The Cybersecurity and Infrastructure Security Agency would take less of a budget hit under an annual funding measure currently advancing in the House.
The House Appropriations Committee’s homeland security subcommittee approved a fiscal 2026 spending bill on Monday that includes $2.7 billion for CISA, $134 million below the current year’s budget.
However, that represents a far smaller cut to CISA than the $495 million cut proposed by the Trump administration.
The House subcommittee’s fiscal 2026 homeland security spending bill includes $808.6 million for CISA for the “operation and improvement of cybersecurity defense technology and services for federal, state, local, tribal, and territorial agency networks and critical infrastructure partners,” according to a summary of the bill.
According to the language, the funding also includes $758.2 million for “cyber operations, including vulnerability management, capacity building, and threat hunting,” and enacts some “strategic reductions to redundant, unauthorized, or duplicative programs” at CISA.
The 2026 White House budget request’s much larger CISA cut, meanwhile, would reduce the agency’s workforce by more than 1,000 positions. Sources say the agency has already lost that many people through voluntary resignations and layoffs of probationary workers.
The administration’s budget request would include particularly deep cuts to CISA’s risk management operations division and its stakeholder engagement and requirements division.
House Appropriations homeland security subcommittee chairman Mark Amodei (R-Nev.) previously criticized the Homeland Security Department for its scant details on the proposed CISA cuts.
“When somebody goes, ‘Hey, you guys presided over cutting a half a billion dollars in CISA to do other stuff. What was that based on?’ Clearly, we don’t want to be in the position, and won’t be in the position of, ‘well, I don’t know. That’s what they said they needed,’” Amodei said during a May 6 hearing with Homeland Security Secretary Kristi Noem. “We need some building blocks.”
The Trump administration also plans to reprogram $144 million out of CISA’s 2025 budget. The money would instead be used for Immigration and Customs Enforcement operations. Sen. Chris Murphy (D-Conn.) objected to the transfer in a May 30 letter to Noem, stating DHS “has failed to provide my staff sufficient details on the impacts” of moving the money out of CISA’s budget.
CISA cyber program reviews
Lawmakers increasingly are scrutinizing the specific impact of the ongoing cuts at CISA.
In a June 6 letter to Comptroller General Gene Dodaro, House Homeland Security Committee Ranking Member Bennie Thompson (D-Miss.) and Science Space and Technology Committee Ranking Member Zoe Lofgren (D-Ca.) called for a review of CISA’s Common Vulnerabilities and Exposures (CVE) program, as well as the National Institute of Standards and Technology’s National Vulnerability Database (NVD).
The NVD, the lawmakers pointed out, is suffering from a yearslong backlog. Meanwhile, CISA nearly allowed its CVE contract to lapse this spring, calling into question the future of the program.
“Given the programs’ important role in ensuring our nation’s cybersecurity, we request that the Government Accountability Office conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems,” the lawmakers wrote.
Meanwhile, House Homeland Security cybersecurity subcommittee chairman Andrew Garbarino (D-N.Y.) is pressing DHS for details on CISA’s plans for overseeing security in the communications sector. In a letter to Noem last week, Garbarino pointed to the threat posed by the China-linked Salt Typhoon group, which has infiltrated multiple U.S. telecommunications networks.
Garbarino specifically called out DHS’s reported plan to terminate CISA’s Mobile App Vetting program this month. The MAV program provides agencies with a free service to evaluate potential vulnerabilities and cyber risks in applications used on government mobile devices.
“The termination of mobile device security programs would not only create a void in the ability to assess vulnerabilities on mobile devices, but also send the wrong signal to [Federal Civilian Executive Branch] agencies, which are currently on heightened alert about the cybersecurity posture of their mobile devices due to Salt Typhoon,” Garbarino wrote.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
