Homeland Security Bill Slashes CISA Funding by $300 Million, Leaves State Cyber Grants in Limbo
New legislation reduces CISA's budget by $300M and trims staff, while extending the State and Local Cybersecurity Grant Program without new money.

TL;DR
The latest Homeland Security appropriations bill reduces CISA’s budget by $300 million and trims its staff, while the State and Local Cybersecurity Grant Program is reauthorized through 2033 but receives no fresh funding.
Context
The bill, stalled for months over immigration policy disputes, finally passed with funding for most DHS components. CISA, the agency that coordinates federal cyber defenses, now receives $2.6 billion for FY2025, $300 million less than the previous year’s request. Since early 2025, CISA’s workforce has shrunk by roughly one‑third, about 1,000 positions, as the administration continues to downsize the office.
Key Facts
- Budget cut: $2.6 billion allocated to CISA, a $300 million reduction from FY2025.
- Staffing decline: Approximately 1,000 employees have been eliminated since the start of 2025, representing a one‑third cut.
- Grant program status: The State and Local Cybersecurity Grant Program (SLCGP), created in 2021 with a $1 billion, four‑year allocation, is reauthorized through 2033 under the PILLAR Act but receives no new appropriations. State CIOs and the National Association of State Chief Information Officers have urged Congress to fund the program, requesting $300 million for FY2027.
What It Means
For federal defenders, the reduced budget and staff levels constrain CISA’s ability to issue timely vulnerability advisories, run large‑scale incident response exercises, and support critical infrastructure owners. Smaller teams may delay the rollout of mitigation guidance for high‑impact CVEs such as those affecting Microsoft Exchange (CVE‑2023‑23397) or Log4j (CVE‑2021‑44228).
State and local agencies face a different dilemma. The SLCGP has historically funneled federal money to municipalities for network segmentation, endpoint detection, and security awareness training. Without new appropriations, those funds will run out, forcing local IT leaders to rely on existing budgets or seek private‑sector partnerships. The uncertainty could stall planned upgrades to multi‑factor authentication and intrusion‑detection systems, widening the gap between federal and local cyber readiness.
Mitigations – What Defenders Should Do
1. Prioritize patching: Apply critical patches for known CVEs within 48 hours of release; use automated patch management tools to compensate for reduced advisory bandwidth.
2. Leverage threat‑intel feeds: Subscribe to free feeds from CISA, MITRE ATT&CK, and industry ISACs to stay informed about emerging tactics, techniques, and procedures.
3. Implement baseline controls: Enforce multi‑factor authentication, least‑privilege access, and network segmentation to reduce attack surface.
4. Seek alternative funding: Explore state‑level grant opportunities, public‑private partnerships, and federal cybersecurity assistance programs that do not rely on the SLCGP.
5. Conduct regular tabletop exercises: Simulate ransomware and supply‑chain attacks to test incident response plans, compensating for fewer federal-led drills.
Looking Ahead
Watch for congressional action on the bipartisan Senate measure that could allocate $300 million to the grant program for FY2027, and monitor CISA’s staffing announcements for any further reductions that may affect national cyber‑defense coordination.
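The first two mitigations above (a 48-hour patch window, driven by a public advisory feed rather than waiting on bespoke guidance) can be turned into a simple compliance check. The following is an added example, not code from the article or from CISA: it takes a constructed feed in the shape of CISA's Known Exploited Vulnerabilities JSON (the field names `cveID`, `dateAdded`, `vendorProject`, `product` are assumed from that public feed), compares each entry's `dateAdded` against what a local patch-management tool reports as fixed, and lists entries that missed the 48-hour SLA. The two CVE ids are the ones the article cites; all dates, the `CVE-0000-0000` placeholder entry and the fixed-timestamp inventory are made up for the demonstration.

```python
"""Flag KEV-style catalog entries whose 48-hour patch window was missed."""
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)  # the window recommended in the mitigations list

# Constructed sample in the shape of CISA's KEV feed (field names assumed from
# the public JSON). Dates are invented; CVE-0000-0000 is a placeholder entry.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2025-06-01"},
        {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft", "product": "Outlook",
         "dateAdded": "2025-06-03"},
        {"cveID": "CVE-0000-0000", "vendorProject": "PlaceholderVendor",
         "product": "PlaceholderProduct", "dateAdded": "2025-06-05"},
    ]
}

# Constructed inventory: CVE id -> ISO timestamp at which the local patch
# management tool recorded the fix as fully deployed (None / absent = not fixed).
SAMPLE_PATCHED = {
    "CVE-2021-44228": "2025-06-04T06:00:00+00:00",  # deployed, but late
    "CVE-0000-0000": "2025-06-05T12:00:00+00:00",   # deployed inside the window
}

# Fixed "current time" so the example is deterministic offline.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)


def _catalog_date(day: str) -> datetime:
    """KEV dateAdded is a bare YYYY-MM-DD; treat it as midnight UTC."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def overdue_entries(feed: dict, patched: dict, now: datetime) -> list:
    """Return (cveID, hours_past_sla, status) for every entry that missed the SLA.

    status is "unpatched" when no fix is recorded and the deadline has passed,
    or "patched late" when a fix is recorded after the deadline. Entries fixed
    within the window, or still inside it, are omitted. Sorted worst-first.
    """
    results = []
    for entry in feed["vulnerabilities"]:
        deadline = _catalog_date(entry["dateAdded"]) + PATCH_SLA
        fixed_at = patched.get(entry["cveID"])
        if fixed_at is not None:
            fixed = datetime.fromisoformat(fixed_at)
            if fixed <= deadline:
                continue  # compliant
            hours = (fixed - deadline).total_seconds() / 3600
            results.append((entry["cveID"], hours, "patched late"))
        elif now > deadline:
            hours = (now - deadline).total_seconds() / 3600
            results.append((entry["cveID"], hours, "unpatched"))
    # Worst offenders first: unpatched items before late ones, then by hours.
    results.sort(key=lambda r: (r[2] != "unpatched", -r[1]))
    return results


def report(feed: dict, patched: dict, now: datetime) -> str:
    """Human-readable summary, one line per SLA miss."""
    lines = [f"Patch-SLA report as of {now.isoformat()} (window {PATCH_SLA})"]
    for cve, hours, status in overdue_entries(feed, patched, now):
        lines.append(f"  {cve}: {status}, {hours:.0f}h past deadline")
    if len(lines) == 1:
        lines.append("  all catalog entries within SLA")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FEED, SAMPLE_PATCHED, NOW))
```

Run it against the live catalog by loading the KEV JSON into `feed` and exporting the patch tool's deployment timestamps into `patched`; the ordering puts still-open items at the top so a small team can triage without reading the full advisory stream.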