
CISA
US federal cybersecurity agency that maintains the KEV catalogue; facing a proposed $707m cut and elimination of 860 positions under Trump's FY27 budget.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How can CISA enforce its own KEV catalogue with 860 fewer staff?
Timeline for CISA
- Added CVE-2026-3055 to the Known Exploited Vulnerabilities catalogue on 28 March with a 2 April FCEB patch deadline. Source: Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker
- Added CVE-2025-53521 to KEV on 28 March 2026. Source: Cybersecurity: Threats and Defences: F5 reclassifies DoS bug to 9.8 RCE
- Added CVE-2009-0238 to the KEV catalogue on 14 April 2026, marking it as actively exploited. Source: Cybersecurity: Threats and Defences: 17-year-old Office RCE back on KEV
- Assessed with high confidence that Volt Typhoon was pre-positioning in US CNI IT networks for OT lateral movement. Source: Cybersecurity: Threats and Defences: FBI: Salt Typhoon still very much live
- Trump proposes $707m CISA cut, 860 jobs. Source: Cybersecurity: Threats and Defences
- How much is CISA's budget being cut?
- The Trump FY27 budget proposal published 7 April 2026 proposes cutting CISA by $707 million, eliminating 860 positions, and reducing the agency to approximately $2 billion in operating budget. Source: Trump FY27 budget / Lowdown
- What does CISA do and why does it matter?
- CISA (Cybersecurity and Infrastructure Security Agency) is the US federal lead for critical infrastructure protection and civilian network security. It maintains the Known Exploited Vulnerabilities catalogue, co-ordinates ransomware incident response and provides threat intelligence to the private sector.
Background
The Cybersecurity and Infrastructure Security Agency (CISA) maintained active KEV obligations throughout this update window, adding nine CVEs including CitrixBleed 3, F5 BIG-IP APM's reclassified RCE, a 17-year-old Microsoft Office bug, a Fortinet SQL injection and a SharePoint spoofing zero-day. Against that operational tempo, the Trump FY27 budget proposal published on 7 April 2026 proposes cutting CISA's budget by $707 million, eliminating 860 positions, and reducing the agency to approximately $2 billion in operating budget.
CISA was established in 2018 as the federal lead for protecting critical infrastructure and federal civilian networks. Its Known Exploited Vulnerabilities catalogue is the primary operational mechanism for communicating mandatory patch obligations to Federal Civilian Executive Branch agencies (under Binding Operational Directive 22-01) and a voluntary urgency signal to private-sector organisations: each entry carries the date it was added, a required action and a due date by which FCEB agencies must remediate. The counter-ransomware initiative, which co-ordinated the federal response to Colonial Pipeline and other major incidents, has already been cancelled under earlier 2025-2026 CISA staffing reductions.
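The catalogue is only useful to a defender who actually compares it against their own estate. The following is an added example, not code from CISA or from this page, showing how that comparison works: it parses a feed in the shape of the public KEV JSON (the field names `cveID`, `dateAdded`, `dueDate`, `requiredAction` and so on are those of the real feed), matches it against a constructed scanner inventory, and reports which hosts are past their due date as of a given day. The CVE IDs and the 28 March, 2 April and 14 April 2026 dates are taken from the page; the vendor and product strings, the 5 May due date for CVE-2009-0238, the host names and the placeholder CVE-2026-0000 are assumptions made for illustration.

```python
"""Triage a constructed asset inventory against a KEV-shaped feed.

Added example. Field names follow the public KEV JSON feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
the sample data below is constructed, not a copy of the real feed."""
import json
from datetime import date

# Constructed feed. CVE IDs and dateAdded/dueDate for CVE-2026-3055 come from the
# page; vendor/product strings and the 2026-05-05 due date are ASSUMED.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.14",
    "dateReleased": "2026-04-14T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-3055", "vendorProject": "Citrix",   # assumed
         "product": "NetScaler",                                  # assumed
         "vulnerabilityName": "CitrixBleed 3",
         "dateAdded": "2026-03-28", "dueDate": "2026-04-02",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft",
         "product": "Office",
         "vulnerabilityName": "Microsoft Office remote code execution",
         "dateAdded": "2026-04-14", "dueDate": "2026-05-05",      # due date assumed
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: host -> CVEs detected. CVE-2026-0000 is a
# deliberate placeholder that is NOT in the feed.
INVENTORY = {
    "vpn-gw-01": ["CVE-2026-3055"],
    "ws-finance-07": ["CVE-2009-0238", "CVE-2026-0000"],
    "db-02": ["CVE-2026-0000"],
}

REQUIRED = ("cveID", "dateAdded", "dueDate", "requiredAction")


def parse_kev(text):
    """Return {cveID: entry} with dates parsed. Rejects a feed whose
    'count' disagrees with its list or whose entries lack required fields."""
    feed = json.loads(text)
    vulns = feed.get("vulnerabilities")
    if not isinstance(vulns, list) or feed.get("count") != len(vulns):
        raise ValueError("feed count does not match vulnerabilities list")
    catalogue = {}
    for entry in vulns:
        missing = [k for k in REQUIRED if not entry.get(k)]
        if missing:
            raise ValueError(f"{entry.get('cveID', '?')} missing {missing}")
        rec = dict(entry)
        rec["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        rec["dueDate"] = date.fromisoformat(entry["dueDate"])
        if rec["dueDate"] < rec["dateAdded"]:
            raise ValueError(f"{entry['cveID']} due before it was added")
        catalogue[entry["cveID"]] = rec
    return catalogue


def feed_is_valid(text):
    """True if parse_kev accepts the feed (malformed JSON counts as invalid)."""
    try:
        parse_kev(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def triage(catalogue, inventory, today):
    """Match inventory CVEs against the catalogue; most overdue first.
    CVEs not in KEV are skipped: they may still matter, but carry no deadline."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            rec = catalogue.get(cve)
            if rec is None:
                continue
            days_overdue = (today - rec["dueDate"]).days
            findings.append({
                "host": host, "cveID": cve,
                "dueDate": rec["dueDate"].isoformat(),
                "daysOverdue": days_overdue,
                "status": "OVERDUE" if days_overdue > 0 else "OPEN",
                "requiredAction": rec["requiredAction"],
            })
    findings.sort(key=lambda f: -f["daysOverdue"])
    return findings


def overdue_hosts(findings):
    """Hosts with at least one KEV exposure past its due date."""
    return sorted({f["host"] for f in findings if f["status"] == "OVERDUE"})


def run(today_iso="2026-04-17"):
    """Parse the sample feed and triage the sample inventory as of today_iso."""
    return triage(parse_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run():
        print(f"{f['status']:8} {f['host']:14} {f['cveID']:14} due {f['dueDate']} "
              f"({f['daysOverdue']:+d} d)  {f['requiredAction']}")
```

Run as of 17 April 2026, the date this page was refreshed, the script reports `vpn-gw-01` as 15 days past the CVE-2026-3055 deadline and `ws-finance-07` as open with 18 days remaining on the assumed CVE-2009-0238 due date, while `db-02` does not appear at all because its only finding is not in the catalogue. The count check in `parse_kev` is cheap insurance against a truncated download: a feed cut off mid-list would otherwise silently drop the newest additions, which are exactly the ones with the shortest deadlines.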
The structural tension is acute: the KEV catalogue is growing, the adversary tempo documented in this update (Salt Typhoon confirmed ongoing, BRICKSTORM's 393-day dwell, CitrixBleed 3) is accelerating, and the proposal would take a further $707 million and 860 positions from an agency already thinned by the 2025-2026 reductions. For private-sector organisations, a thinner CISA means fewer co-ordinated incident responses, reduced JCDC (Joint Cyber Defense Collaborative) engagement and a narrower threat-intelligence-sharing infrastructure at the federal layer.