Donald Trump’s sprawling tax bill, which he signed on July 4, contained a few noteworthy cyber funding items, including $250 million for US Cyber Command to spend on “artificial intelligence lines of effort.”
But the administration’s next and more significant funding effort is to shepherd the White House’s proposed FY2026 discretionary budget request through the House and Senate, an appropriations task that has to be completed before the end of the federal government’s FY2025 funding year on Sept. 30.
This year, in an unprecedented development for any White House, Trump’s budget request calls for a reduction in cybersecurity spending across civilian agencies, amounting to a $1.23 billion cut or a 10% drop in cyber expenditures for 2026 when compared to 2024 levels.
Moreover, in a little-noted development, the administration’s numbers show the White House has already cut $300 million in government cybersecurity spending for the current fiscal year, FY2025. The White House wants to cut cyber expenditures even further by an additional 7% next year.
“It’s extremely unprecedented,” Michael Daniel, CEO of the Cyber Threat Alliance, tells CSO. “We haven’t seen an example of where a major corporation has done that either, and it’s hard to argue that we needed to be spending less on cybersecurity anywhere.”
Cybersecurity spending cuts make even less sense given that the proposed budget cuts are coming at a time of increased cybersecurity threats from criminal and nation-state adversaries, which the Trump administration itself has repeatedly noted.
“This budget reflects a lack of seriousness about cybersecurity,” Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, tells CSO. “The administration’s rhetoric is strong, but their resources are weak. There has been no alteration in the threat that would justify this reduction in resources.”
Reversing the trend of annual cyber spending increases
From 2017 through 2024, US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.
Cynthia Brumfield / CSO
(The chart is based on White House data provided for 2017, 2018, 2019, 2020, 2021, 2022, and 2023. Numbers for 2024, 2025, and 2026 reflect adjustments that Trump’s OMB made for 2024 and 2025.)
The administration’s cybersecurity budget cuts are not evenly distributed among federal agencies. In fact, according to crosscut tables released by the Trump administration, some civilian agencies are getting funding boosts for cybersecurity, as shown in the table below.
Cynthia Brumfield / CSO
Other government agencies are experiencing significant cybersecurity budget cuts, with a few slated to have their entire cyber budgets wiped out, as the table below indicates.
Cynthia Brumfield / CSO
Without further explanation or elaboration of what is driving the cyber budget numbers, it is difficult to tell whether the increases or decreases reflect legitimate funding needs or efficiencies.
CISO and former government cybersecurity official Amélie Koran thinks the administration’s budget is heavily influenced by the Heritage Foundation’s Project 2025, a supposed blueprint that Trump has sporadically followed thus far in his administration. Project 2025 takes a dim view of science in general, and argues that some of the commercial technology innovations proposed by the NSF were “ill-advised.”
“If you look at things like National Science Foundation just being zeroed out, the idea of throwing no money at that is just kind of sending a signal,” Koran tells CSO. “We don’t want you as an agency overall.”
However, it is possible that the administration did not apply real thought or analysis when deriving the cyber budget. “If you look at the way that this administration has gone about making reductions, I would not use the words strategic or thought out,” Cyber Threat Alliance’s Daniel says.
“It aligns with the philosophical approach of ‘we just want to reduce stuff that the federal government is doing,’” he adds. “To ascribe a larger strategic sort of plan behind it would be wrong if only because there haven’t been a lot of cybersecurity people in place for long enough to drive the budget.”
Munish Walther-Puri, former director of cyber risk at New York City’s Cyber Command and now faculty member of NYU’s Center for Global Affairs, thinks that from a broader perspective the budget does reflect the priority the administration places on cybersecurity risk management.
“If you want to know how an organization thinks about its own risk, look at where it allocates resources,” Walther-Puri tells CSO. “If we shift the conversation there, it becomes less about they’re spending less money on cybersecurity and more about how they think about cybersecurity as part of the risk management of the federal government.”
The potential impact of reduced cyber spending
Without an articulated cyber strategy, another uncertainty about the budget is what it might do to the security posture of the federal government.
“There’s no question in my mind that we’re increasing our cyber risk in a way that’s hard to quantify,” Daniel says. “If I were a nation-state adversary, I would be joyous at what’s going on inside the US government. Decreased funding is only going to fuel that.”
Walther-Puri points out that the less the government spends on cybersecurity, the greater the shift there will be in threat actors’ calculus to attack the US. “This might change the prioritization for some adversaries to where they’re more likely to target organizations with known budget or staffing constraints.”
For those agencies experiencing even modest budget cuts, the ripple effects on other stakeholders can be substantial. Montgomery, for example, worries about the zeroing out of the cyber budget for the National Science Foundation, which has provided cyber resources not only for the government but also the private sector. “I’m worried about the Scholarship for Service program at NSF,” he says. “That’s how we hire good people into cyber.”
He’s also concerned about the future of the National Institute of Standards and Technology (NIST), an arm of the Commerce Department. Commerce faces a 14% budget cut for 2026, and the Trump administration has elsewhere proposed slashing NIST’s budget by $325 million for 2026 because it has pursued a “radical climate agenda.”
“NIST was under-resourced even during the Biden administration,” Montgomery says. “I have to be concerned about the NIST Cybersecurity Division, although we don’t have the facts yet.”
Finally, the federal cyber budget cuts could create problems for state and local governments and other entities that rely on federal cyber grants. “One of the things about the crosscut is that it incorporates spending on the cybersecurity of federal networks themselves, plus programs that do outreach and grants and support state and local governments,” Daniel says.
“This is going to have a downstream effect for those who receive federal grants,” Koran says. “It’s the cybersecurity budgets that are there for local and state programs that are going to see a big hit.”
Congress and cyber leadership could turn things around
As the various committees of Congress begin to pass their own appropriations budget, they might reverse some of Trump’s proposed cuts. For example, the House Homeland Security Committee advanced its appropriations bill on June 3, appropriating $2.74 billion for the Cybersecurity and Infrastructure Security Agency (CISA), which reflects a budget cut of $146 million or 5% reduction from CISA’s 2025 budget, far lower than the $500 million CISA budget cut Trump had advocated.
Daniel, however, worries that the piecemeal approach represented by the committee process might allow many agencies’ budget cuts to sail through. “I’m not surprised that the House Homeland Security Committee added back some of CISA’s funds because cybersecurity remains a relatively bipartisan issue,” he says. “Now, will the Commerce, Justice, and Science Committee add back the NSF funding? What you’re going to see is once you have politics and proclivities on top of cyber, it’s going to get even more fractured in terms of not being a strategic approach to managing the funding for cybersecurity.”
What might help is allowing the Office of the National Cyber Director, which now has a confirmed director in Sean Cairncross, and the head of CISA, which still lacks confirmation for its nominated director leader, Sean Plankey, to weigh in on these budgetary matters.
“How this can get rectified in the long term is through skilled bureaucratic leaders who advocate effectively in the budgeting process. Sean Cairncross and Sean Plankey are exactly those kinds of leaders,” Montgomery says.
Daniel agrees, although he thinks both officials will still face constraints. “If spending is coming down across the board and the administration wants to target things like that, it’s often hard to protect cybersecurity spending from that,” he says.
Whatever happens, Montgomery thinks the cybersecurity community shouldn’t let these funding cuts slide. “When you don’t spend enough on cybersecurity, people need to call you on it,” he says. “Resources are policy, and a failure to implement resources, with a failure to align resources, will lead to a failure to implement policy.”
No Responses