CISA

Organisation · US

US federal cyber lead; runs the KEV catalogue with mandatory federal patch deadlines.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

How can CISA enforce its own KEV catalogue with 860 fewer staff?

Timeline for CISA

#5 · 22 May

Added CVE-2026-9082 to KEV on 22 May with a five-day federal deadline of 27 May

Cybersecurity: Threats and Defences: Drupal SQL flaw hits PostgreSQL sites

#5 · 21 May

Added CVE-2025-34291 and CVE-2026-34926 to KEV on 21 May with a 4 June deadline

Cybersecurity: Threats and Defences: AI orchestration flaw joins CISA's KEV

#5 · 18 May

Added CVE-2026-48027 to KEV on 27 May and issued Alert AA26-148A on 28 May

Cybersecurity: Threats and Defences: GitHub's own code cloned via add-on

#4 · 15 May

Added CVE-2026-42897 to KEV on 15 May with a 29 May federal remediation deadline before a patch existed

Cybersecurity: Threats and Defences: Exchange repeats the CISA deadline-before-patch trap

#4 · 14 May
Common Questions

How much is CISA's budget being cut?
The Trump FY27 budget proposal published 7 April 2026 proposes cutting CISA by $707 million, eliminating 860 positions, and reducing the agency to approximately $2 billion in operating budget.
Source: Trump FY27 budget / Lowdown

What does CISA do and why does it matter?
CISA (Cybersecurity and Infrastructure Security Agency) is the US federal lead for critical infrastructure protection and civilian network security. It maintains the Known Exploited Vulnerabilities catalogue, co-ordinates ransomware incident response and provides threat intelligence to the private sector.

What is CISA's Known Exploited Vulnerabilities catalogue?
The KEV catalogue lists software vulnerabilities confirmed as actively exploited in the wild. Federal civilian agencies must patch within the stated deadline; private organisations treat it as an urgent advisory signal.
Source: CISA

How much is Trump cutting CISA's budget?
Trump's FY27 budget proposal published 7 April 2026 proposes cutting CISA by $707 million, eliminating 860 positions, and reducing the agency to approximately $2 billion in operating budget.
Source: Trump FY27 budget

What happens when a CISA patch deadline comes before the vendor fix?
In May 2026, CISA set a 9 May federal deadline for CVE-2026-0300 in Palo Alto PAN-OS even though Palo Alto's own patches were not due until 13 May — the first documented case of a KEV deadline preceding the vendor patch. Federal agencies must apply mitigations or remove the affected product from the network.
Source: CISA KEV / Palo Alto advisory

Does CISA only cover federal networks or private companies too?
CISA has mandatory jurisdiction over Federal Civilian Executive Branch (FCEB) agencies. For the private sector, its KEV catalogue, advisories and incident-response support are voluntary, but they carry strong compliance and reputational weight, particularly for critical infrastructure operators.
Source: CISA

What is CISA's role in election security?
CISA provides cybersecurity support, threat intelligence sharing, and incident response co-ordination to state and local election officials across all 50 states. It designates election infrastructure as critical infrastructure and co-ordinates with the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC).
Source: CISA

How much is Trump proposing to cut CISA's budget?
The FY27 budget proposal published 7 April 2026 would cut CISA by $707 million and eliminate 860 positions, reducing its operating budget to approximately $2 billion.
Source: Trump FY27 budget

Can CISA issue patch deadlines before a vendor fix is available?
Yes. Since May 2026, CISA has twice issued KEV deadlines before a vendor patch existed, on the basis that confirmed in-the-wild exploitation overrides vendor release timelines.
Source: cyber-threats-and-defences

What does CISA do for election security?
CISA provides election infrastructure security support to all fifty US states, including threat intelligence, vulnerability assessments, and incident response co-ordination.
Source: CISA

What is the Joint Cyber Defence Collaborative?
The JCDC is CISA's public-private partnership structure for sharing threat intelligence and co-ordinating incident response between federal agencies, critical infrastructure operators, and technology companies.
Source: CISA

Background

The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal lead for protecting critical infrastructure and federal civilian networks. Created by Congress in 2018, it runs the Known Exploited Vulnerabilities (KEV) catalogue, which issues mandatory patch deadlines for Federal Civilian Executive Branch agencies and voluntary urgency signals for private-sector organisations. The agency also leads the Joint Cyber Defence Collaborative, co-ordinates national counter-ransomware response, and provides election infrastructure security support to all fifty states. CISA operates within the Department of Homeland Security and works in formal partnership with the Five Eyes national CERTs, including the UK NCSC.

CISA's KEV catalogue has established a new enforcement posture in 2026: deadlines now precede vendor patches when exploitation is confirmed in the wild. In May 2026 alone the catalogue absorbed CVE-2026-0300 (PAN-OS captive-portal RCE, deadline four days before Palo Alto's own patch), CVE-2026-42897 (Exchange OWA XSS, deadline issued before a patch existed), and Emergency Directive ED 26-03 covering Cisco SD-WAN CVE-2026-20182 with a three-day federal remediation window. Later in the month CISA added CVE-2026-9082 (Drupal SQL injection) with a five-day federal deadline amid 15,000+ recorded attack attempts, and issued Alert AA26-148A covering the trojanised Nx Console extension that exfiltrated GitHub's internal repositories.
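A triage pass over the deadline-before-patch cases this page walks through, as an added example that is not CISA's code or any CISA tool: it reads entries in the shape of the public KEV JSON feed, computes each remediation window and the days remaining, and flags deadlines that land before the vendor patch. The sample entries are constructed from the page's own dates, and the vendor-patch table is an assumed local enrichment a defender would keep alongside the feed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (same field names); the CVE IDs
# and dates come from this page's timeline, not a live download. CVE-2026-0300's
# dateAdded is not on the page, so it is left empty and handled below.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-9082", "dateAdded": "2026-05-22", "dueDate": "2026-05-27"},
    {"cveID": "CVE-2025-34291", "dateAdded": "2026-05-21", "dueDate": "2026-06-04"},
    {"cveID": "CVE-2026-42897", "dateAdded": "2026-05-15", "dueDate": "2026-05-29"},
    {"cveID": "CVE-2026-0300", "dateAdded": "", "dueDate": "2026-05-09"},
]})

# Assumed local enrichment, NOT a KEV field: a date = vendor patch release date,
# None = no patch existed when the deadline was set, absent = not tracked.
VENDOR_PATCH_DATE = {
    "CVE-2026-0300": date(2026, 5, 13),  # Palo Alto patch date quoted on the page
    "CVE-2026-42897": None,              # deadline issued before any patch existed
}

def load_kev(text):
    """Parse the feed and convert ISO date strings to date objects."""
    rows = []
    for v in json.loads(text)["vulnerabilities"]:
        added = date.fromisoformat(v["dateAdded"]) if v.get("dateAdded") else None
        rows.append({"cveID": v["cveID"], "dateAdded": added,
                     "dueDate": date.fromisoformat(v["dueDate"])})
    return rows

def triage(entries, patch_dates, today):
    """One row per entry: window length, days left (negative = overdue), required action."""
    out = []
    for e in entries:
        cve, due = e["cveID"], e["dueDate"]
        if cve not in patch_dates:
            before_patch, status = None, "patch date untracked"
        elif patch_dates[cve] is None or patch_dates[cve] > due:
            # The page's rule for this case: mitigate or remove the product from the network.
            before_patch, status = True, "deadline before patch: mitigate or remove from network"
        else:
            before_patch, status = False, "apply vendor patch"
        out.append({"cveID": cve,
                    "window_days": (due - e["dateAdded"]).days if e["dateAdded"] else None,
                    "days_left": (due - today).days,
                    "deadline_before_patch": before_patch, "status": status})
    return sorted(out, key=lambda r: r["days_left"])  # most urgent first

def triage_page_sample(today_iso="2026-05-29"):
    """Run the triage over the page's own dates as of the given day (page refresh date)."""
    return triage(load_kev(SAMPLE_KEV_JSON), VENDOR_PATCH_DATE, date.fromisoformat(today_iso))
```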

This operational tempo runs against a proposed $707 million budget cut in Trump's FY27 proposal published 7 April 2026, which would eliminate 860 positions and reduce the agency to approximately $2 billion in operating budget. The counter-ransomware initiative, co-ordinating responses to incidents such as Colonial Pipeline, has already been cancelled under earlier 2025-2026 staffing reductions. For private-sector organisations, a thinner CISA means reduced Joint Cyber Defence Collaborative engagement, narrower threat-intelligence sharing, and fewer co-ordinated incident responses at the federal layer while the adversary tempo it is tasked to monitor accelerates.

Source Material