
CISA
US federal cyber agency; runs KEV catalogue with mandatory patch deadlines for federal networks.
Last refreshed: 8 May 2026 · Appears in 1 active topic
How can CISA enforce its own KEV catalogue with 860 fewer staff?
Timeline for CISA
- Added CVE-2026-42897 to KEV on 15 May with a 29 May federal remediation deadline before a patch existed. Source: Cybersecurity: Threats and Defences: Exchange repeats the CISA deadline-before-patch trap
- Added CVE-2026-20182 to KEV on 14 May and issued Emergency Directive ED 26-03 with a 3-day federal remediation deadline. Source: Cybersecurity: Threats and Defences: UAT-8616 keeps Cisco SD-WAN under fire
- Added CVE-2026-20182 and CVE-2026-42897 to KEV within 48 hours of the 13 May Patch Tuesday release. Source: Cybersecurity: Threats and Defences: Patch Tuesday clean streak hides out-of-band KEVs
- Added CVE-2026-42208 to the KEV catalogue on 8 May 2026. Source: Cybersecurity: Threats and Defences: LiteLLM SQL injection hits in 36 hours
- Added CVE-2026-6973 to KEV on 7 May with a 10 May federal deadline. Source: Cybersecurity: Threats and Defences: Ivanti EPMM logs fourth KEV zero-day since 2023

- How much is CISA's budget being cut?
- The Trump FY27 budget proposal published 7 April 2026 proposes cutting CISA by $707 million, eliminating 860 positions, and reducing the agency to approximately $2 billion in operating budget. Source: Trump FY27 budget / Lowdown
- What does CISA do and why does it matter?
- CISA (Cybersecurity and Infrastructure Security Agency) is the US federal lead for critical infrastructure protection and civilian network security. It maintains the Known Exploited Vulnerabilities catalogue, co-ordinates ransomware incident response and provides threat intelligence to the private sector.
- What is CISA's Known Exploited Vulnerabilities catalogue?
- The KEV catalogue lists CVEs that CISA has confirmed are actively exploited in the wild. Federal civilian agencies must patch within the stated deadline; private-sector organisations receive it as a strong urgency signal. In May 2026, CISA issued a KEV deadline for a PAN-OS flaw four days before the vendor's own patch was available. Source: CISA
- What happens when a CISA patch deadline comes before the vendor fix?
- In May 2026, CISA set a 9 May federal deadline for CVE-2026-0300 in Palo Alto PAN-OS even though Palo Alto's own patches were not due until 13 May — the first documented case of a KEV deadline preceding the vendor patch. Federal agencies must apply mitigations or remove the affected product from the network. Source: CISA KEV / Palo Alto advisory
- Does CISA only cover federal networks or private companies too?
- CISA has mandatory jurisdiction over Federal Civilian Executive Branch (FCEB) agencies. For the private sector, its KEV catalogue, advisories and incident-response support are voluntary — but carry strong compliance and reputational weight, particularly for critical infrastructure operators. Source: CISA
- What is CISA's role in election security?
- CISA provides cybersecurity support, threat intelligence sharing, and incident response co-ordination to state and local election officials across all 50 states. It designates election infrastructure as critical infrastructure and co-ordinates with the Election Infrastructure Information Sharing and Analysis Centre (EI-ISAC). Source: CISA
Background
The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal lead for protecting critical infrastructure and federal civilian networks. Created by Congress in 2018, it runs the Known Exploited Vulnerabilities (KEV) catalogue, which issues mandatory patch deadlines for Federal Civilian Executive Branch agencies and voluntary urgency signals for private-sector organisations. The agency also leads the Joint Cyber Defence Collaborative, co-ordinates national counter-ransomware response, and provides election infrastructure security support to all fifty states. CISA operates within the Department of Homeland Security and works in formal partnership with the Five Eyes national CERTs, including the UK NCSC.
CISA's KEV catalogue reached a structural milestone in May 2026 when it added CVE-2026-0300 (Palo Alto PAN-OS captive-portal RCE) with a 9 May federal deadline — four days before Palo Alto's own first patches were scheduled to ship. This is the first documented occasion on which a KEV deadline has preceded the vendor patch, and it establishes a new posture: CISA now asserts that exploited-in-the-wild severity overrides vendor release timelines. In the same update window CISA added CVE-2026-6973 (Ivanti EPMM) with a 10 May deadline, and separately added the cPanel CVE-2026-41940 zero-day disclosed by WatchTowr Labs.
This operational tempo runs against a proposed $707 million budget cut in Trump's FY27 proposal published 7 April 2026, which would eliminate 860 positions and reduce the agency to approximately $2 billion in operating budget. The counter-ransomware initiative, which co-ordinated responses to incidents such as Colonial Pipeline, has already been cancelled under earlier 2025–2026 staffing reductions. For private-sector organisations, a thinner CISA means reduced Joint Cyber Defence Collaborative engagement, narrower threat-intelligence sharing, and fewer co-ordinated incident responses at the federal layer — while the adversary tempo it is tasked to monitor accelerates.