Cybersecurity: Threats and Defences
17APR

Trump proposes $707m CISA cut, 860 jobs

13:56 UTC

The FY27 budget would leave CISA on roughly $2bn with 860 fewer staff. The counter-ransomware initiative is already gone.

Key takeaway

CISA is being asked to enforce a rising tempo of federal deadlines with one-third fewer people.

The Trump administration's FY27 budget proposal, published on 7 April 2026, proposes cutting the Cybersecurity and Infrastructure Security Agency (CISA) by $707 million, eliminating 860 positions and bringing the agency's operating budget to roughly $2 billion. The counter-ransomware initiative, which coordinated the federal response to incidents including the 2021 Colonial Pipeline attack, had already been cancelled under earlier reductions. CISA lost roughly one-third of its staff through the 2025-2026 cuts before the FY27 number landed. The FBI's cybercrime obligations would fall a further $560 million, with around 1,900 FBI staff affected across cyber and adjacent portfolios.

The National Institute of Standards and Technology (NIST), the US federal standards body for measurement and technology, is also inside the cuts envelope. NIST maintains the vulnerability-scoring baselines, Common Vulnerabilities and Exposures (CVE) enrichment and Software Bill of Materials work the private sector relies on to run any modern patch-management programme. Stripping budget from NIST at the same time as CISA removes both the agency that publishes the Known Exploited Vulnerabilities (KEV) deadlines and the agency that scores the CVEs those deadlines attach to.

The budget proposal is not law; Congressional appropriations can modify or reject it through markup and committee amendments. But the direction of travel is already set by prior reductions that cleared the appropriations process. For US private-sector Chief Information Security Officers, the federal KEV deadlines issued in April (CitrixBleed 3, the F5 reclassification, the 17-year-old Office bug) are now scheduled to be enforced by an agency with one-third fewer staff. The UK and EU, moving the opposite way on cyber regulation, are widening the transatlantic policy gap at exactly the point where the threat cadence is tightest.

Deep Analysis

In plain English

CISA (the Cybersecurity and Infrastructure Security Agency) is the US government body that helps protect the country's critical infrastructure, businesses, and government systems from cyber attacks. It manages the Known Exploited Vulnerabilities list, which tells government and private organisations which security flaws need patching urgently. It also ran the programme that coordinated responses to major ransomware attacks. The Trump administration's FY27 budget, published in April 2026, proposes cutting CISA's budget by $707 million and eliminating 860 jobs. The counter-ransomware coordination programme has already been cancelled. The FBI's cybercrime budget would also be cut by $560 million, affecting around 1,900 staff. This is happening at the same time as the briefing is documenting multiple ongoing nation-state cyber campaigns against US infrastructure and a record level of ransomware attacks.

Root Causes

The FY27 budget proposal reflects the Trump administration's 'departments can handle their own cyber' position, which distributes cybersecurity responsibility to sector-specific agencies (Department of Energy, Department of Transportation, Department of Health and Human Services) rather than centralising it at CISA. This logic is coherent in theory but requires the sector agencies to have cyber capacity they currently lack.

NIST's inclusion in the cuts envelope is particularly consequential. NIST maintains the CVE enrichment and CVSS scoring standards that underpin the KEV catalogue's technical credibility. Reduced NIST capacity for vulnerability characterisation degrades the speed and quality of KEV additions, the exact mechanism that gives enterprises their patching priority signals.

What could happen next?

  • Risk (Immediate · 0.8): The counter-ransomware initiative's cancellation removes the federal coordination function that organised responses to Colonial Pipeline and similar CNI ransomware incidents; the next equivalent attack will encounter a thinner federal response structure.

  • Risk (Short term · 0.75): NIST cuts will slow CVE enrichment and CVSS scoring, degrading the quality and timeliness of KEV additions and the private-sector patch-prioritisation signals that depend on them.

  • Opportunity (Medium term · 0.6): UK and EU-based cybersecurity vendors and service providers will find an expanded market among US enterprises seeking to replace federal threat-intelligence and compliance infrastructure with commercial equivalents.
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

UK Parliament · 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.