
From Compute to Congress: To Address CISA's Authority Gap, Reauthorize CISA 2015 and SLCGP

September 30, 2025
Daria Bahrami

A note from the author: Welcome back to “From Compute to Congress,” a Dreadnode policy series that aims to bridge the divide between engineers and policymakers, particularly as the AI-enabled cyber domain becomes increasingly complex.

At Dreadnode, we believe the AI capabilities we're building sit atop the foundation of the digital world—and cyber resilience is essential to the sturdiness of that foundation. Without robust cybersecurity infrastructure, the transformative potential of AI becomes a liability rather than an asset. This is why we're committed to ensuring policymakers understand both the technical realities of cyber defense and the policy mechanisms needed to secure the digital infrastructure on which our technological future depends.

As Congress debates a continuing resolution to keep the government funded, two critical pieces of cybersecurity legislation hang in the balance: the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the State and Local Cybersecurity Grant Program (SLCGP). Both programs expire on September 30, 2025, threatening to dismantle foundational elements of America's relatively young cyber defense infrastructure.

There are two other tools for cyber dominance that also deserve our undivided attention: the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which grants CISA the power to mandate cyber incident reporting from industry; and Title 32 of the U.S. Code, which provides the National Guard with the federal funding mechanism and authority to defend against foreign cyberattacks on critical infrastructure. These two authorities are the untapped keys to transforming CISA from a coordination body into an integrated defensive command.

The looming expiration of these programs exposes a deeper challenge facing the Cybersecurity and Infrastructure Security Agency (CISA)—America's cyber defense agency. CISA has demonstrated success at operationalizing threat intelligence, publicly messaging vulnerabilities, coordinating stakeholders, and building frameworks that elevate the security strategies of participating organizations. Yet this excellence occurs within fundamentally constrained authorities: CISA can issue informed recommendations and facilitate voluntary cooperation, but beyond the Federal Civilian Executive Branch, it cannot compel action when organizations ignore critical security guidance.

CISA’s limitations are increasingly problematic as cyber threats are evolving to include AI-powered attack capabilities that operate at machine speed and scale. When adversaries use AI to automate reconnaissance, coordinate distributed attacks, and adapt exploitation techniques faster than human defenders can respond, voluntary cooperation models become structurally inadequate. CISA has built sophisticated partnership frameworks, but without enforcement authority, critical gaps remain when coordinated defensive response is required against systematic infrastructure attacks.

Modern cyber conflict straddles both civilian and military domains: when Chinese state actors target American water utilities or Russian groups attack power grids, these aren't simply criminal enterprises but systematic campaigns against national resilience. The solution requires immediate and sustained action. Congress must immediately reauthorize CISA 2015 and SLCGP before they expire September 30 to preserve existing capabilities. Beyond this urgent deadline, federal agencies must operationalize authorities Congress has already provided: finalizing CIRCIA regulations for mandatory incident reporting and implementing Title 32 to give CISA operational capabilities through the National Guard.

America's Cyber Defense: Expiring Authorities and Delayed Rules

CISA 2015: The Foundation at Risk

Since passing into law ten years ago, CISA 2015 has established the foundation for voluntary cybersecurity information sharing between government and industry. The legislation provides crucial protections—liability shields, antitrust exemptions, and disclosure protections—that incentivize organizations to share threat intelligence despite traditional concerns about competitive disadvantage and customer trust.

Without these protections, some experts project that voluntary information sharing could drop by as much as 80-90 percent. House Homeland Security Chairman Andrew Garbarino (R-NY) demonstrated CISA 2015’s operational value, noting that "just this year, a major organization shared 84 formal reports, reaching thousands of partner organizations.” Former Acting National Cyber Director Kemba Walden has warned that failure to renew CISA 2015 would undermine the government's ability to interface with industry, including through the Joint Cyber Defense Collaborative. The expiration would also fragment the legal framework that enables information sharing across federal agencies, undermining coordination mechanisms like CISA's Critical Infrastructure Partnership Advisory Council.

Major industry stakeholders have voiced strong support for reauthorization, including USTelecom's CEO, who called it "critical for telecommunications providers, who often serve as the first line of defense against malicious cyber activity." In the absence of this framework, as the Congressional Research Service states, “the federal government may find itself in the same position that drove passage of the act—not knowing the extent of current cyber threats and lacking the information necessary to mitigate those threats.”

Despite broad bipartisan and industry consensus supporting reauthorization, political deadlock threatens to let this foundational authority lapse.

SLCGP: State and Local Capabilities Under Threat

The State and Local Cybersecurity Grant Program has appropriated $1 billion over the last four years to help State, Local, Tribal, and Territorial (SLTT) governments improve their cybersecurity posture. This program addresses a critical vulnerability as state and local governments operate much of America's critical infrastructure, yet often lack resources for effective cybersecurity.

A recent Government Accountability Office investigation found that most state agencies had positive feedback about the program. However, facing the program's pending expiration, state officials expressed serious concerns, with some noting they would have to rely on less adequate funding sources like the Homeland Security Grant Program (HSGP) if SLCGP expires. The main reason for this is that HSGP is constrained by mandatory spending requirements across National Priority Areas (NPA). Cybersecurity has recently been included as an NPA, but it lacks the same minimum spend requirement, and is therefore easier to skim over. This is where SLCGP filled a gap, by providing a dedicated fund for state- and local-level cybersecurity investments.

The program has demonstrated concrete results in improving baseline cybersecurity across thousands of local government entities. Industry stakeholders have advocated for the reauthorization of SLCGP funding, as well as a funding increase up to $4.5 billion over two years, recognizing that SLTT cyber defense is imperative for national security and the defense industrial base.

The potential expiration creates a stark policy contradiction. The March 2025 Executive Order on "Achieving Efficiency Through State and Local Preparedness" emphasized that cybersecurity preparedness is primarily the responsibility of state and local governments themselves. Yet by allowing SLCGP to expire, Congress would be eliminating the dedicated federal funding that enables those same governments to meet that responsibility. The program's renewal remains uncertain, caught in broader political divisions.

CIRCIA: Enforcement Delayed Again

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 would provide CISA with meaningful enforcement authority, requiring organizations to report significant cyber incidents and ransom payments within specified timeframes. Originally scheduled for implementation by October 2025, the rule has been delayed until May 2026—continuing a pattern where regulatory mechanisms are consistently kicked down the road.

Given ongoing leadership transitions and the contentious nature of mandatory reporting requirements impacting more than 300,000 entities, this delay may be tactically wise. However, it reinforces the broader challenge: CISA remains constrained to voluntary cooperation models while adversaries conduct systematic attacks requiring coordinated defensive response.

Tapping Into Interagency Authorities

While enforcement mechanisms remain trapped in regulatory delays, the most promising path forward lies not in waiting for new authorities, but in operationalizing the cyber defense capabilities Congress has already authorized across independent agencies: CISA and the National Guard.

CISA, which operates under the Department of Homeland Security (DHS), has built sophisticated threat intelligence sharing mechanisms but lacks operational enforcement authority. By contrast, the National Guard, operating under the Department of War (DOW), possesses both operational cyber capabilities and extensive state and local networks that CISA has not been able to replicate. Crucially, the Guard is the only military component that can operate in both state and federal status, utilizing tools like State Active Duty (SAD) for governor-directed crises and the Emergency Management Assistance Compact (EMAC) for interstate support.

The National Guard already operates under Title 32 of the U.S. Code, which allows state-controlled units to receive federal funding for "homeland defense activities." While states have historically funded their own Guard cyber operations, the statutory authority for federal support already exists. Congress has specifically defined these activities as those undertaken for "military protection of the territory or domestic population of the United States, or of infrastructure or other assets of the United States determined by the Secretary of Defense as being critical to national security." When foreign adversaries target American water systems or power grids, these attacks clearly fall within this homeland defense mandate. While state governors also use SAD for immediate, state-funded cyber crisis response, the federal funding and statutory language of Title 32 make it the designated status for continuous operational collaboration between CISA and the National Guard.

Importantly, DOW and DHS have operated under a 2010 Memorandum of Agreement on cybersecurity that established frameworks for personnel exchanges and operational collaboration. This existing foundation could be expanded to formalize CISA-National Guard coordination protocols without requiring new Congressional authorization.

The Title 32 Implementation Gap

Title 32 already authorizes fundamental cyber defense structures, yet the steps to implementation remain incomplete. For years, Congress has repeatedly mandated that the DOW clarify when cyber incidents qualify as homeland defense activities and establish clear protocols for National Guard cyber response under Title 32. Most recently, the FY-2026 NDAA mandates a comprehensive report by August 2026 addressing fundamental questions that should have been resolved years ago: how to integrate National Guard cyber capabilities under Title 32 and what barriers prevent effective DOW-civilian cyber coordination.

Similarly, Congress has authorized pilot programs for National Guard units to "remotely provide cybersecurity technical assistance to National Guards of other States, without the need to deploy outside its home State." This capability demonstrates exactly the kind of interstate National Guard cyber coordination that could support CISA's mission, but it remains limited to small-scale pilots rather than systematic implementation across the homeland defense structure.

Funding Stability Advantage

The CISA-National Guard coordination model under Title 32 would also offer crucial funding stability. National Guard cyber operations would likely be considered "essential homeland defense activities" and continue even during government shutdowns, making them more reliable than civilian cyber programs that face complete funding cuts during political impasses.

The Dual-Track Solution

The choice before Congress is straightforward: preserve foundational authorities that enable civilian cyber coordination while supporting agencies to operationalize defensive capabilities Congress has already provided. This isn't about expanding government power—it's about matching America's cyber defense capabilities to the sophistication and coordination of the threats we face.

Immediate Legislative Track:

  • Reauthorize CISA 2015 to preserve voluntary information sharing frameworks
  • Renew SLCGP to maintain state/local capability building

Regulatory Implementation Track:

  • Optimize and finalize CIRCIA to provide mandatory incident reporting and enforceable standards
  • Formalize CISA-National Guard coordination under Title 32 to give CISA operational capabilities when cyber incidents qualify as homeland defense activities

The Choice Before Congress

America faces a fundamental decision about its future in cyberspace. The repeated delays and political battles surrounding cybersecurity legislation reveal strategic confusion. While there tends to be bipartisan agreement that cybersecurity is a national security priority, the protection of critical infrastructure—even across the defense industrial base—is continuously treated as collateral in civilian political disputes.

When threat actors compromise state services, they hold the keys to knock down phone services, water systems, hospitals, and other pillars of critical infrastructure, as demonstrated by the most recent ransomware attack targeting St. Paul, Minnesota. We can continue treating cyber defense as a political bargaining chip, watching our defensive capabilities fragment while adversaries execute coordinated campaigns against our infrastructure. Or we can recognize that cyber superiority is essential for defense of the homeland. The same infrastructure failures that threaten civilian safety also undermine nearby military installations' operational readiness.

We are witnessing a cyber identity crisis that undermines national defense. Cybersecurity threats don't discriminate between civilian and military sectors—a threat to one is a threat to all. As sophisticated adversaries systematically target American infrastructure, our defensive response must match their level of coordination and persistence. Between CISA's threat intelligence frameworks, the National Guard's operational capabilities, and established Congressional authorities, the tools for cyber dominance already exist. The missing piece is implementation.

The September 30 deadline represents a test of whether America's political system can rise to meet 21st-century threats, which increasingly operate at the speed and scale of artificial intelligence rather than human decision-making. Adversaries are already deploying AI to automate attacks, identify vulnerabilities across millions of systems simultaneously, and adapt their techniques faster than traditional defenses can counter. Every day we delay implementing these solutions is a day our competitors advance their vision of cyberspace at our expense. Congress must reauthorize expiring authorities immediately to preserve existing authorities while agencies operationalize the defensive capabilities already at their disposal. The alternative will result in a strategic decline in the very domain where American innovation and coordination should guarantee supremacy. In cyber conflict, there is no neutral ground. We either establish and maintain superiority, or we cede it to those who will use it against us.
