Federal Infrastructure Cybersecurity Leaders Grapple with Sweeping Regulatory Overhaul

As cyber threats intensify, U.S. federal cybersecurity agencies face major cutbacks, leaving organizations to navigate heightened compliance demands with fewer federal resources.

The Trump administration has embarked on a comprehensive reshaping of the federal cybersecurity landscape, dismantling key oversight bodies while simultaneously pushing forward with stringent compliance requirements that are creating a complex web of obligations for American businesses. The simultaneous elimination of government support structures and acceleration of regulatory mandates represents a fundamental shift in how the United States approaches cybersecurity governance.

This regulatory transformation comes at a time when cyber threats continue to intensify, with ransomware attacks affecting 45% of organizations globally and nation-state actors increasingly targeting critical infrastructure. The disconnect between escalating threats and reduced federal oversight is forcing organizations to rethink their entire approach to cybersecurity strategy and compliance.

Cyber Safety Review Board Eliminated in Administration Overhaul

In January, the Trump administration dissolved the Cyber Safety Review Board, ending one of the few government bodies that provided aggressive oversight of corporate cybersecurity practices. Acting DHS Secretary Benjamin Huffman terminated all memberships on advisory committees within the Department of Homeland Security, citing a commitment to "eliminating the misuse of resources."

The board's elimination removes a critical accountability mechanism that had gained respect from security professionals for its harsh assessments of major corporations. For instance, the CSRB's scathing critique of Microsoft's "inadequate security culture" following the Exchange Online breach had triggered significant changes at the world's largest software maker. These types of corporate accountability reviews will no longer occur under the current administrative structure.

The timing of the dissolution proved particularly problematic, as the board was actively investigating the Chinese government-linked Salt Typhoon attacks against multiple U.S. telecommunications companies. This investigation has since been transferred to the FBI, which is now offering a $10 million bounty for information leading to the arrest of the hackers.

CISA Faces Unprecedented Leadership Exodus

The Cybersecurity and Infrastructure Security Agency is experiencing what sources describe as a "historic shake-up," with virtually all top officials departing or scheduled to leave by the end of May 2025. Five of CISA's six operational divisions and six of its 10 regional offices have lost their top leaders, creating what agency insiders characterize as a "leadership vacuum."

The departures include Steve Harris, acting head of the Infrastructure Security Division, Trent Frazier, acting head of the Stakeholder Engagement Division, and Matt Hartman, the No. 2 official in the Cybersecurity Division. Regional directors across the country have also left, including leaders from Regions 2, 4, 5, 6, 7, and 10.

CISA is simultaneously pursuing workforce reductions that could eliminate up to 1,300 positions, representing nearly 40% of its staff. The agency is offering voluntary resignation programs, early retirement authority, and separation incentive payments to reach these reduction targets. Industry leaders have expressed serious concerns about the potential impact on the nation's ability to mitigate cyber threats from nation-state and financially motivated actors.

"CISA is doubling down and fulfilling its statutory mission to secure the nation's critical infrastructure and strengthen our collective cyber defense," Executive Director Bridget Bean said in response to the workforce changes. However, former officials argue that reducing federal cybersecurity capabilities at a time when threats are increasing poses significant risks.

Salt Typhoon Investigation Reveals Infrastructure Vulnerabilities

These changes come as the nation’s critical infrastructure faces unprecedented stress from digital attacks. For instance, the FBI's investigation into the Chinese government-backed Salt Typhoon cyberattacks has exposed serious vulnerabilities in U.S. telecommunications infrastructure. The campaign compromised at least nine U.S. telecommunications companies and "resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests."

The compromise of telecommunications companies' lawful intercept systems represents one of the most serious breaches of U.S. infrastructure in recent years. The attacks targeted the very systems that law enforcement uses to conduct court-authorized surveillance, giving Chinese intelligence unprecedented access to American communications data.

The FBI's request for public assistance in identifying the hackers, along with the substantial $10 million bounty, suggests the investigation has encountered significant challenges. The bureau's reliance on voluntary cyber-incident reporting reflects the broader difficulties in coordinating cybersecurity responses across the private sector.

Defense Contractors Face Accelerated CMMC Compliance Timeline

The Cybersecurity Maturity Model Certification program has moved forward aggressively despite expectations of regulatory relief under the Trump administration. The final CMMC rule became effective on December 16, 2024, launching a phased implementation that will require defense contractors handling controlled unclassified information to achieve appropriate certification levels.

Organizations that delayed CMMC preparation expecting regulatory freezes now face compressed timelines to achieve compliance. The program will enter contracts in four phases starting in Q2 2025, with each phase lasting a year and progressively increasing the number of contracts requiring Level 2 compliance.

"With the publication of this updated rule, DoD will allow businesses to self-assess their compliance when appropriate," the Pentagon announced. However, higher-risk scenarios will still require third-party assessments conducted by CMMC Third Party Assessor Organizations, maintaining significant compliance obligations for defense contractors.

The CMMC requirements apply to all DoD solicitations and contracts where contractors will process, store, or transmit Federal Contract Information or Controlled Unclassified Information. Any security requirements imposed by prime contractors will flow down to subcontractors that interact with sensitive information.

Financial Industry Mobilizes Against CIRCIA Implementation

Financial sector organizations have mounted significant resistance to the proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act. The American Bankers Association, Bank Policy Institute, Institute of International Bankers, and Securities Industry and Financial Markets Association formally requested that CISA "rescind and reissue" the proposed implementation rules.

These organizations argue that CISA's proposed rules would force companies to "divert resources from response and recovery" rather than focusing on addressing cyberattacks. The financial industry contends that the notice of proposed rulemaking departs from Congress's intent to "strike the balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements."

CIRCIA requires covered entities to report major cybersecurity incidents within 72 hours and ransomware payments within 24 hours. The rules are expected to impact approximately 316,000 entities across 16 critical infrastructure sectors when they take effect. CISA must publish the final rule by October 2025, with implementation beginning 18 months later.

The tension reflects a broader challenge in the current regulatory environment where organizations face reduced federal support while confronting increased compliance obligations. The proposed rules would create extensive reporting requirements at precisely the time when federal cybersecurity agencies are experiencing significant workforce reductions.

National Resilience Strategy Shifts Security Responsibility to States

The Trump administration launched the National Resilience Strategy in March 2025, fundamentally altering the federal approach to cybersecurity governance. The strategy shifts primary responsibility for infrastructure protection to state and local governments while emphasizing "efficiency and reducing taxpayer burden."

This decentralized approach creates new challenges for organizations operating across multiple jurisdictions, as they must navigate potentially divergent state and local cybersecurity requirements without clear federal coordination. The strategy's emphasis on "commonsense approaches" by local governments assumes capabilities and resources that may not exist at the state and local level.

The Executive Order "Achieving Efficiency Through State and Local Preparedness" calls for a review of all infrastructure, continuity, and preparedness policies to align them with the National Resilience Strategy. The policy premise holds that "commonsense approaches and investments by State and local governments across American infrastructure will enhance national security."

Threat Environment Intensifies Amid Regulatory Upheaval

The cybersecurity threat landscape continues to escalate even as federal oversight capabilities diminish. Ransomware remains the top organizational cyber risk, with 45% of security professionals ranking it as their primary concern for 2025. The evolution of Ransomware-as-a-Service models has commoditized these attacks, making them more accessible to a broader range of criminals.

Nation-state actors are increasingly converging with financially motivated cybercriminals, with countries like Russia outsourcing cyber-espionage operations to criminal groups. Chinese state-linked APT groups are adopting ransomware techniques traditionally used by financially motivated actors, blurring the lines between different threat categories.

Critical infrastructure sectors face particular risks, with water facilities, communications infrastructure, and energy systems emerging as prime targets. A recent joint alert from CISA, FBI, EPA, and DOE warned of rising cyber threats to operational technology and industrial control systems within U.S. critical infrastructure.

Organizations Adapt to Self-Reliance

The regulatory transformation is forcing cybersecurity professionals to shift focus from regulatory compliance to fundamental security resilience. The frameworks that provide the foundation for effective cybersecurity—NIST SP 800-171, SP 800-53, and the NIST Cybersecurity Framework—remain stable reference points even as the regulatory superstructure changes.

NIST released updated Privacy Framework guidance in April 2025, aligning with the Cybersecurity Framework 2.0 and including new guidance on AI and privacy risk management. These foundational standards continue to provide organizations with reliable guidance for building robust security programs.

Healthcare cybersecurity leaders are already adapting to the new reality, with one CISO noting the need for backup plans as federal resources become less reliable. The emphasis on self-reliance reflects the broader trend toward organizational independence from federal cybersecurity support structures.

The current environment makes proactive security planning more critical than ever, as organizations can no longer depend on consistent federal guidance and support. Those that focus on building comprehensive security programs based on established frameworks will be better positioned to handle both evolving cyber threats and regulatory uncertainty.