This year, staffing at the Cybersecurity and Infrastructure Security Agency (CISA) has already been cut by nearly one third. With further proposed reductions in CISA’s 2026 budget, it’s essential for organizations to prepare for diminished access to free federal cybersecurity services, including fewer vulnerability scans, slower advisories, and limited on-site support.
The final approved cut was $135M (about 4.6%) instead of the proposed $495M, but even this smaller reduction comes on top of attrition and position eliminations, and will still have substantial effects on the agency. Programs supporting election security, K-12 coordination, and state/local cyber response are likely to be affected, even if not explicitly targeted by name in the bill. Despite the smaller budget reduction, core CISA services remain uncertain.
Why does this matter? Since its founding in 2018, CISA has played an essential role in providing free, coordinated cybersecurity services to critical infrastructure sectors. The agency’s narrower reach will hit smaller operators and regional governments especially hard. Meanwhile, cybercriminals and nation-state actors are likely to identify and exploit any resulting weaknesses in U.S. critical infrastructure.
It’s time to build self-reliance
With the future funding and mission of CISA uncertain, organizations must act now. It’s time to harden cyber defenses, reduce reliance on federal responders, and ensure that your controls align with globally respected frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST Special Publication (SP) 800-53, and International Organization for Standardization (ISO) 27001. The checklist below lays out how to stay prepared and able to prove alignment to auditors and cyber insurance providers.
7 steps to improve cybersecurity resilience
1. Tighten up the basics
- Patch critical systems within days, prioritizing critical vulnerabilities and those with the greatest potential operational impact.
- Maintain an offline backup and test it quarterly to ensure operational resilience.
- Implement and require multi-factor authentication (MFA) on every external login.
- Build a comprehensive asset inventory to ensure nothing slips the patch cycle.
(NIST CSF PR.IP‑12 | ISO 27001 A.12.6)
2. Watch your logs
- Centralize logs from firewalls, servers, cloud, and SaaS apps.
- Store at least 90 days of log data, but aim to retain 12 months of data if you can.
- Create alerts for odd spikes, failed logins, and large outbound transfers.
- Hunt weekly for any unusual activity.
(NIST SP 800‑53 AU‑6 | ISO 27001 A.12.4)
3. Share with your sector
- Join your Information Sharing and Analysis Center (ISAC), for example Energy, Automotive, Aviation, Communications, Electricity, Emergency Management and Response, Financial Services, Space, Water, and many others.
- Automate indicator feeds into your Security Information and Event Management (SIEM) so your blocklists will update in minutes, not days.
- Hold quarterly intel calls with peer companies to compare notes on what they’re seeing and what to look out for.
(NIST CSF ID.RA‑2 | ISO 27001 A.6.1.4)
4. Drill your incident plan
- Run a tabletop exercise every six months and time how long it takes to detect, decide, and contain.
- Verify your contact lists, backup procedures, and legal notifications regularly.
- Update playbooks and close any gaps after every exercise.
(NIST SP 800‑53 IR‑3 | ISO 27001 A.17.1)
5. Scrutinize your supply chain
- Send concise security questionnaires and require timely completion.
- Demand annual penetration testing (and carefully review the results) or System and Organization Controls 2 (SOC 2) reports and track remediation of findings.
- Require a Software Bill of Materials (SBOM) for all critical software.
- Enforce the principle of least‑privilege on all vendor access and monitor accounts for anomalies.
(NIST SP 800‑161 | ISO 27036)
6. Train your people
- Run monthly phishing simulations, track click rates, and follow up with short, role‑based lessons.
- Implement a simple one‑click “suspicious email” button to make reporting easier.
- Celebrate staff who spot threats, both real and simulated.
(NIST CSF PR.AT‑1 | ISO 27001 A.7.2)
7. Set aside budget for key tools
- Invest in commercial vulnerability scanning.
- Subscribe to paid threat‑intel feeds to ensure you’re always up to date.
- Implement cloud‑managed endpoint security that can isolate infected endpoints in seconds.
- Calculate the cost of your tools and compare that to the expenses incurred by breach recovery efforts.
- Review your budgets and tools annually in response to changing threats and business priorities.
(NIST CSF DE.DP‑4 | ISO 27001 A.18.2)
Make your future more secure
The reduction in CISA’s budget and workforce comes at a time when cyber threats are increasing in volume and sophistication. Private sector teams and state and local agencies must now take the lead in defending their assets. Following the seven steps outlined above will support your compliance efforts, ensure audit-readiness, and improve insurability. It’s also the best way to fill the void left by uncertain federal cyber support and to protect your part of America’s critical assets and infrastructure.
