The past year in federal cybersecurity policy has been marked by uncertainty, driven by a change in administration, expiring authorities, and the burgeoning influence of artificial intelligence (AI). As policymakers and experts look ahead to 2026, there is an expectation for greater clarity, particularly regarding the integration of AI within the cybersecurity framework. Here are key developments to monitor as the new year unfolds.
The anticipated new national cyber strategy from the White House is expected to be unveiled early in the year. National Cyber Director Sean Cairncross, speaking at the Aspen Institute’s Cyber Summit in November, indicated that the strategy will be concise, consisting primarily of a statement of intent paired with actionable items and deliverables. “It’s going to be focused on shaping adversary behavior, introducing costs and consequences into the mix,” Cairncross noted. The strategy will be built on six pillars, addressing significant gaps in cybersecurity talent, with Cairncross emphasizing the need to fill over half a million job openings in the field.
Cairncross’s remarks reflect a shift towards what experts describe as “active defense.” Morgan Adamski, a former National Security Agency leader, highlighted that this approach emphasizes proactive measures rather than reactive ones, enabling organizations to shorten the time between intrusion and containment. The focus is on continuous monitoring and rapid detection to mitigate risks effectively, particularly as cyber threats evolve.
The incorporation of AI within cybersecurity strategies is another critical area of interest. Experts generally categorize this issue into three domains: securing AI systems, defending against AI-enabled cyber threats, and leveraging AI for cyber defense. Drew Bagley, Crowdstrike’s vice president for privacy and cyber policy, pointed out the increasing importance of applying established cybersecurity concepts to AI mechanisms. He noted that without adequate visibility into AI systems, new vulnerabilities could emerge, complicating the cybersecurity landscape.
Bagley anticipates that the Cybersecurity and Infrastructure Security Agency (CISA) will take a leadership role in guiding federal agencies on AI security standards. “CISA can provide guidance to those who are implementing AI in federal agencies,” he stated, emphasizing the need for stringent security measures to prevent AI from becoming a source of risk. Simultaneously, agency chief information security officers are exploring how to harness AI to enhance their cyber defenses. Adamski remarked that AI could serve as a crucial tool in security operations, helping teams manage the overwhelming volume of potential threats and improving detection and response times.
As Congress reconvenes post-holiday, the reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) remains a priority, although political dynamics may complicate the path forward. The act lapsed on October 1 but received a temporary revival as part of a continuing resolution. Lawmakers must act before its authorities expire again on January 30. Bipartisan support exists for reauthorizing CISA 2015, but House Homeland Security Committee Chairman Andrew Garbarino acknowledged that differing views in the Senate may hinder a straightforward reauthorization.
Garbarino’s proposed Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act) aims to extend CISA 2015 for another decade, yet concerns from various factions within Congress complicate its passage. In the Senate, Chairman Rand Paul has voiced opposition to a “clean” reauthorization, raising issues surrounding the agency’s collaboration with social media companies on disinformation.
Another significant development is the anticipated cyber incident reporting rule from CISA, stemming from the Cyber Incident Reporting for Critical Infrastructure Act enacted in 2022. This legislation mandates that critical infrastructure sectors, such as energy and telecommunications, report significant cyber incidents within 72 hours. The proposed rule, which CISA released in 2024, is expected to impact approximately 316,000 entities. However, industry stakeholders have criticized it for being overly broad and have urged CISA to harmonize it with existing reporting mandates.
As 2026 begins, CISA operates without a Senate-confirmed leader, with Sean Plankey’s nomination stalled amid concerns about his previous role in the Coast Guard. Meanwhile, the National Security Agency and U.S. Cyber Command are also without permanent leadership. The dual role of NSA director and CYBERCOM commander is crucial, especially given the current administration’s focus on offensive cyber capabilities. Reports suggest that Army Lt. Gen. Joshua Rudd is being considered for the role.
Moreover, the political landscape is shifting, as Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters announced he will not seek re-election in 2026, marking the end of his influential tenure in cyber policy. As the cybersecurity landscape continues to evolve amid these developments, the interplay of emerging technologies and federal policy remains a focal point for stakeholders in the coming year.
