The Big Beautiful Bill: How the New Legislation Will Impact U.S. Cybersecurity

The recently approved “Big Beautiful Bill” is making waves across the cybersecurity landscape, promising sweeping changes for federal agencies, the Department of Defense, and civilian infrastructure. While the bill delivers major funding boosts for federal IT modernization and defense cybersecurity, it also slashes budgets for key civilian programs, raising concerns among experts about the nation’s ability to respond to evolving cyber threats.

Major Investments in Federal and Defense Cybersecurity

A centerpiece of the bill is a $500 million allocation through 2034 dedicated to modernizing federal IT and AI systems. This funding aims to address longstanding vulnerabilities in government networks and equip agencies with state-of-the-art tools to combat increasingly sophisticated cyberattacks. Key initiatives include the adoption of Zero Trust Architecture, real-time threat detection, automated incident response, and enhanced identity management, all in alignment with leading NIST cybersecurity standards.

The Department of Defense is also a major beneficiary, with over $150 billion earmarked for defense-related technology, including significant investments in cybersecurity and artificial intelligence. Notably, the bill provides $20 million for DARPA to pursue advanced research in quantum-resistant cryptography and AI-driven threat modeling. An additional $350 million is set aside for AI-enabled business system modernization, supporting predictive maintenance and cyber risk scoring across all military branches.

Cuts to Civilian Cybersecurity Programs Spark Concern

While federal and defense agencies see their cybersecurity capabilities bolstered, the bill delivers a blow to civilian efforts. The Cybersecurity and Infrastructure Security Agency (CISA) faces a nearly 30% budget cut, amounting to a $495 million reduction. This move will eliminate more than 1,000 positions and scale back or defund several critical programs, including cyber defense, continuous diagnostics and monitoring, federal vulnerability assessments, and election security initiatives.

These cuts have drawn criticism from cybersecurity professionals and lawmakers alike, who warn that the reductions could leave civilian infrastructure and local governments more vulnerable to cyberattacks at a time when threats are on the rise.

AI Regulation and State Authority

The bill’s approach to AI regulation has also generated debate. An initial provision sought to impose a 10-year moratorium on state-level AI regulation, centralizing authority at the federal level. After bipartisan pushback, this moratorium was removed, allowing states to retain some regulatory power—particularly in areas affecting children and intellectual property. However, the ongoing uncertainty could lead to a patchwork of cybersecurity standards as AI becomes increasingly integrated into critical infrastructure.

Uncertain Future for Vulnerability Coordination

The future of key cybersecurity coordination efforts, such as the MITRE CVE database and the Cyber Security Review Board (CSRB), is now in question due to ambiguous or reduced funding. These programs are vital for tracking software vulnerabilities and coordinating responses to cyber incidents, and their potential downsizing could hamper national cyber defense efforts.

Expansion of AI in Surveillance and Border Security

The bill also authorizes billions for AI-driven surveillance systems at the border and within federal agencies. While these investments promise enhanced detection and automation, they also introduce new cybersecurity and privacy risks. Experts warn that without robust security measures, these advanced systems could become attractive targets for sophisticated cyberattacks.

Limits on Judicial Oversight

A controversial provision in the bill restricts federal courts’ ability to enforce contempt actions against the government in cybersecurity and privacy cases, requiring plaintiffs to post a bond before enforcement. Critics argue that this change could weaken judicial oversight and reduce accountability for government data practices.