security officers are also considering how they can use AI to improve cyber defenses. Adamski said CISOs will have to focus on both securing AI systems and harnessing AI for cybersecurity at the same time.

“AI is becoming a genuine force multiplier for defense, especially in security operations where teams are overwhelmed and attackers move fast,” she said. “It can improve detection, speed up investigation, enhance threat hunting, and help prioritize what matters most. In many environments, that kind of leverage is the difference between containing an incident quickly and getting buried by volume.”

CISA 2015 reauthorization

While Congress typically doesn’t move major pieces of legislation during an election year, the reauthorization of cybersecurity information sharing authorities remains a pressing priority when lawmakers return from their holiday recess.

The Cybersecurity Information Sharing Act of 2015 lapsed on Oct. 1. Congress gave it a temporary revival as part of the continuing resolution to reopen the government, but the CISA 2015 authorities are set to expire again on Jan. 30.

Reauthorizing the law has broad bipartisan support, including from the White House. But House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) has acknowledged the path to reauthorizing CISA 2015 remains murky at best.

In the House, lawmakers have advanced Garbarino’s bill, the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act), through the committee. The bill would extend CISA 2015 for another decade and provide key definitional updates.

“Our colleagues in the Senate have different ideas. Some of them want to do a 10-year clean [reauthorization]. I don’t know if I can get that passed in the House, with concerns from the Freedom Caucus,” Garbarino said at an event hosted by Auburn University’s McCrary Institute in December.

Meanwhile, Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) also opposes a “clean” reauthorization due to his concerns about agencies working with social media companies on disinformation, which occurred under separate authorities from CISA 2015.

“I don’t know how it gets done on its own,” Garbarino said. “I feel like we have to attach it to another piece of legislation, whether that’s government funding. But we need it passed and unfortunately I don’t think we’re close enough with the discussions on the Senate to figure out which bill will pass and what will get done.”

The upshot, Garbarino continued, is another possible short-term extension of CISA 2015.

“Which is unfortunate because we worked very hard to get our bill out of committee,” he added. “It took a lot of requests or advice from the private sector on updates. So we love our piece of legislation that we got done. When you get the trial attorneys to not object to your bill giving liability protection, that’s a pretty good thing.”

CIRCIA rule

CISA, the agency rather than the 2015 law, is meanwhile set to issue a landmark cyber incident reporting rule that will apply to vast swaths of the 16 U.S. critical infrastructure sectors.

Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in 2022. The law generally requires critical infrastructure organizations – in sectors like energy, water and telecommunications – to report significant cyber incidents to CISA within 72 hours.

The law represents the most far-reaching federal cybersecurity regulation ever passed by Congress.

In 2024, CISA released a proposed rule to implement the law. At the time, the agency estimated the rule will apply to some 316,000 entities across the country.

Industry has criticized the proposed rule for being overly broad and is also encouraging CISA to “harmonize” the rule with many existing cyber incident reporting mandates.

The Trump administration has delayed the release of the final rule until May 2026, providing CISA with more time to respond to those concerns.

Cyber leader gaps

Meanwhile, CISA also heads into 2026 without a Senate-confirmed leader. Trump nominated Sean Plankey to serve as CISA director in March. But Plankey’s nomination has been held up in the Senate for various reasons.

Most recently, Sen. Jacky Rosen (D-Nev.) has placed a hold on Plankey’s nomination due to concerns about the Coast Guard’s implementation of a new hate speech policy. Plankey has been serving as a senior advisor in the Coast Guard.

Meanwhile, the National Security Agency and U.S. Cyber Command are also still under acting leadership at the start of the new year.

The dual-hat role of NSA director and CYBERCOM commander is a key cybersecurity post, especially with the Trump administration’s emphasis on offensive cyber operations. The role had been held by Air Force Gen. Timothy Haugh, but Trump ousted Haugh in April, reportedly at the behest of far-right influencer Laura Loomer.

According to multiple reports, Trump now intends to nominate Army Lt. Gen. Joshua Rudd to lead the NSA and CYBERCOM.

And in Congress, Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, announced that he will not seek re-election in 2026, meaning he will retire effective January 2027. Peters has been one of the most influential members of Congress on cyber policy over the last decade.

The post Five things to watch in cybersecurity for 2026 first appeared on Federal News Network.


For DHS workforce, 2025 marked a year of major change

At the Department of Homeland Security, where you stand at the end of 2025 depends on where you sit.

With the Trump administration emphasizing border security and mass deportations as top priorities, DHS components that work in those areas saw both major funding increases and workforce boosts.

Meanwhile, other DHS components were swept up in the administration’s workforce reduction efforts. Some of those components were also in the crosshairs of new political leadership for program and funding cuts.

The “One Big Beautiful Bill Act” tax and reconciliation measure passed in July only deepened those differences.

The legislation provided billions in additional funding for select DHS components like Customs and Border Protection and Immigration and Customs Enforcement. Meanwhile, other offices such as the Cybersecurity and Infrastructure Security Agency have been hit by workforce reductions and funding cuts, ending support for programs and services like CISA’s Multi-State Information Sharing and Analysis Center.

Workforce fluctuates

DHS is one of the only departments to gain a net increase in employees over the last two years, according to an analysis of agency shutdown contingency plans compiled by the Partnership for Public Service.

While most agencies saw staffing reductions driven by the Department of Government Efficiency, DHS’s workforce grew by 6%, to 271,927 employees listed in its 2025 contingency plan.

The Trump administration’s high-profile focus on immigration enforcement operations brings with it more funding and personnel for agencies like ICE and CBP. According to shutdown contingency plans, ICE’s workforce increased by more than 500 employees between June 2024 and September 2025. CBP’s workforce grew by more than 1,500 employees over the same period.

The Coast Guard’s workforce has swelled by nearly 2,000 as part of a recruiting campaign started by the Biden administration and further boosted under the Trump administration through the “Force Design 2028” initiative.

Many positions at DHS, including law enforcement positions, were exempt from workforce reduction efforts like deferred resignations and earlier retirements.

But some components, including CISA and the Federal Emergency Management Agency, underwent stark staff reductions driven by program cuts and voluntary departures.

CISA’s workforce has dropped by nearly one-third, from 3,400 employees in June 2024 to 2,500 staff as of May 31, 2025, according to the contingency plans. More CISA employees may have departed since the latest tally.

FEMA, meanwhile, has seen the number of active employees decrease from roughly 25,800 at the start of the year to 23,350 as of June 1, according to the Government Accountability Office. The departures include 24 FEMA senior executives, “widely respected agency leaders who departed voluntarily given the uncertainty around the agency’s future,” GAO noted.

The future of FEMA has been an open question as the Trump administration has targeted the agency for steep cuts. A FEMA Review Council set up by Trump was set to issue recommendations this month, but the White House indefinitely postponed the council’s final meeting.

The Trump administration has also proposed some cuts to the Transportation Security Administration. Homeland Security Secretary Kristi Noem is further moving to eliminate TSA employees’ collective bargaining rights.

‘Big bill’ brings big changes

Further changes are underway at DHS, largely thanks to the $165 billion included for the department in the “One Big Beautiful Bill.” That funding lasts through 2029 and is largely unspent.

It includes $4.1 billion for CBP to hire 5,000 customs officers and 3,000 border patrol agents over the next four years, and $8 billion for ICE to hire 10,000 new officers. DHS says ICE has already reached that goal as 2025 comes to a close.

The bill also includes billions in funding for new immigration detention facilities, border security infrastructure, training facilities, vehicles, Coast Guard ships and more.

Industry will be watching closely as DHS’s spend plans for the reconciliation bill come together.

Senior leaders

With Year 1 of the second Trump administration nearly complete, many presidentially appointed, Senate-confirmed positions at DHS remain vacant or filled by acting personnel. Trump has yet to nominate a FEMA administrator, a TSA administrator or a DHS under secretary for management, among other positions.

Meanwhile, Deputy Homeland Security Secretary Troy Edgar will soon depart DHS after being nominated to serve as U.S. ambassador to El Salvador. The administration has not yet named a replacement.

CISA has been without a permanent director since January. Sean Plankey was nominated to serve as CISA director in March, but his nomination has been held up in the Senate over multiple issues unrelated to Plankey himself.

The post For DHS workforce, 2025 marked a year of major change first appeared on Federal News Network.


Why AI agents won’t replace government workers anytime soon

30 December 2025 at 14:59

The vendor demo looks flawless, the script even cleaner. A digital assistant breezes through forms, updates systems and drafts policy notes while leaders watch a progress bar. The pitch leans on the promised agentic AI advantage.

Then the same agents face real public-sector work and stall on basic steps. The newest empirical benchmark from researchers at the nonprofit Center for AI Safety and data annotation company Scale AI finds current AI agents completing only a tiny fraction of jobs at a professional standard. Agents struggled to deliver production-ready outcomes on practical projects, including an explorer for World Happiness data, a short 2D promo, a 3D product animation, a container-home concept, a simple Suika-style game, and an IEEE-formatted manuscript. This new study should help provide some grounding on what agents can do inside federal programs today, why they will not replace government workers soon, and how to harvest benefits without risking mission, compliance or trust.

Benchmarks, not buzzwords, tell the story

Bold marketing favors smooth narratives of autonomy. Public benchmarks favor reality. In the WebArena benchmark, an agent built on GPT-4 achieved low end-to-end task success compared with human performance on real websites that require navigation, form entry and retrieval. The OSWorld benchmark assembles hundreds of desktop tasks across common apps with file handling and multi-step workflows, and documents persistent brittleness when agents face inconsistent interfaces or long sequences. Software results echo the same pattern. The original SWE-bench evaluates real GitHub issues across live repositories and shows that models generate useful patches, but need scaffolding and review to land working changes.

Duration matters. The H-CAST report correlates agent performance with human task time and finds strong results on short, well-bounded steps and sharp drop-offs on long, multi-hour work. That split maps directly to government operations. Agents can draft a memo outline or a SQL snippet. They falter when the job spans multiple systems, requires policy nuance, or demands meticulous document hygiene.

Building a public dashboard, as in the study run by researchers at the Center for AI Safety and Scale AI, is not a single chart; it is a reliable pipeline with provenance, documentation and accessible visuals. A 2D promo is not a storyboard alone; it is consistent assets, rights-safe media, captions and export settings that pass accessibility checks. A container-home concept is not a render; it is geometry, constraints and safety considerations that survive a technical review.

Federal teams must also contend with rules that raise the bar for autonomy. The AI Risk Management Framework from the National Institute of Standards and Technology gives a shared vocabulary for mapping risks and controls. These guardrails do not block generative AI in government; they just make unsupervised autonomy a poor bet.

What this means for mission delivery, compliance and the workforce

The near-term value is clear. Treat agents as accelerators for specific tasks inside projects, not substitutes for the people who own outcomes. That approach matches field evidence. A large deployment in customer support showed double-digit gains in resolutions per hour when a generative assistant helped workers with suggested responses and knowledge retrieval, with the biggest lift for less-experienced staff. Translate that into federal work and you get faster first drafts, cleaner queries, more consistent formatting, and quicker starts on visuals, all checked by employees who understand policy, context and stakeholders.

Compliance reinforces the same division of labor. To run in production, systems must pass FedRAMP authorization, recordkeeping requirements and privacy controls. Content must meet Section 508 standards for accessibility. Security teams will lean on the joint secure AI development guidelines from the Cybersecurity and Infrastructure Security Agency and international partners to push model and system builders toward stronger practices. Auditors will use the Government Accountability Office’s accountability framework to probe governance, data quality and human oversight. Every one of those checkpoints increases the value of staff who can judge quality, interpret rules and stitch outputs into agency processes.

The fear that the large majority of federal work will be automated soon does not match the evidence. Agents still miss long sequences, stall at brittle interfaces, and struggle with multi-file deliverables. They produce assets that look plausible but fail validation or policy review. They need context from the people who understand stakeholders, statutes, and mission tradeoffs. That leaves plenty of room for productivity gains without mass replacement. It also shifts work toward specification, review and integration, roles that exist across headquarters and field offices.

A practical playbook federal leaders can use now

Plan for augmentation, not substitution. When I help government agencies adopt AI tools, we start by mapping projects into linked steps and flag the ones that benefit from an assistive agent. Drafting a response to a routine inquiry, summarizing a meeting transcript, extracting fields from a form, generating a chart scaffold, and proposing test cases are all candidates. Require a human owner for every deliverable, and publish acceptance criteria that catch the common failure modes seen in the benchmarks, including missing assets, inconsistent naming, broken links and unreadable exports. Maintain an audit trail that shows prompts, sources and edits so the work is FOIA-ready.

Ground the program in federal policy. Adopt the AI Risk Management Framework for risk mapping, and scope pilots to systems that can inherit or achieve FedRAMP authorization. Treat models and agents as components, not systems of record. Keep sensitive data inside authorized boundaries. Validate accessibility against Section 508 standards before anything goes public. For procurement, require vendors to demonstrate performance on public benchmarks like WebArena, OSWorld or SWE-bench using your agency’s constraints rather than glossy demos.

Staff and labor planning should reflect the new shape of work. Expect fewer hours on rote drafting and more time on specification, review and integration. Upskill employees to write good task definitions, evaluate model outputs, and enforce standards. Track acceptance rates, rework and defects by category so leaders can decide where to expand scope and where to hold the line. Publish internal guidance that explains when to use agents, how to attribute sources, and where human approval is mandatory. Share outcomes with the AI.gov community and look for common building blocks across agencies.

A brief scenario shows how this plays out without wishful thinking. A program office stands up a pilot for public-facing dashboards using open data. An agent produces first-pass code to ingest and visualize the dataset, similar to the World Happiness example. A data specialist verifies source URLs, adds documentation, and applies the agency’s color and accessibility standards. A policy analyst reviews labels and context language for accuracy and plain English. The team stores prompts, code and decisions with metadata for audit. In the same sprint, a communications specialist uses an agent to draft a 30-second script for a social clip and a designer converts it into a simple 2D animation. The outputs move faster, quality holds steady, and the people who understand mission and policy remain responsible for the results.

AI agents deliver lift on specific tasks and stumble on long, cross-tool projects. Public benchmarks on the web, desktop and code back that statement with reproducible evidence. Federal policy adds governance that rewards augmentation over autonomy. The smart move for agencies is to put agents to work inside projects while employees stay accountable for outcomes, compliance and trust. That plan banks real gains today and sets agencies up for more automation tomorrow, without betting programs and reputations on a hype cycle.

Dr. Gleb Tsipursky is CEO of the future-of-work consultancy Disaster Avoidance Experts.

The post Why AI agents won’t replace government workers anytime soon first appeared on Federal News Network.


DoD expands login options beyond CAC

26 December 2025 at 08:50

The Defense Department is expanding secure methods of authentication beyond the traditional Common Access Card, giving users more alternative options to log into its systems when CAC access is “impractical or infeasible.”

A new memo, titled “Multi-Factor Authentication (MFA) for Unclassified & Secret DoD Networks,” lays out when users can access DoD resources without CAC and public key infrastructure (PKI). The directive also updates the list of approved authentication tools for different system impact levels and applications.

In addition, the new policy provides guidance on where some newer technologies, such as FIDO passkeys, can be used and how they should be protected.

“This memorandum establishes DoD non-PKI MFA policy and identifies DoD-approved non-PKI MFAs based on use cases,” the document reads.

While the new memo builds on previous DoD guidance on authentication, earlier policies often did not clearly authorize specific login methods for particular use cases, leading to inconsistent implementation across the department.

Individuals in the early stages of the recruiting process, for example, may access limited DoD resources without a Common Access Card using basic login methods such as one-time passcodes sent by phone, email or text. As recruits move further through the process, they must be transitioned to stronger, DoD-approved multi-factor authentication before getting broader access to DoD resources.

For training environments, the department allows DoD employees, contractors and other partners without CAC to access training systems only after undergoing identity verification. Those users may authenticate using DoD-approved non-PKI multi-factor authentication — options such as one-time passcodes are permitted when users don’t have a smartphone. Access is limited to low-risk, non-mission-critical training environments.

Although the memo identifies 23 use cases, the list is expected to be a living document and will be updated as new use cases emerge.

Jeremy Grant, managing director of technology business strategy at Venable, said the memo provides much-needed clarity for authorizing officials.

“There are a lot of new authentication technologies that are emerging, and I continue to hear from both colleagues in government and the vendor community that it has not been clear which products can and cannot be used, and in what circumstances. In some cases, I have seen vendors claim they are FIPS 140 validated but they aren’t — or claim that their supply chain is secure, despite having notable Chinese content in their device. But it’s not always easy for a program or procurement official to know what claims are accurate. Having a smaller list of approved products will help components across the department know what they can buy,” Grant told Federal News Network.

DoD’s primary credential

The memo also clarifies what the Defense Department considers its primary credential. Prior policies went back and forth between defining DoD’s primary credential as DoD PKI and as the CAC.

“From my perspective, this was a welcome — and somewhat overdue — clarification. Smart cards like the CAC remain a very secure means of hardware-based authentication, but the CAC is also more than 25 years old and we’ve seen a burst of innovation in the authentication industry where there are other equally secure tools that should also be used across the department. Whether a PKI certificate is carried on a CAC or on an approved alternative like a YubiKey shouldn’t really matter; what matters is that it’s a FIPS 140 validated hardware token that can protect that certificate,” Grant said.

Policy lags push for phishing-resistant authentication

While the memo expands approved authentication options, Grant said it’s surprising the guidance stops short of requiring phishing-resistant authenticators and continues to allow the use of legacy technologies such as one-time passwords that the National Institute of Standards and Technology, Cybersecurity and Infrastructure Security Agency and Office of Management and Budget have flagged as increasingly susceptible to phishing attacks.

Both the House and Senate have been pressing the Defense Department to accelerate its adoption of phishing-resistant authentication. Congress acknowledged that the department has established a process for approving new multi-factor authentication technologies, but few products have made it through that process. Now, the Defense Department is required to develop a strategy to “ensure that phishing-resistant authentication is used by all personnel of the DoD” and to provide a briefing to the House and Senate Armed Services committees by May 1, 2026.

The department is also required to ensure that legacy, phishable authenticators such as one-time passwords are retired by the end of fiscal 2027.
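Why the memo’s continued allowance of one-time passcodes matters in practice is easiest to see by simulating the attack NIST, CISA and OMB warn about. The following is an added example written for this page, not code from the DoD memo or from any DoD system: it implements RFC 6238 TOTP and a deliberately simplified FIDO/WebAuthn flow in which the authenticator’s credentials are scoped to a relying-party ID and the browser, not the page, records the true origin. The site names, the use of HMAC as a stand-in for the authenticator’s private-key signature, and every class and function name are assumptions of the example.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# ---- Part 1: TOTP (RFC 6238) and why a real-time relay phish defeats it ----

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpSite:
    """The real service: password plus the current TOTP code, allowing one step of clock drift."""
    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.password, self.totp_secret = password, totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(password.encode(), self.password.encode())
        code_ok = any(hmac.compare_digest(code, totp(self.totp_secret, now + d)) for d in (-30, 0, 30))
        return pw_ok and code_ok

def relay_phish_against_totp(site: OtpSite, victim_password: str, victim_totp_secret: bytes, now: int) -> bool:
    """Adversary-in-the-middle: a look-alike page harvests what the victim types and forwards it.
    Nothing binds the code to the site that asked for it, so it works on the real site too."""
    harvested_code = totp(victim_totp_secret, now)  # victim copies it from their authenticator app
    return site.login(victim_password, harvested_code, now + 5)  # forwarded seconds later, still valid

# ---- Part 2: a FIDO/WebAuthn-style assertion is scoped to an rpId and signed over the origin ----

def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: rpId must be the page origin's host or a registrable suffix of it."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    """Security key / passkey with one credential per rpId. HMAC stands in for the real
    private-key signature so the demo stays standard-library only; the structure is what matters."""
    def __init__(self) -> None:
        self.credentials: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # a real authenticator hands the RP a public key, never this

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Optional[bytes]:
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId, e.g. the phisher's own domain
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()  # as carried in authenticatorData
        return hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()

class Browser:
    """The browser, not the page's script, writes the true origin into clientDataJSON."""
    def __init__(self, authenticator: Authenticator) -> None:
        self.authenticator = authenticator

    def credentials_get(self, page_origin: str, rp_id: str, challenge: bytes) -> Tuple[bytes, Optional[bytes]]:
        if not rp_id_matches_origin(rp_id, page_origin):
            raise PermissionError("SecurityError: rpId is not a valid domain for this origin")
        client_data = json.dumps({"challenge": challenge.hex(), "origin": page_origin}).encode()
        return client_data, self.authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())

class FidoSite:
    """Relying party: checks its own challenge, the origin the browser recorded, and the signature."""
    def __init__(self, rp_id: str, origin: str, cred_key: bytes) -> None:
        self.rp_id, self.origin, self.cred_key = rp_id, origin, cred_key
        self.issued_challenge = os.urandom(32)

    def verify(self, client_data: bytes, sig: Optional[bytes]) -> bool:
        if sig is None:
            return False
        cd = json.loads(client_data)
        if cd.get("challenge") != self.issued_challenge.hex() or cd.get("origin") != self.origin:
            return False  # relayed from another origin, or a stale/forged challenge
        msg = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(self.cred_key, msg, hashlib.sha256).digest(), sig)

def fido_login(site: FidoSite, browser: Browser, page_origin: str, rp_id: str) -> bool:
    """One login attempt from a page served at page_origin; False on every failure path."""
    try:
        client_data, sig = browser.credentials_get(page_origin, rp_id, site.issued_challenge)
    except PermissionError:
        return False
    return site.verify(client_data, sig)

def relay_phish_against_fido(site: FidoSite, browser: Browser) -> bool:
    """Same relay attack: the phishing page forwards the real site's challenge to the victim's browser.
    Asking for the real rpId is refused by the browser; asking for its own rpId finds no credential."""
    phish = "https://login-example-gov.invalid"  # constructed look-alike origin
    return fido_login(site, browser, phish, site.rp_id) or fido_login(site, browser, phish, "login-example-gov.invalid")
```

The TOTP relay succeeds because nothing the victim’s phone produces is tied to the site that asked for it; a verifier that tolerates a step of clock drift, as most do, even absorbs the forwarding delay. The FIDO attempt fails on both paths, once at the browser (the real rpId is not valid for the phishing origin) and once at the authenticator (no credential exists for the phisher’s rpId), and a forged assertion would still fail the relying party’s origin check. The real protocol uses an ECDSA or EdDSA signature over the full authenticatorData and clientDataJSON structures, but the origin and rpId checks shown here are the ones that make the authenticator phishing resistant.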

“I imagine this document will need an update in the next year to reflect that requirement,” Grant said.

The post DoD expands login options beyond CAC first appeared on Federal News Network.



Senate lawmakers look to stem staff cuts at CISA, FEMA

Republicans on the Senate Appropriations Committee have put forward a 2026 homeland security spending bill that would staunch some workforce cuts at the Department of Homeland Security.

The committee released a draft version of the fiscal 2026 homeland security appropriations measure on Friday. Lawmakers will return to Capitol Hill after the holidays with a deadline to pass annual spending bills for most federal agencies by Jan. 30, when the current continuing resolution expires.

Lead appropriators in the House and Senate reached an agreement on funding allocations for the remainder of fiscal 2026 over the weekend. While they did not release specific numbers, House Appropriations Committee Chairman Tom Cole (R-Okla.) said the allocations would fall below projected spending levels under the CR.

“This pathway forward aligns with President Trump’s clear direction to rein in runaway, beltway-driven spending,” Cole said in a statement. “We will now begin expeditiously drafting the remaining nine full-year bills to ensure we are ready to complete our work in January.”

What’s the topline Senate DHS funding package?

Senate appropriators’ draft homeland security spending bill includes $92.3 billion for DHS in fiscal 2026, including nearly $66 billion in discretionary spending and $26.3 billion for the Disaster Relief Fund.

Those totals roughly align with what House Appropriations included in their homeland security spending package over the summer. It also comes after DHS received $165 billion in additional funding through fiscal 2029 under the One Big Beautiful Bill Act passed in July.

However, Senate Appropriations Committee Vice Chairwoman Patty Murray (D-Wash.) slammed the Senate committee’s draft proposal, calling it a “partisan bill” and saying Republicans didn’t work with Democrats to finalize a negotiated bill.

“We need more accountability from President Trump’s out-of-control Department of Homeland Security, and as we proceed to conference negotiations on this bill and the remainder of our bills, I am going to keep working to produce the strongest possible legislation,” Murray said. “American families should be able to count on their own government to support them through serious natural disasters and to enforce our immigration laws humanely and in accordance with the law.”

FEMA staffing concerns

The report on the draft homeland security spending bill, however, shows committee Republicans have some concerns about workforce cuts at the Federal Emergency Management Agency.

Roughly 2,500 FEMA staff have left the agency since the spring. The Trump administration has also expressed a desire to move more of FEMA’s responsibilities to state and local governments.

“The committee is concerned that staffing levels are insufficient to effectively and efficiently execute FEMA’s statutory missions,” the report on the draft bill states.

The bill would provide an additional $40 million for FEMA to hire staff for critical positions in its regional operations and in its response and recovery divisions.

The report on the draft bill also stipulates that FEMA “shall maintain a workforce consistent with the personnel and full-time equivalents funded by the pay and non-pay amounts provided in this act.”

“FEMA shall not reduce staffing in such a way that it lacks sufficient staff to issue guidance, provide payments, and provide technical assistance and operational support to grantees in a timely manner; review and approve plans for obligating and expending Federal funds; review expenditures and reports for waste, fraud, and abuse; and perform all other necessary duties to allow recipients to proceed without unnecessary interruption,” the report continues.

CISA cut softened

Like their House counterparts, Senate appropriators are also looking to shore up funding at the Cybersecurity and Infrastructure Security Agency, rejecting steeper CISA cuts proposed by the Trump administration.

The draft Senate bill includes roughly $2.8 billion for CISA in fiscal 2026, just below 2025 funding levels for the cyber agency.

The bill would also reject proposed cuts at CISA’s National Risk Management Center. It would provide $126 million for the NRMC to maintain fiscal 2024 service and staffing levels.

Lawmakers direct CISA to provide a briefing “on the NRMC’s strategic engagement with election stakeholders, including engagement progress to date, future engagement plans and priorities, and information regarding any identified election security risks and shortfalls that should be mitigated in the near-, mid-, and long-terms.”

CISA has lost one-third of its workforce, roughly 1,000 staff, since the spring through a combination of voluntary departures, early retirements and terminations.

The Trump administration’s budget request would reduce CISA’s annual budget by nearly $500 million. It also proposed staff cuts at some CISA divisions, including the NRMC.

Like with FEMA, Senate appropriators also include language in their bill that CISA “shall maintain a workforce consistent with the personnel and full-time equivalents funded by the pay and non-pay amounts provided in this act.”

“CISA shall not reduce staffing in such a way that it lacks sufficient staff to effectively carry out its statutory missions,” the bill states, pointing to the agency’s efforts to secure federal civilian executive branch agencies and to work with state and local governments, other sector risk management agencies, international partners and other stakeholders.

It further stipulates that CISA should maintain “no fewer” than 10 regional field offices across the country and directs CISA to employ at least one cybersecurity advisor per state.

The post Senate lawmakers look to stem staff cuts at CISA, FEMA first appeared on Federal News Network.

© The Associated Press

FILE - The seal of U.S. Department of Homeland Security is seen before the news conference with Acting director of U.S. Immigration and Customs Enforcement (ICE) Todd Lyons at ICE Headquarters, in Washington, on May 21, 2025. (AP Photo/Jose Luis Magana, File)

How Synack Helps Organizations Comply with Directive 22-01

By: Synack
4 February 2022 at 13:00

Government cybersecurity leaders know all too well that traditional pentesting is complex and doesn’t scale. The need to quickly resource up in order to effectively identify, triage and remediate vulnerabilities has become increasingly critical and, for most, a compliance requirement. 

Synack empowers government agencies with on-demand, continuous pentesting, pairing the platform’s vulnerability management and reporting capabilities with a diverse community of vetted and trusted researchers to find the vulnerabilities that matter. 

Synack also helps government security teams achieve the most effective vulnerability management possible to satisfy Binding Operational Directive (BOD) 22-01’s identification, evaluation and mitigation/remediation steps. The Synack approach also facilitates detailed vulnerability reporting that the agency can easily hand off to CISA if desired. 

Let’s quickly review what BOD 22-01 mandates, and how federal agencies can achieve compliance with help from Synack. 

CISA Binding Operational Directive 22-01—Reducing the Significant Risk of Known Exploited Vulnerabilities

Recent data breaches, most notably the 2020 cyber attack by Russian hackers that penetrated multiple U.S. government systems, have prompted the federal government to improve its efforts to protect the computer systems in its agencies and in third-party providers doing business with the government. As part of the process to improve the security of government systems, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01. 

CISA Directive 22-01 tells federal agencies and contractors what they are required to do to detect and remediate known exploited vulnerabilities. The scope of this directive includes all software and hardware found on federal information systems managed on agency premises or hosted by third parties on the agency’s behalf. Required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Directive 22-01 Compliance Requirements

In addition to establishing a catalog of known exploited vulnerabilities, Directive 22-01 establishes requirements for agencies to remediate these vulnerabilities. Required actions include: 

  • Establishment of 1) a process for ongoing remediation of vulnerabilities and 2) internal validation and enforcement procedures
  • Setting up of internal tracking and reporting
  • Remediation of each vulnerability within specified timelines
  • Reporting on vulnerability status to CISA

CISA’s Cybersecurity Incident & Vulnerability Response Playbooks describe a standard program for vulnerability management. The program steps are identification, evaluation, remediation and reporting.

  1. Identify reports on vulnerabilities that are actively exploited in the wild.
  2. Evaluate the system to determine whether the vulnerability exists in the system and, if it does, how critical it is. If the vulnerability exists, determine whether it has already been exploited on that system.
  3. Mitigate and Remediate all exploited vulnerabilities in a timely manner. Mitigation refers to the steps the organization takes to stop a vulnerability from being exploited (e.g. taking systems offline, etc.) and Remediation refers to the steps taken to fix or remove the vulnerability (e.g. patch the system, etc.).
  4. Report to CISA. Reporting how vulnerabilities are being exploited can help the government understand which vulnerabilities are most critical to fix.
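As an added example, not part of the Synack post or any Synack product, here is a small Python checker that walks the four steps above over constructed data: it matches KEV-style catalog entries (the field names cveID, vendorProject, product and dueDate follow CISA's public KEV JSON feed as I understand it; the CVE IDs are placeholders, not real catalog entries) against a constructed asset inventory, classifies each affected host against the catalog due date, and summarises status in the form an agency tracks for reporting.

```python
from datetime import date

# Constructed sample entries in the shape of the CISA KEV catalog JSON feed
# (field names follow the public feed; the CVE IDs are placeholders, not real entries).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp", "product": "WebGateway",
     "dueDate": "2026-01-19"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCorp", "product": "LogService",
     "dueDate": "2025-12-15"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "MailRelay",
     "dueDate": "2026-01-24"},
]

# Constructed asset inventory: host -> set of (vendor, product) installed on it.
INVENTORY = {
    "web-01": {("ExampleCorp", "WebGateway")},
    "log-01": {("ExampleCorp", "LogService"), ("OtherVendor", "MailRelay")},
    "db-01": {("OtherVendor", "DatabaseCore")},
}

# Constructed remediation log: (host, cveID) -> ISO date the fix was verified.
REMEDIATED = {("web-01", "CVE-0000-00001"): "2026-01-12"}

def evaluate(kev, inventory, remediated, today_iso):
    """Identify/evaluate: match each KEV entry against the inventory and classify
    every affected host as remediated, open, or overdue relative to its dueDate."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        key = (entry["vendorProject"], entry["product"])
        for host, installed in inventory.items():
            if key not in installed:
                continue  # this host does not run the affected product
            if (host, entry["cveID"]) in remediated:
                status = "remediated"
            else:
                status = "overdue" if today > due else "open"
            findings.append({"host": host, "cveID": entry["cveID"],
                             "dueDate": entry["dueDate"], "status": status})
    return findings

def status_report(findings):
    """Report: per-status counts and the overdue (host, CVE) pairs, the figures tracked for CISA."""
    counts = {"remediated": 0, "open": 0, "overdue": 0}
    for f in findings:
        counts[f["status"]] += 1
    overdue = sorted((f["host"], f["cveID"]) for f in findings if f["status"] == "overdue")
    return counts, overdue
```

In practice the KEV_SAMPLE list would be replaced by the `vulnerabilities` array of the downloaded catalog feed and INVENTORY by an export from the agency's asset management system; the matching stays the same.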

Evaluating Vulnerabilities with Synack

Synack finds exploitable vulnerabilities for customers through its unique blend of the best ethical hackers in the world, specialized researchers, a managed VDP, and the integration of its SmartScan product. SmartScan uses a combination of the latest tools, tactics and procedures to continuously scan your environment and watch for changes. It identifies potential vulnerabilities and engages the Synack Red Team (SRT) and Synack Operations to review suspected vulnerabilities. The SRT is a private and diverse community of vetted and trusted security researchers, bringing human ingenuity to the table and pairing it with the scalability of an automated vulnerability intelligence platform. 

If a suspected vulnerability is confirmed as exploitable, the SRT generates a detailed vulnerability report with steps to reproduce and fix the vulnerability. Vulnerabilities are then triaged so that only actionable, exploitable vulnerabilities are presented, each with severity and priority information.

Mitigating and Remediating Vulnerabilities with Synack

Once the Synack team of researchers has verified that a vulnerability is exploitable, it draws on its understanding of your applications and infrastructure. In many cases the SRT is then able to recommend a fix, with accompanying remediation guidance for addressing the vulnerability. Synack goes one step further, verifying that the remediation, mitigation, or patch was implemented correctly and is effective.

Reporting to CISA

Synack’s detailed vulnerability reporting and analytics offer insight and coverage into the penetration testing process with clear metrics that convey vulnerability remediation and improved security posture. 

Comply with CISA Directive 22-01 with Help from Synack

CISA continues to add exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, and federal agencies are expecting urgent CVEs to pop up in the not-too-distant future. The recent rush to address the log4j vulnerability will come to mind for many. The Synack Red Team can aid organizations by rapidly responding to such situations.

To secure your agency’s attack surface and comply with the CISA Directive 22-01, a strong vulnerability management strategy is essential. The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with Disclose (the Synack-managed VDP), along with the scalable nature of SmartScan, to continuously identify and triage exploitable vulnerabilities across web applications, mobile applications, and host-based infrastructure. Synack takes an adversarial approach to exploitation intelligence to show the enterprise where their most business-critical vulnerabilities are and how those vulnerabilities can be exploited by adversaries.


The post How Synack Helps Organizations Comply with Directive 22-01 appeared first on Synack.
