The Cybersecurity and Infrastructure Security Agency has seen a steady and marked increase in authorities, funding and personnel over the last four years.

But the outlook for CISA in 2025 is murky with a new administration and a potentially less supportive Congress.

CISA’s annual budget has increased from just over $2 billion in fiscal 2021 to $2.8 billion in fiscal 2024.

Likewise, CISA’s staff has nearly doubled over the last four years. Meanwhile, it has gained new authorities to hunt for threats on federal networks, issue binding cybersecurity directives, and require cyber incident reports from critical infrastructure owners and operators.

The agency has also been at the center of the Biden administration’s push to increase the cybersecurity responsibilities for private sector companies.

However, the incoming administration has its own ideas about how to approach national cyber issues, including at agencies like the Department of Homeland Security and CISA. President-elect Donald Trump has nominated South Dakota Gov. Kristi Noem to serve as secretary of the Department of Homeland Security. He has yet to announce his pick for CISA director.

Trump’s official platform, “Agenda 47,” highlights the need to protect critical infrastructure from cyber threats, one of the core missions for CISA. “This will be a national priority, and we will both raise the security standards for our critical systems and networks and defend them against bad actors,” the document states.

Agenda 47 provides little further detail on Trump’s plans for CISA.

However, Project 2025, a Heritage Foundation-backed policy proposal, calls for dismantling DHS and moving CISA to the Transportation Department. It also calls for reining in CISA, arguing that the agency has “rapidly expanded its scope into lanes where it does not belong, the most recent and most glaring example being censorship of so-called misinformation and disinformation.”

The document calls to end CISA’s programs to counter dis- and misinformation; move its emergency communications and chemical security programs to FEMA; transfer school security functions to other homeland security offices; and “refrain from duplicating” the cybersecurity functions of other agencies like the Defense Department and the FBI.

Trump disavowed Project 2025 on the campaign trail. But some of his key appointees, including for a top White House management post, were architects of Project 2025.

Congressional outlook on CISA

CISA also has a mixed outlook in Congress, where the agency has enjoyed bipartisan support.

House Homeland Security Committee Chairman Mark Green (R-Tenn.) has largely backed CISA and its current director, Jen Easterly, who is expected to step down on Jan. 20. Green has introduced bills that would, for instance, set up a new cyber scholarship-for-service program at CISA.

But in the Senate, incoming Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has been one of the most vocal critics of CISA. Like the authors of Project 2025, Paul argues that CISA’s work with social media companies on mis- and disinformation amounts to “censorship” and violates the First Amendment.

Paul told Politico that he’d “like to eliminate” the agency if he could. “Everything is on the table,” he recently told the publication regarding reorganizing CISA.

While Paul acknowledges he likely can’t eliminate the agency, the lack of support from the HSGAC chairman means it will be difficult to move legislation that adds to CISA’s authorities and capabilities.

“That, coupled with an incoming administration that probably wants to see less, not more, of regulatory structures, government guidance to private sector and things of that nature, it really will put CISA in a tough spot in the early months,” Chris Cummiskey, a former DHS official, said in an interview.

CISA’s recent efforts

While some elements of CISA’s work has garnered controversy, policymakers have largely supported the agency’s efforts to better secure federal networks and to work with the private sector to combat cyber threats.

CISA’s signature efforts under the Biden administration include the establishment of the Joint Cyber Defense Collective, known as JCDC, and its campaign to ensure technology companies adopt “secure by design” and “secure by default” practices.

The agency also recently released a draft update to the National Cyber Incident Response Plan. And it has been working to identify “systemically important entities,” or organizations whose disruption, whether by cyber or other means, would have major consequences for national and economic security.

While the Trump administration is expected to focus on offensive cyber operations — as it did during Trump’s first term — CISA’s defensive efforts are also likely to continue as well.

“Part of going on the offensive is making sure you’re fully invested in your defense,” Mark Montgomery, executive director of the Cyber Solarium Commission 2.0, said in an interview.

The new administration is also going to be tasked with finalizing landmark cyber reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. CISA released the draft CIRCIA regulations last March. The rules will require some critical infrastructure owners and operators to report cyber incidents to the government within 72 hours.

Meanwhile, Congress has yet to pass new appropriations for fiscal 2025. But the House-passed 2025 Homeland Security Appropriations bill would allocate $2.93 billion for CISA, about $100 million more than the agency’s current budget.

While the Trump administration may change some aspects of CISA’s approach, recent cyber incidents have highlighted the critical role the agency will likely play well into the future. Even Project 2025, for instance, acknowledges CISA’s key roles in defending civilian agency networks and coordinating critical infrastructure security and resilience.

“There’s certainly some things that they could do better, but I think they’ve had strong leadership, and I hope that would continue in the new administration,” Cummiskey said.

Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.