
Reading the New U.S. Cyber Strategy: What It Gets Right, What It Gets Wrong, and What It Doesn't Address at All

By Amy S. Hamilton, PhD

March 9, 2026


On March 6, 2026, the White House released President Trump's Cyber Strategy for America. At seven pages — more than half of which is preamble — it is the shortest national cyber strategy any administration has produced. The administration has said, explicitly, that it is a high-level vision document and that more detailed implementation guidance will follow. I accept that framing and will hold the administration to it.

Strategy is more than a placeholder

But a strategy document is not simply a placeholder. It establishes the posture from which all downstream implementation, resource allocation, and interagency coordination flows. What a strategy names, agencies fund. What a strategy omits, agencies deprioritize. What a strategy leaves ambiguous, budget offices ignore. Read in that light — as the document that will shape how every agency with a cyber mission organizes itself and spends its money — this strategy has real strengths and real gaps. The gaps, in the context of what I described in my piece this week about the federal cyber apparatus's failure to defend critical infrastructure against active threats, are not abstract. They are consequential.



What the Strategy Gets Right


The offensive posture is the strongest part of this document and deserves credit. Pillar 1 — Shape Adversary Behavior — commits to deploying the full suite of U.S. government defensive and offensive cyber operations, eroding adversary capacity and capability, and using all instruments of national power to raise the cost of aggression. This is not rhetorical. Cyber Command's documented role as a first mover in Operation Epic Fury demonstrates that the offensive infrastructure exists, that it works, and that this administration is willing to use it publicly. The strategy's offensive orientation is grounded in operational reality, and it sends a credible deterrent signal to adversaries.


The deregulatory thrust of Pillar 2 — Promote Common Sense Regulation — reflects a legitimate frustration with compliance frameworks that have become costly checklists disconnected from actual security outcomes. Streamlining regulations so that the private sector can move at the speed of threats is a defensible principle, and one that many serious practitioners across the political spectrum would agree with.


Pillar 3 — Modernize and Secure Federal Government Networks — is also substantive. The commitment to zero-trust architecture, post-quantum cryptography, cloud transition, and AI-powered defenses for federal networks reflects current best practice and represents genuine direction that agencies can act on. These are not new ideas, but naming them in a strategy document matters because it gives CIOs and CISOs across the federal enterprise a mandate to prioritize them in their budget requests.


These are real contributions. This strategy is not without value. The question is what it leaves out — and in the domain that matters most right now, it leaves out a great deal.


Where the Strategy Falls Short


Pillar 4 — Secure Critical Infrastructure — is where this strategy most significantly underperforms the moment. The pillar commits to identifying, prioritizing, and hardening critical infrastructure and its supply chains. It names the right sectors: energy grid, financial systems, telecommunications, data centers, water utilities, hospitals. It says the U.S. will deny adversaries initial access and recover quickly when incidents occur. All of this is correct in direction.


What it does not do is provide any basis for implementation. There is no named lead agency or coordination mechanism. There is no reference to sector risk management agencies — the departments designated by law as the federal leads for each critical infrastructure sector. The Department of Energy leads for energy. EPA leads for water. The Department of Treasury leads for financial services. These agencies exist precisely to translate national strategy into sector-specific action, and they are not mentioned once. Without a strategic mandate naming them and their roles, there is no basis for holding them accountable or aligning their budgets with the strategy's stated priorities.


More critically: the words "operational technology" do not appear in this strategy. "ICS" does not appear. "OT" does not appear. "Industrial control systems" does not appear. This is not a minor editorial gap. OT and ICS are the systems that run the physical processes in water treatment plants, power substations, and natural gas pipelines. They require specialized security frameworks, dedicated expertise, and sector-specific coordination that is categorically different from IT cybersecurity. As I documented this week, Iranian actors exploited exactly this attack surface — Unitronics programmable logic controllers in water treatment facilities — in 2023. A critical infrastructure pillar that does not name the specific security domain most relevant to the sectors it claims to protect has a foundational gap that no amount of implementation guidance can easily retrofit.


There is also a structural tension in the strategy that experts have already flagged: Pillar 2 calls for deregulating the private sector to promote agility, while Pillar 4 calls for hardening critical infrastructure. In practice, many of the regulations being streamlined or delayed are the ones that mandate critical infrastructure security. The Cyber Incident Reporting for Critical Infrastructure Act — CIRCIA — was supposed to be finalized in October 2025. The administration delayed it to May 2026. The Critical Infrastructure Partnership Advisory Council — CIPAC, the primary mechanism for government-industry collaboration on infrastructure security — was disbanded by DHS last year with no confirmed replacement. The strategy calls for a "new level of relationship between the public and private sectors" without acknowledging that the existing architecture for that relationship was dismantled and has not been rebuilt. These tensions are not resolved in the document, and without an implementation plan that addresses them directly, they will produce incoherence downstream.


Pillar 6 — Build Talent and Capacity — correctly identifies the cyber workforce pipeline as a strategic asset and calls for eliminating bureaucratic barriers between academia, industry, and government. The talent shortage is real and persistent, and elevating it to a named pillar with a strategic commitment is the right call.


But Pillar 6 cannot be read in isolation. At the same moment this strategy commits to building the federal cyber workforce, the federal cyber workforce has been leaving the government at unprecedented rates since January 2025 — and the strategy does not acknowledge this, let alone address it. This is not a rhetorical criticism. It is a factual condition that the implementation guidance will have to confront whether the strategy names it or not, and the failure to name it produces a document that is strategically incomplete in a way that no amount of well-crafted implementation language can fully repair.


The numbers are documented and not in dispute. CISA — the nation’s primary civilian cyber defense agency, founded by the first Trump administration in 2018 — lost roughly one-third of its workforce between January and mid-2025, approximately 1,000 people, through a combination of deferred resignation offers, buyouts, early retirements, and layoffs. That workforce had grown from 1,000 employees in 2018 to nearly 3,200 by January 2025, a growth commensurate with the documented expansion of the threat landscape over that period. As of March 2026, Shelly Hartsook, acting associate director in CISA’s cybersecurity division, resigned — the latest in a steady drumbeat of senior departures that has left nearly all of the agency’s operational divisions and at least half its regional bureaus without permanent leaders. The associate director for threat hunting departed for the private sector. The chief AI officer resigned. The No. 2 official in the cybersecurity division left. The proposed FY2026 budget calls for an additional $491 million cut to CISA’s funding. Even if the administration wanted to rebuild, the proposed budget makes it nearly impossible.


The losses extend beyond CISA. The Department of Homeland Security’s Chief Information Security Officer and Deputy CISO both departed in early 2025, part of what FedScoop reported as a broader effort to consolidate IT and security leadership functions at DHS headquarters — with career professionals replaced by politically-directed appointees in critical component roles. CISA’s acting Director was reassigned, triggering further personnel turmoil within the agency’s IT and human capital shops. The Department of Defense’s CISO position turned over. CTIIC — the Cyber Threat Intelligence Integration Center, which served as the focal integration point between federal cyber intelligence and the private-sector operators of critical infrastructure — was eliminated as part of ODNI 2.0 restructuring.


One former DHS official described the situation plainly: “The brain drain at DHS is dangerous.” Nextgov reported that former officials described it as “the first time in the digital era that the government’s cyber defense has grown worse rather than better.”

The workforce that has departed is not replaceable on any short timeline. Federal cyber professionals carry specialized institutional knowledge — knowledge of agency systems, threat actor behavioral patterns, interagency relationships, sector-specific vulnerabilities, and the hard-won operational familiarity that comes only from years of working in cleared environments with classified threat data. Phil Reitinger, former DHS cyber official and current CEO of the Global Cyber Alliance, described the structural problem directly: “People work for the government because of mission and, in some cases, because the government provides more stability. Both those reasons have been undercut.”


Former NSA Cybersecurity Director Rob Joyce testified to the same conclusion at Black Hat in August 2025: “The number one thing we’ve got to do is restore the capacity and capability in the government.” Multiple former officials have noted that the likely replacement for lost federal talent — contractors — will be both costlier and less effective, because contractors rotate through positions more frequently and cannot replicate the institutional depth that career professionals build. Bob Costello, CISA's own CIO with twenty-three years of government service and eighteen at DHS, departed in early 2026 following an internal leadership dispute that resulted in the acting CISA director seeking his suspension. The Cyber Strategy's Pillar 6 speaks of building the talent pipeline for the next generation of cyber professionals. It does not speak to the generation that was already here.


The losses extend well beyond CISA. Since January 2025, the federal government has shed experienced cyber and technology leadership at the agency level with a consistency that defies the explanation of normal transition-year turnover. Melvin Brown, OPM's newly appointed CIO, was removed from the role on the second day of the administration and reassigned to a non-technology position. James Saunders, who had served as OPM's CISO and then deputy CIO, left federal service entirely by May 2025 and is now Maryland's state CISO — taking institutional knowledge built across OPM and the Small Business Administration with him. Melinda Rogers, who had served the Department of Justice for fifteen years and rose to CIO, departed in late May 2025; DOJ operated without a permanent CIO for months before elevating her deputy. Paul Blahusch, the Labor Department's CISO for six years and a twenty-five-year agency veteran, accepted a deferred resignation in April 2025, leaving Labor simultaneously without a permanent CIO, a deputy CIO, and a CISO. This is only the top tier; the layers of cyber workforce professionals beneath have been decimated across the federal government over the past year.


A strategy pillar that calls for building the cyber workforce talent pipeline while the existing workforce is being dismantled is not a coherent plan — it is a vision statement disconnected from operational reality. A pipeline that produces new talent five or ten years from now does not address the fact that the people who were defending federal networks and advising critical infrastructure operators on January 19, 2025 are largely gone, that some of them have been reassigned to immigration enforcement duties, and that those who remain are, by documented accounts, down thirty to forty percent in mission-critical areas.


Pillar 6 is right about the strategic importance of the cyber workforce. It is silent about the strategic crisis that is the current state of that workforce. The implementation guidance that follows will either acknowledge and address that reality — with specific retention commitments, rehiring authorities, and honest accounting of where the losses have been most severe — or it will not. That choice will determine whether Pillar 6 is a plan or an aspiration.


The convergence of Pillar 4 and Pillar 6 is the devastation to many key teams that crossed these two thresholds. The damage extends to the standards and advocacy infrastructure that the broader cybersecurity community depends on, not just the agencies themselves. At NIST, the Computer Security Division — the group responsible for the Cybersecurity Framework, the NIST SP 800-series, and the post-quantum cryptography standardization effort — has lost more than 20 percent of its federal workforce since January 2025. The departures include Matthew Scholl, the division's chief for over two decades; Tim Hall, who led the Security Testing and Validation Group; and David Ferraiolo, who led the Secure Systems and Applications Group, along with roughly ten additional staff. As of January 2026, NIST's Information Technology Laboratory had shed more than 700 positions in total, and the agency is now working to automate its cryptographic validation backlog because it no longer has the junior staff that work previously required.


Meanwhile at CISA, the Secure by Design initiative — the program that convinced more than 250 technology companies to sign security pledges and began shifting the burden of cybersecurity from end users to software manufacturers — lost all three of its senior architects. Bob Lord and Lauren Zabierek accepted deferred resignations in April 2025; Jack Cable had already departed at the end of the Biden administration. CSO Online summarized the situation plainly: Secure by Design is likely dead at CISA.


At the Department of Energy, the office responsible for Cyber-Informed Engineering — the methodology developed with Idaho National Laboratory to bake security into critical infrastructure design from the earliest engineering stages — was structurally preserved in the DOE reorganization but not from budget cuts: its FY2026 funding request is down 25 percent overall, with the division that houses CIE and the CyTRICS vulnerability testing program taking a 35 percent reduction. The person who built those programs — Cheri Caddy, the Senior Technical Advisor for Cybersecurity at CESER who created CIE, launched DOE's cyber vulnerability testing program, and managed a $50 million annual R&D portfolio at the National Laboratories — left federal service and is now a senior fellow at Auburn University's McCrary Institute. The strategy calls for Cyber-Informed Engineering principles by name. The architect of those principles is gone, and the funding for the people who carry them forward is being cut by a third.


The Cyber Strategy's Pillar 3 calls for modernizing federal networks with zero-trust architecture and AI-powered defenses. The people who built the frameworks those defenses depend on are gone.


What Is Missing Entirely


Beyond the gaps in Pillar 4, there are categories of critical importance to national cyber defense that do not appear in this strategy at all.


There is no treatment of intelligence sharing with critical infrastructure operators. The Information Sharing and Analysis Centers — the sector ISACs — are the primary conduit through which threat intelligence reaches the owners and operators of critical infrastructure. A strategy serious about securing those sectors would establish the federal government's role in that pipeline, direct the relevant agencies to maintain active intelligence-sharing relationships through it, and provide a basis for resourcing that coordination. The strategy does not mention ISACs. It does not describe the mechanism through which federal threat intelligence reaches a water utility in rural Ohio or a municipal power authority in Texas.


There is no treatment of state and local government capacity. The strategy mentions state, local, tribal, and territorial authorities once — in a single sentence stating they should "complement" rather than "substitute for" national cybersecurity efforts. This is a correct principle stated without any content behind it. As I wrote this week, the Senate Environment and Public Works Committee hearing on February 4 — twenty-four days before Operation Epic Fury launched — established that fewer than a quarter of water utilities conduct annual cyber risk assessments, that many share single logins across multiple staff, and that default passwords remain unchanged across systems nationwide. State and local entities own and operate the vast majority of the critical infrastructure this strategy claims to protect. A strategy that addresses their specific capacity gaps only in a subordinate clause has not taken them seriously.


There is no named adversary. A strategy document is not the place to name operational targets, and I am not arguing it should be. But prior national cyber strategies have identified the categories of state-sponsored threat — nation-state actors with persistent access to critical infrastructure networks, for instance — in terms that give implementation planners a basis for prioritizing resources. This strategy's preamble references offensive operations against Iran and Venezuela but does not, anywhere in its six pillars, characterize the nature or severity of state-sponsored threats to the sectors it claims to defend. That leaves sector risk management agencies, budget offices, and implementation planners without a strategic rationale for prioritizing the most dangerous threat categories over less serious ones.


And there is no treatment of the current state of the defensive cyber apparatus. This matters because strategy must be honest about the gap between current posture and desired end state. As I documented this week, the federal cyber defense apparatus — from NSA Cybersecurity to CISA to the sector risk management agencies — is operating with significantly reduced capacity at precisely the moment its mission is most urgent. A strategy that describes a desired future state without acknowledging where the apparatus actually stands today provides no basis for the resource decisions needed to close that gap.


Where the Cyber Strategy Sits in the Broader Architecture: The NSS Problem


The 2026 Cyber Strategy for America is not a stand-alone document. It is subordinate to the National Security Strategy — the overarching framework that defines America’s national interests, priorities, and the role of every instrument of national power in advancing them. Cyber strategies, like defense strategies and economic strategies, derive their mandate, their resourcing rationale, and their strategic logic from the NSS that precedes them. That relationship matters here, because the 2025 NSS is itself extraordinarily thin on cyber — and that thinness has cascading consequences for everything built on top of it.


The contrast with prior strategies is instructive. The 2017 Trump NSS contained a dedicated subsection titled “Keep America Safe in the Cyber Era” within its first pillar. It named specific sectors — energy, banking, health, transportation, communications, and national security systems — as prioritized critical infrastructure and framed cyberspace as a domain integrated throughout the full range of national security concerns. Analysts described the 2017 document as a more thorough treatment of cybersecurity as a core national security concern than prior strategies had achieved. The first Trump administration then followed it with a standalone 35-page National Cyber Strategy in 2018 that explicitly structured its four pillars around the four pillars of the NSS — a deliberate, architecturally coherent nesting that gave the cyber strategy both its mandate and its strategic logic.


The 2022 Biden NSS went further still. It devoted substantial text to cyber as a domain of great-power competition, framed it as inseparable from the contest between democratic and authoritarian governance systems, and explicitly committed to advancing foundational cybersecurity for critical sectors from pipelines to water. It established cyber resilience as a pillar of the broader national resilience framework and called for strengthening public-private partnerships as a core national security instrument. That NSS provided the strategic rationale for the 35-page Biden National Cybersecurity Strategy released in 2023 — a document that named responsible parties, established liability frameworks, addressed OT and ICS systems by name, and created a coordinated implementation structure across sector risk management agencies. The architecture was coherent from top to bottom.


The 2025 NSS, released in November, is a different kind of document. It is oriented primarily around the Western Hemisphere, economic sovereignty, and great-power competition framed through trade and military deterrence. Cyber appears in it largely as a technology domain to be led and won — placed alongside AI, biotech, and quantum computing as areas where the United States must maintain competitive advantage — rather than as a defense domain requiring a dedicated posture. The NSS states that the United States wants a resilient national infrastructure that can withstand natural disasters and thwart foreign threats. That sentence is accurate but generic. It says nothing about the specific mechanisms, agencies, or threat actors relevant to critical infrastructure cyber defense.


There is no dedicated cyber section. There is no characterization of adversary cyber posture — no treatment of Chinese pre-positioning in U.S. critical infrastructure networks, no acknowledgment of Iranian OT targeting, no discussion of Russian hybrid operations. The 2025 NSS acknowledges cyber broadly while treating it as a technology competition problem rather than a homeland defense problem.


The Foundation for Defense of Democracies noted this directly in December 2025, writing that the administration had left one significant homeland security vulnerability unaddressed: a national critical infrastructure that is dangerously exposed in cyberspace, with both Russia and China actively working to exploit it. Brookings observed that the NSS’s framing treats cyber as one element of technology competition rather than as a domain with distinct defense requirements. These assessments reflect a structural reality: the 2025 NSS does not provide a sufficient strategic foundation for critical infrastructure cyber defense, because it does not establish that as a named, resourced, threat-driven priority.


This matters for evaluating the 2026 Cyber Strategy on its own terms. A cyber strategy can only do what its parent NSS authorizes it to do. When the NSS does not establish critical infrastructure cyber defense as a national security priority in specific, threat-based, resourced terms, the cyber strategy built on top of it is left to assert that priority without the foundational authorization to back it. Pillar 4 of the 2026 Cyber Strategy calls for hardening critical infrastructure — but the NSS that frames its strategic mandate does not characterize the adversary threat to that infrastructure, does not name the agencies responsible for defending it, and does not provide the threat-based rationale that drives resource allocation in future budget cycles. The result is a cyber strategy trying to build a second floor on a foundation that was not designed to support it.


The implementation guidance that follows will be the test. If the National Security Presidential Memoranda, Office of Management and Budget Memoranda, and agency-level implementation plans that come next supply the threat characterization, named responsible parties, and resourcing logic that neither the NSS nor the Cyber Strategy currently provides, the thinness at the top of this hierarchy may prove to be deliberate architecture rather than strategic neglect. If they do not, the gap compounds: a cyber strategy with insufficient specificity, nested within a national security strategy with insufficient cyber depth, producing implementation guidance with no coherent mandate to anchor it. That is not a theoretical concern. It is a description of how strategic incoherence translates into operational failure when the attack comes.


A New Dimension the Cybersecurity Community Needs to Be Aware Of


There is one more dimension of this strategy that warrants direct attention — one the cybersecurity community needs to be aware of because it represents a new dimension that has not been part of previous national cyber strategies. The strategy's preamble commits to fighting "the curtailment of free speech" and countering technologies that carry "ideological bias," while Pillar 1 directs the government to "unveil and embarrass" not just espionage and propaganda, but "cultural subversion" — a term that appears nowhere in prior national cyber strategies and has no defined meaning, no limiting scope, and no boundary separating foreign adversary activity from domestic speech.


CyberScoop noted the tension directly: the strategy pledges to "counter the spread of the surveillance state and authoritarian technologies that monitor and repress citizens," even as critics argue this administration has engaged in precisely that conduct domestically. That observation is not partisan commentary. It is a description of documented, on-the-record behavior — and it is the context that gives these undefined terms their significance.


That context is already established. DHS has served hundreds of administrative subpoenas on Google, Meta, Reddit, and Discord — without judicial approval — demanding the names, email addresses, phone numbers, and identifying data behind anonymous social media accounts that tracked or criticized ICE. Google, Meta, and Reddit complied with at least some of those requests. One targeted account, "Montco Community Watch," was a Pennsylvania Facebook page posting bilingual alerts about ICE activity in its community — protected speech, as the ACLU successfully argued before DHS withdrew the subpoena entirely.


NSPM-7, signed in September 2025, reinforces the broader architecture: it uses national security framing to direct law enforcement and intelligence resources against categories of domestic political activity defined by viewpoint rather than conduct. Read together — NSPM-7 implementation guidance, the documented ICE subpoena campaign against major platforms, and a cyber strategy that commits the government's offensive and intelligence cyber capabilities to countering undefined "cultural subversion" and "ideological bias" — the concern is not hypothetical.


The strategy grants no civil liberties guardrails on those terms, names no limiting principle distinguishing foreign adversary activity from domestic dissent, and provides no mechanism for oversight or accountability. Those are not omissions the cybersecurity community can afford to treat as someone else's problem. They are part of what this strategy is.


The Connection to Last Week's Piece


In my piece published last week, I documented a specific and immediate failure: the federal cyber apparatus responsible for defending American critical infrastructure from Iranian retaliation has gone conspicuously quiet at the moment the threat is highest. I described the silence of WaterISAC and E-ISAC. I described the gap between Cyber Command's proven offensive capability and the hollowed-out defensive infrastructure behind it. I asked who is doing the defensive job.


This strategy, read honestly, does not answer that question. It does not name the agencies responsible. It does not establish the coordination mechanism. It does not address the specific attack surface — OT and ICS — that is most exposed. It does not describe how threat intelligence reaches the operators who need to act on it. And it does not acknowledge the condition of the apparatus that is supposed to execute it.


I want to be precise about what I am and am not saying. I am not saying this strategy is without value. The offensive posture is real. The federal network modernization direction is sound. The workforce commitment is warranted. I am saying that on critical infrastructure cyber defense specifically — the domain most directly at risk from the threats this nation faces right now — this strategy provides an insufficient foundation for the implementation guidance that is supposed to follow it. The pillars are present. The substance behind the most important one is not.


The administration has promised implementation guidance. That guidance must do what this strategy does not: name the sector risk management agencies and their roles, establish the OT and ICS security framework, restore the government-industry coordination architecture that was disbanded, direct the ISAC intelligence pipeline, and honestly account for the current state of the defensive apparatus so that the resource decisions needed to rebuild it have a strategic home.


Strategy sets the posture for everything that follows. Right now, the posture on defending American critical infrastructure is insufficiently defined. The implementation guidance that follows this document will either correct that — or it will confirm that the gap I described this week is not a temporary oversight but a settled choice.

In Closing


One final observation, offered without apology: this analysis is longer than the strategy it examines. The document that prompted it is seven pages, more than half of which is preamble. The gaps, contradictions, and omissions documented here required more space to describe than the administration used to address the entire domain of American cybersecurity. That disproportion is not an accident of my writing. It is a reflection of what the strategy chose to leave out — and a measure of how much work remains to be done before the nation has a cyber posture equal to the threats it is already facing.


About the Author

Amy S. Hamilton is the founder of ASH Coaching and Consulting. She served as a Cybersecurity Advisor to the U.S. Department of Energy, where she advised on cyber risk, critical infrastructure protection, and national security strategy. This article is a companion to her March 6, 2026 piece, "We Are Conducting Combat Operations Against Iran Like Cyber Doesn't Exist — Will American Citizens Pay the Price?" available at ashcoachingandconsulting.com.

Sources:


**The Strategy Document**

- White House, "President Trump's Cyber Strategy for America," March 6, 2026 — whitehouse.gov


**NSS Nesting / Strategic Architecture**

- 2025 National Security Strategy — whitehouse.gov, December 2025

- FDD analysis, "NSS Misses the Mark on Cybersecurity," December 2025

- Brookings Institution, December 2025 — cyber as technology competition vs. homeland defense framing

- Lawfare, January 2023 — analysis of 2017 NSS cyber provisions


**Workforce Exodus (CISA)**

- Axios, June 3, 2025 — approximately 1,000 CISA departures, one-third of workforce

- Nextgov/FCW, July 2025 — "first time in the digital era" quote; Phil Reitinger and Rob Joyce quotes

- Federal News Network, March 6, 2026 — Shelly Hartsook departure

- FDD, September 2025 — CTIIC elimination under ODNI 2.0

- Hemant Baidwan and Amanda Day departures — FedScoop, March 2026


**Federal CIO/CISO Departures**

- Melvin Brown/OPM — Nextgov/FCW January 23, 2025; FedScoop January 22, 2025

- James Saunders — StateScoop May 5, 2025; IT Brew June 4, 2025

- Melinda Rogers/DOJ — Nextgov/FCW February 2026

- Paul Blahusch/Labor — MeriTalk April/May 2025

- Bob Costello/CISA — MeriTalk early 2026


**NIST**

- Cybersecurity Dive, May 6, 2025 — Scholl, Hall, Ferraiolo departures; 20%+ CSD loss

- CyberScoop, January 22, 2026 — 700+ total positions shed; encryption validation backlog

- FDD, April 2025 — workforce cut impact on cybersecurity standards

- Congressional letter to Secretary Lutnick, April 2, 2025


**Secure by Design**

- Cybersecurity Dive, April 22, 2025 — Lord and Zabierek departures

- CSO Online, April 28, 2025 — "Secure by Design is likely dead at CISA"


**CESER / Cyber-Informed Engineering**

- DOE FY2026 Congressional Budget Justification, CESER volume, June 2025 — 25% overall cut; RMT division 35% cut; CIE named as priority

- McCrary Institute at Auburn University — Cheri Caddy senior fellow bio

- NREL workshop report — INL/CESER CIE collaboration documentation


**Critical Infrastructure Gap (Pillar 4)**

- Federal News Network — CIPAC dissolution, CIRCIA delay, ANCHOR not stood up

- Nextgov/FCW, Cybersecurity Dive — CISA Stakeholder Engagement Division gutted, October 2025


**Civil Liberties Section**

- CyberScoop — strategy civil liberties expert reaction

- Military.com, TechCrunch, Daily Beast, NOTUS — DHS administrative subpoena campaign; Montco Community Watch

- NSPM-7 documentation



 
 
 
