
Congress Should Fund the Cybersecurity and Infrastructure Security Agency
Despite the importance of protecting critical infrastructure from a growing array of digital threats, some members of Congress want to cut funding for the federal agency responsible for cybersecurity in its upcoming budget. The opposition comes primarily from lawmakers concerned that the Cybersecurity and Infrastructure Security Agency’s (CISA) efforts to address mis- and disinformation during and after the 2020 election amounted to government overreach and infringed on free speech.
However, the Trump administration has already shut down these parts of CISA, and constraining the agency now would only weaken a key pillar of U.S. cybersecurity. As it seeks to cut government spending, Congress should continue to make targeted investments in CISA’s critical functions to bolster America’s national cybersecurity.
First, Congress should close the budget shortfall that prevents CISA from effectively analyzing cyber incident reports related to critical infrastructure and providing actionable insights. New rules created under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) require critical infrastructure entities to report cyber incidents within specific timeframes, which will require CISA to process an estimated 25,000 incident reports annually. CISA needs increased funding to manage these rising report volumes and deliver timely and meaningful insights to critical infrastructure sectors. Specifically, this funding is necessary to expand staff capacity, create a new eCrime team to combat ransomware, and develop a user-friendly incident report web app.
Second, Congress should fund CISA’s State and Local Cybersecurity Grant Program (SLCGP), which provides funding to reduce systemic cyber risks and strengthen the resilience of critical infrastructure, an essential step toward proactive cyber defense. Some critics believe this program is “wasteful” because of the administrative overhead it imposes on recipients, but 49 out of 50 states have applied for these funds. CISA requires sub-recipients, such as local governments, school districts, and water utilities, to use certain no-cost cybersecurity services, such as web application scanning, which checks the security of publicly accessible web applications, and vulnerability scanning, which identifies potential weaknesses in external networks and provides weekly alerts.
State and local governments must also participate in the Nationwide Cybersecurity Review, an annual self-assessment tool used to evaluate their cybersecurity capacity. These services not only strengthen state and local cybersecurity but also provide policymakers with valuable insight into the ongoing challenges across the nation. With cyber adversaries like those responsible for China’s Salt Typhoon attack growing more aggressive—there was a 150 percent rise in Chinese government-linked intrusions across critical infrastructure in 2024 compared to 2023—funding CISA’s SLCGP is essential to mitigate risks from future attacks on essential service sectors. Many state and local governments, especially in under-resourced areas, would otherwise lack the technical capabilities and services needed to defend against sophisticated threat actors.
Finally, Congress should fund the Common Vulnerabilities and Exposures (CVE) Program, which is sponsored by CISA and currently faces an uncertain future. The CVE Program provides a universal naming system for publicly known cybersecurity vulnerabilities, enabling defenders across governments and industries to communicate and coordinate responses effectively. Without it, coordination would break down, threat response efforts would slow, and attackers could exploit the confusion. As former CISA Director Jen Easterly put it, “Think of the CVE system like the Dewey Decimal System for cybersecurity... Without it, no one knows if they’re talking about the same problem.”
Within this program, CISA plays a critical operational role, not just as a funder, but as a CVE Numbering Authority (CNA), authorized to assign unique identifiers (CVE IDs) to newly discovered vulnerabilities. These standardized identifiers allow security professionals to quickly share and act on threat information. CISA also maintains the Known Exploited Vulnerabilities (KEV) catalog, which flags vulnerabilities actively being used in attacks and advises on urgent mitigation steps, particularly for government and critical infrastructure systems.
On April 16, 2025, MITRE, the nonprofit that maintains the CVE database, warned it would take the site offline due to a lapse in its CISA contract. Although the Department of Homeland Security granted a temporary 11-month extension, a lasting solution is urgently needed to preserve this foundational cybersecurity resource. To ensure the continuity of these vulnerability monitoring programs, Congress should commit to long-term funding through CISA.
The growing sophistication of cyberattacks by adversarial states exposes vulnerabilities within U.S. cybersecurity systems, posing serious threats to national security. Maintaining CISA’s funding is essential for safeguarding the United States’ digital future. As Congress shapes the federal budget, lawmakers should shift focus from debate over defunding CISA to a conversation about strategic investment across CISA’s core cybersecurity and critical infrastructure functions.