HSDF THE PODCAST

Congressional Cyber Priorities: Budget, Policy, Coordination Part 1 of 2

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.

The clock is ticking on America's cybersecurity infrastructure. With just 69 days until the Cybersecurity Information Sharing Act (CISA) of 2015 expires, congressional leaders are navigating a critical juncture for our nation's digital defenses.

Featuring:
• Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection
• Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection
• Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator)

This discussion took place July 23rd, 2025, at HSDF’s Cybersecurity Symposium, “Navigating Cybersecurity Strategies in a Volatile World.”



Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

All right walk-up music. That was not. They didn't warn me we were getting that when we were talking about panel prep. It's great to see you all here. It's great to be back at the Homeland Security and Defense Forum.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

I don't know which number this is for me, but it is the first time when I get to ask the question, so I'm very excited about that.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

We have two of the best folks that you could imagine to talk cyber policy on the Hill with us, and it's an exciting time for that, because there are some deadlines coming up that I'm sure you are all tracking in terms of authorities that are expiring, so we're going to just dive right into questions.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

The one thing I'll say is we have time on the back end for questions from the audience as well, so I'll remind you of that later, but start thinking of them now, and I see some friends from the press, so I'm sure we'll definitely have those at least. Maggie, I'm looking at you, all right. So, Alexandra, you know we sort of talked about this at the outset. We have a new chairman, someone who is very, very familiar, I think, to many folks in this audience. He's got a history in cybersecurity. But can you talk to us a little bit about, with the new chairman of the House Homeland Security Committee, what the priorities are going to be for you all?

-Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Yeah, first of all, it's great to be here with you all, seeing many familiar faces. Also many familiar faces to Chairman Garbarino, a big friend of the cybersecurity community, since he's led the subcommittee for the past two congresses and has been on the subcommittee since the 117th in a leadership role. As you might imagine, many of the same priorities. When he ran for chairman of the full committee, he ran on his strong record for cybersecurity. He knows the issues, he cares about them deeply and, as you alluded to, Nick, has been very focused on some key reauthorizations for the community. We've had a pretty regular cadence of hearings that have covered a number of topics, so I think that's something that you can continue to expect as he shifts into this new role. Of course, he has been in the role for, I think, less than 48 hours now, so I think he's still settling in and shaping up what his full agenda is going to be, but I think you can definitely expect that cybersecurity will be a big part of it.

-Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection:

I do want to touch on the reauthorizations because I know that this is something that he mentioned as he was going into his candidacy for full committee chairman, and it's something that he's been really focused on from the subcommittee level for this whole congress, very committed to getting CISA 2015 reauthorized and the state and local cybersecurity grant program.

-Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection:

I'm happy to go into the details of how we're thinking about both of those pieces of legislation if that's helpful. But from also a topical perspective, I think other areas that you can expect to see continued interest in: cyber workforce. As you might remember, that was a big priority of Chairman Green, who just resigned, but has also been very near and dear to the heart of Chairman Garbarino. So I think, recognizing that people are at the core of solving a lot of the issues that we see in cybersecurity, we need the right people with the right skills in the right places to stay ahead of these threats. So I think that that's something you can expect to be a theme on the committee as well, and we're very focused in working with the administration and taking a look at CISA as it continues to shift back to its core mission.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

Great, yeah. Knowing the general sophistication of this audience, I think it would be great to hear a little bit more details-wise about where we are with CISA 2015. I was working on the Hill when we spent four-ish years trying to get it across the finish line between 2011 and 2015. And with 69 days left to go, I think any sort of. I don't know if folks here have seen, but there's a clean ten-year reauthorization in the Intelligence Authorization Act that came out of the Senate Select Committee on Intelligence last week. But just any more details there, I think would be really helpful for folks.

-Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Yeah, absolutely. I think I should say, first and foremost, we are committed to making sure that this authority does not lapse. We recognize the criticality that. It is how it underpins everything that we do in cybersecurity, all of the information sharing, whether it's private sector to private sector or private sector to government, and so we recognize that.

-Alexandra Jane Seymour, Staff Director (Majority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Now, that said, I think Chairman Garbarino is interested in looking at some changes. It has been 10 years, and so that is a natural time where we're supposed to look in and reassess and reevaluate to see what has changed and if there is language that needs to be updated. Now I think we've heard resoundingly from industry that the law has worked. We've also heard that there are tweaks that would be helpful if we were able to clarify them. So that's something that we are exploring now, not at the expense of the law lapsing, so I just want to be very clear on that. But we have been wanting to and I leave this as an open invitation for those who might have changes that they might want to see. Please feel free to reach out to us. That's something that we're looking at actively and we are looking at all of the vehicles that might exist for us to make sure that CISA 2015 does not lapse.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

Great. Thanks. Moira, I want to bring you in on this. I know that Ranking Member Thompson was a huge part of getting CISA 2015 done in the first place. So any reflections there from how he's thinking about this 10 years in. And then I got a couple other questions on sort of the legislative front. But if you want anything you want to throw in there.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Yeah, I mean, I'll be brief. From the start, Ranking Member Thompson has said that he thinks the cleanest and most likely path forward is a clean extension. I think he's got concerns that if you open up the bill to edits, then everybody will have edits and everyone will have something that they want. I think he's concerned about inviting that process at this stage. That said, we have a new chairman who has said that he wants to consider edits, and so of course he has to carry the vehicle. At the end of the day, we're in the minority, we can't be the ones carrying the Rios, and so if he wants to consider edits, of course we'll consider what he would like to have considered. But I think Mr. Thompson continues to believe pretty strongly that a clean extension is something that we must pass, and the SSCI mark is sort of a bird in the hand.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

Yeah. So that's, you know. I think the resounding thing I'm hearing is it's working and we need to ensure it's extended and then, potentially, whether or not there's changes down the road. It's like, at the very least, hopefully we can not take a step back, which is, I think, a decade in. Certainly, how I view it is, the problems that I hear about from CISO communities, I was talking to a bunch of CISOs this morning, are not the same as what I was hearing in 2014, where the first thing anyone came in was like, before I could even talk to you, I had to go and get seven sign-offs from seven different lawyers in my GC shop.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

That was to talk to you, a policymaker. Operationally it's 15 lawyers and that is less of a problem today and I think it speaks to Congress's work on this issue. One other thing more that's certainly interesting to those of us in civil society and, I imagine, several folks here that the ranking member and actually Ranking Member Lofgren from the science committee put forward in June was a letter to GAO about the CVE program, the Common Vulnerabilities Enumeration Program at MITRE. Looking at, hey, there were some funding questions about that in April. It's caused quite a stir, I think, in the cybersecurity policy community and in operators, something that we've spent a lot of time in civil society looking at. Can you talk to us a little bit about what that means from your perspective and any other things that are sort of on Mr. Thompson, Mr. Swalwell's agendas?

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Sure, and it's a kitchen table issue that I'm sure everyone talks about with their friends and family. So one of the things I will start broadly and then I'll get narrow. Um, you know, as is, as happens with any transition from administration to another, there's a little bit of a people. People are changing what they're prioritizing. Um, they've got to, you know, get organized, and how contracts get renewed, how programs get extended, they take a refresh, look at programs. All of that is fair. Um, I think one of the concerns that both Mr. Thompson and Ranking Member Swalwell have is that there has been a little bit of instability brought about by some of the changes that have happened since the transition, whether it's CISA staffing, CISA budget, CISA contracts, et cetera. There has been a lot of instability. I think what one of their goals is together is to bring some stability back to how the federal government approaches cybersecurity in terms of like, who are you dealing with at different agencies, not just CISA, but at your SRMAs, what programs can you rely on, how are you sharing information, et cetera? Which is once again why we're advocating for a clean system extension once it's a stabilizing force.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

When it comes to CVE, I think everyone was pretty jolted by the fire drill that happened earlier this year and the NVD. We also asked GAO to look at the NVD program, which had funding issues last year that resulted in a huge backlog. What our goal is is to stabilize these programs. We recognize the benefit of these programs. We want to make sure that there continues to be a standardized CVE database. It makes it easier for researchers, network defenders, everyone to act on the information and it's coming from a trusted source. But how can we make sure that this isn't a program that could die on a whim of a contract not being extended?

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

So we have asked GAO to take a look at both programs, to do an assessment of what's working, what's not working. That is running at a GAO pace, which I love. GAO. That is not enough. It's because they are so thorough and we don't want them to be too fast, we don't want them to short circuit anything.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

So we have, we are working with GAO. At the same time, we are in the process of working with our science committee colleagues, Alan McQuinn, lovely person, if you would like to engage with him more on NVD, to develop legislation to stabilize both of the programs. Our goals are to ensure that the programs are stable, that there is appropriate engagement, that there is transparency and that it continues to be what network defenders need it to be, and that we don't see a segmenting of different CVE programs across, you know, continents or even within the United States. So that is our goal. We are in the process of doing it. If anyone would like to discuss it, please come on in. We are happy to discuss and we're open to ideas, but I think what we want to direct both CISA and NIST to do is to develop a plan to stabilize the program and do so in a way that takes into consideration the input of stakeholders and the end users of those products.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

Yeah, so thanks for that. Really appreciate the congressional leadership here because I certainly say, when I was at the White House, when I was on the Hill, CVE was what I would call a two month away problem. We see, seems to have some challenges all the way up until fire drills in 2024, last year about the National Vulnerability Database and the funding snafu earlier in April. So really appreciate Congress stepping in to here. One of the things you mentioned too, Moira, was challenges with transitions. There are always challenges with transitions. One thing that I'll say personally, right, I wrote a blog piece when the new administration's executive order on cyber came out at the beginning of June.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

That said essentially, like, it's great to see continuity. I worked on the 2023 National Cybersecurity Strategy. It was very important to me that in that, we say quite explicitly this is built on the 2018 national cyber strategy, the Trump administration's one, because there has been continuity. This has been a bipartisan area for a long time and if you look at the 20, there the June EO from the administration, there is a lot of continuity. That makes sense because what we were doing in the Biden administration was building on the Trump administration. That said, there have been some challenges, I think, with the administration and some of their administration, their actual execution of cyber programs. We'd love to hear sort of, we'll start with you, Moira, of what that looks like from a congressional oversight perspective right now. What things are kind of on your mind when you look at the administration?

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

I'd say a lot is on my mind and I think it's on the mind of our members, so I will start broadly. I think you know our committee looks predominantly at CISA, but we also care about CIO and CISO shops and SRMA shops across the federal government and I think at a high level our first concern was the fork effort, the deferred resignation, that I think we still have not gotten from CISA actual data on the number of people that took one of those options. But press reports indicate about a thousand, which is about a third of their workforce. So we know that they've lost a third. We haven't gotten data yet on what programs are impacted most. Where did they lose the most people? So even if we wanted to, I appreciate that a new administration, it's their prerogative to decide to prioritize or deprioritize different programs. That's how elections work. We don't even know what programs they could or could not boost or what programs are winding down, because we don't know where the staff is. So I think that's one of our biggest concerns is we don't even know what cards we're playing with at this point because we don't have good data about what staff they have. We don't have good data about the staff at SRMAs and we don't have good data about the staffing at CIO shops, which has consequences for federal network security. So, just like basic information about who's working in the government is like our first piece of the first thing that we're really trying to get to the bottom of, particularly when, in a bipartisan way, we have focused so much on hiring cyber talent into the government, and to see it eroded is discouraging. I would also then.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

So that's one level. Then there's the level of how does the private sector engage with the government, and we've seen the erosion of different advisory committees and coordination groups. So where is CPAC? We've been told it's going to be reconstituted. It has not been reconstituted yet. How is the industry going to have the opportunity to influence government and policy and share information with each other? Stronger direction to the administration. About reconstituting they have the authority to do it, to establish advisory committees in the Homeland Security Act, but maybe they need to be directed to reconstitute something that looks like CPAC.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

I think we can appreciate trying to streamline advisory committees, but eliminating something that everyone said was really valuable and then not having a way to replace it is not wise. I think the same can be said for CSAC at CISA. I think I'm hopeful that once Sean Plankey is confirmed, he will renominate people to CSAC, but that remains to be seen. And then, of course, the Cyber Safety Review Board has also been disbanded. Their work on Salt Typhoon halted, no indication that anyone in government is really investigating it the same way that CSRB was supposed to. So that's another thing that we are taking a look at legislatively and seeing that there's other ways that we can sort of spur some momentum there.

-Moira Bergin, Staff Director (Minority), House Subcommittee on Cybersecurity & Infrastructure Protection:

Those are our initial high level. I mean, they're also time-consuming oversight initiatives because there's just so much change happening. But both of the people I work for, Mr. Swalwell and Mr. Thompson, do want to bring stability to these. What I'd argue are basically foundational authorities and programs across the government. And I would also just point out if you don't have people in CIO shops and CISO shops, CISA can't engage with them. The value of CISA's federal network security programs is diminished. And if you don't have people in SRMAs, the sector-specific guidance that you're supposed to get no longer exists. And that's incredibly problematic as well, because we were really trying to build those up. And why we would let them be diminished is something I do not understand.

Nick Leiserson, Senior VP, Policy, Institute for Security & Technology (moderator):

Yeah, I think the CPAC point is just really well taken. One of the things that's impressed me, looking across any sort of cyber hearing that you've seen on the Hill in the last four months, there was one on HIPAA in Senate HELP last week, where this was the first thing that everyone said was we want to have a forum where we can engage with the government on policy matters and ways to manage the risk, and that seems like it would be useful. And I think looking to get those convenings reconstituted as quickly as possible is again something that I've just been impressed by how much I've seen in any sort of venue on the Hill.