Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Trump proposes $707m CISA cut, 860 jobs

3 min read
11:00UTC

The FY27 budget would leave CISA on roughly $2bn with 860 fewer staff. The counter-ransomware initiative is already gone.

TechnologyDeveloping
Key takeaway

CISA is being asked to enforce a rising tempo of federal deadlines with one-third fewer people.

The Trump administration's FY27 budget proposal, published on 7 April 2026, proposes cutting the Cybersecurity and Infrastructure Security Agency (CISA) by $707 million, eliminating 860 positions and bringing the agency's operating budget to roughly $2 billion 1. The counter-ransomware initiative, which coordinated federal response to incidents including the 2021 Colonial Pipeline attack, had already been cancelled under earlier reductions. CISA lost roughly one-third of its staff through 2025-2026 cuts before the FY27 number landed. The FBI's cybercrime obligations would fall a further $560 million, with around 1,900 FBI staff affected across cyber and adjacent portfolios.

The National Institute of Standards and Technology (NIST), the US federal standards body for measurement and technology, is also inside the cuts envelope. NIST maintains the vulnerability-scoring baselines, Common Vulnerabilities and Exposures (CVE) enrichment and Software Bill of Materials work the private sector relies on to run any modern patch-management programme. Stripping budget from NIST at the same time as CISA removes both the agency that publishes the Known Exploited Vulnerabilities (KEV) deadlines and the agency that scores the CVEs those deadlines attach to.

The budget proposal is not law; Congressional appropriations can modify or reject it through markup and committee amendments. But the direction of travel is already set by prior reductions that cleared the appropriations process. For US private-sector Chief Information Security Officers, the federal KEV deadlines issued in April, CitrixBleed 3, the F5 reclassification, the 17-year-old Office bug, are now scheduled to be enforced by an agency with one-third fewer staff. The UK and EU, moving the opposite way on cyber regulation, are widening the transatlantic policy gap at exactly the point the threat cadence is tightest.

Deep Analysis

In plain English

CISA (the Cybersecurity and Infrastructure Security Agency) is the US government body that helps protect the country's critical infrastructure, businesses, and government systems from cyber attacks. It manages the Known Exploited Vulnerabilities list, which tells government and private organisations which security flaws need patching urgently. It also ran the programme that coordinated responses to major ransomware attacks. The Trump administration's FY27 budget, published in April 2026, proposes cutting CISA's budget by $707 million and eliminating 860 jobs. The counter-ransomware coordination programme has already been cancelled. The FBI's cybercrime budget would also be cut by $560 million, affecting around 1,900 staff. This is happening at the same time as the briefing is documenting multiple ongoing nation-state cyber campaigns against US infrastructure and a record level of ransomware attacks.

Deep Analysis
Root Causes

The FY27 budget proposal reflects the Trump administration's 'departments can handle their own cyber' position, which distributes cybersecurity responsibility to sector-specific agencies (Department of Energy, Department of Transportation, Department of Health and Human Services) rather than centralising it at CISA. This logic is coherent in theory but requires the sector agencies to have cyber capacity they currently lack.

NIST's inclusion in the cuts envelope is particularly consequential. NIST maintains the CVE enrichment and CVSS scoring standards that underpin the KEV catalogue's technical credibility. Reduced NIST capacity for vulnerability characterisation degrades the speed and quality of KEV additions, the exact mechanism that gives enterprises their patching priority signals.

What could happen next?
  • Risk

    The counter-ransomware initiative's cancellation removes the federal coordination function that organised responses to Colonial Pipeline and similar CNI ransomware incidents; the next equivalent attack will encounter a thinner federal response structure.

    Immediate · 0.8
  • Risk

    NIST cuts will slow CVE enrichment and CVSS scoring, degrading the quality and timeliness of KEV additions and the private-sector patch-prioritisation signals that depend on them.

    Short term · 0.75
  • Opportunity

    UK and EU-based cybersecurity vendors and service providers will find an expanded market among US enterprises seeking to replace federal threat-intelligence and compliance infrastructure with commercial equivalents.

    Medium term · 0.6
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

UK Parliament· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.