October 22, 2025 | Monograph

2025 Annual Report on Implementation

Executive Summary

Our nation’s ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping. For five years, the U.S. Cyberspace Solarium Commission’s (CSC’s) recommendations have served as a benchmark against which to measure policymakers’ commitment to strengthening the nation’s cybersecurity. This report assesses that approximately 35 percent of the commission’s original 82 recommendations have been fully implemented, 34 percent are nearing implementation, and an additional 17 percent are on track to be implemented. By comparison, however, last year’s report concluded that 48 percent had been implemented, 32 percent were nearing implementation, and an additional 12 percent were on track. For the first time, there has been a substantial reversal of the advances made in previous years. Nearly a quarter of fully implemented recommendations have lost that status — an unprecedented setback that underscores the fragility of progress.

Indeed, implementation alone does not guarantee institutional durability; key reforms remain vulnerable to underinvestment or bureaucratic gridlock that slows or prevents new initiatives from taking root. Personnel turnover and shifts in priorities during presidential transitions have historically also slowed cybersecurity progress. This year’s assessment makes clear that technology is evolving faster than federal efforts to secure it. Meanwhile, cuts to cyber diplomacy and science programs and the absence of stable leadership at key agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the State Department, and the Department of Commerce have further eroded momentum.

Progress Towards Implementation of the March 2020 Recommendations

 

Implementation Status

Implemented: The recommendation was included in legislation that has been passed, an executive order issued, or other definitive action taken.

Nearing Implementation/Partial Implementation: The recommendation is included in legislation or an executive order that has a clear path to approval, or it is partially implemented in law/policy.

On Track: The recommendation is being considered for a legislative vehicle, an executive order or other policy is being considered, or there are measurable/reported signs of progress.

Progress Limited/Delayed: The recommendation has not been rejected, but it is not in a legislative vehicle, and there are no known policy actions underway.

Significant Barriers to Implementation: The recommendation is not expected to move in the immediate future but is ready to be taken up if future crises spur action.

Implementation of any one set of recommendations is insufficient on its own to deter, thwart, or mitigate malign cyber activities. Rather, the Cyberspace Solarium Commission designed a new strategic approach — layered cyber deterrence — to reduce the likelihood and impact of significant cyberattacks.

Indeed, many of Washington’s most important policy choices have reflected the commission’s strategy of layered cyber deterrence — the government has been shaping the behavior of foreign states while denying benefits and imposing costs on those who threaten democratic values in cyberspace. In some cases, this is directly through implementation of CSC recommendations; in others, it is indirectly through alignment with the CSC framework. Congressional and White House actions have strengthened U.S. cyber resilience by expanding institutional capacity, improving interagency collaboration, and deepening public-private collaboration. But more work must be done.

Source: Cyberspace Solarium Commission

Shaping behavior. The State Department’s Bureau of Cyberspace and Digital Policy (CDP) plays a critical role in promoting responsible state behavior in international forums. Led by an ambassador-at-large, CDP is uniquely positioned to advance U.S. security and economic interests abroad, enabling federal agencies to focus on strengthening cyber resilience at home. The bureau needs a Senate-confirmed leader to be most effective.

Denying benefits. A successful whole-of-nation approach to deterring adversaries requires strong industry partnerships and stable Senate-confirmed leaders to carry out the mission. The Office of the National Cyber Director (ONCD) has driven strategic alignment across the federal enterprise, while CISA has deepened engagement with critical infrastructure owners and operators and state, local, tribal, and territorial governments. Maintaining these partnerships has been challenging as contract lapses and the weakening of liability protections have strained trust. Private capital continues to reinforce these partnership efforts through initiatives such as Cyber Clinics that support victims of cyberattacks as well as research and development programs that drive innovation.

Imposing costs. U.S. law enforcement agencies and the Department of Defense (DOD) have reinforced deterrence by working with allies and partners to conduct persistent engagement and take down botnets before they reach U.S. networks. But attacks continue, indicating our adversaries are not being forced to bear sufficient costs for their malign activities.

What began as a forward-looking vision has become an urgent set of unfinished tasks. The challenge is to reinforce what has been built and address the gaps that remain. That requires a national cyber director with real budget and authority; empowering CISA and sector risk management agencies; restoring diplomatic tools and foreign assistance to extend U.S. reach abroad; and ensuring the cyber workforce can meet tomorrow’s challenges. Building a more robust domestic response capacity is also becoming a clear need. Lastly, achieving these goals will require reestablishing bipartisan consensus on cybersecurity as a core element of national security.

The United States faces a pivotal decision point. It is up to the administration and Congress to seize this opportunity to secure the gains of the past five years; reinforce its cyber deterrence posture; and send a clear signal of capability, intent, and continuity to its adversaries.

Senator Angus King (advisory)
Former Chairman
Cyberspace Solarium Commission

RADM (Ret.) Mark Montgomery
Executive Director
Cyberspace Solarium Commission

Top 5 Recommendations for the Trump Administration and Congress

Over the past five years, the Cyberspace Solarium Commission helped lay the foundation for stronger U.S. cyber policy, spurring real progress across government and industry. Yet weak statutory authorities, diminished diplomatic capacity, and growing workforce and regulatory gaps continue to threaten national resilience. Addressing these challenges will require action from both Congress and the administration. The following five priorities mark the next phase in strengthening America’s cyber defense in the years ahead.

1. Enhance the Authorities of the Office of the National Cyber Director

The ONCD, created in the fiscal year (FY) 2021 National Defense Authorization Act (NDAA),1 has grown into a permanent fixture of U.S. cyber governance. Although the office has proven effective at convening agencies and shaping strategy, it still lacks the positional authority and interagency relationships needed to enforce decisions across the government. This gap undermines efficiency and slows progress on urgent tasks. The same is true for resources: ONCD can review agency budget submissions but has no authority to align cyber investments across departments, leaving federal resources missing, fragmented, or duplicative. Regulatory oversight presents similar challenges. Without a mandate to harmonize regulations, ONCD cannot resolve the patchwork of conflicting requirements facing critical infrastructure operators, a problem that industry has repeatedly warned is eroding trust in government guidance.2 To address these shortcomings, the ONCD should lead efforts to rewrite the decade-old policy document, known as Presidential Policy Directive 41,3 to clarify responsibilities for the national incident response process. President Donald Trump should issue an executive order to grant ONCD formal convening authority over civilian agency cyber policy, review authority over agency cyber budgets, and a mandate to lead regulatory harmonization efforts through an interagency working group. Elevating ONCD’s role with these actions would provide the clarity and authority needed for ONCD to fulfill its role as the central driver of national cyber policy.

2. Restore the Workforce and Funding of the Cybersecurity and Infrastructure Security Agency

CISA is the federal government’s cyber defense agency, responsible for leading national incident response, issuing threat advisories, and developing resilience programs across sectors. National Security Memorandum 22 reaffirmed this role, designating CISA as the national coordinator for the security and resilience of critical infrastructure.4 Yet CISA’s effectiveness has been weakened by steep workforce and budget cuts that undermine its ability to support operators on the ground. These pressures limit CISA’s ability to scale critical programs that give the administration early visibility into attacks and to share information with private sector partners. By investing in CISA in its role as national coordinator, the administration can prevent disruptions, protect American families, and ensure economic stability. The administration should develop a plan of action and restore staffing and budget levels, with the goal of establishing and reinforcing CISA’s role as national coordinator for the security and resilience of critical infrastructure.5 Congress should provide multiyear funding stability to prevent further erosion of capacity. Empowering CISA strengthens the administration’s hand in deterring adversaries and demonstrates visible leadership in keeping the country safe.

3. Restore Funding and Personnel Dedicated to Cyber Diplomacy and Capacity Building at the State Department

Congress codified the State Department’s CDP with the Cyber Diplomacy Act of 2022. CDP’s mission is to strengthen capacity and confidence among allies and partners.6 Since its codification, CDP has developed key strategies and led engagements with partners — from standing up incident response capabilities to jointly countering authoritarian narratives online. CDP leveraged a dedicated cyber-assistance fund to help nations rapidly mitigate attacks and paired U.S. seed funding with allied and private-sector investment to crowd out Chinese firms seeking to dominate telecommunications and emerging technology supply chains.7 However, CDP’s effectiveness has been constrained by a restructuring effort that fractured cyber expertise across the State Department and stripped away resources that would allow the bureau to coordinate policy and programs effectively, reducing available partner cyber capacity funds. Meanwhile, adversaries like China continue to expand their global digital influence and dominate international technical standard-setting bodies, filling the vacuum left by U.S. retrenchment. The administration should restore CDP’s personnel and resources through reprogramming, supplemental requests, or executive orders, while Congress complements this effort by creating a long-term funding line that ensures the continuity of cyber-capacity building programs. To rebuild trust, the Trump administration must demonstrate to allies that Washington is a reliable partner in building secure digital infrastructure that supports U.S. trade and investment.

4. Maintain and Restore Critical Support to Public Collaboration Effort

The Critical Infrastructure Partnership Advisory Council (CIPAC) has provided a legal framework for information exchange between the federal government and private-sector partners for nearly two decades. The Trump administration’s decision to eliminate CIPAC8 created legal uncertainty around information sharing, undermining long-standing trust between industry and government. Since its elimination, critical infrastructure operators have scaled back their engagement with the federal government out of concern that sensitive company data could be publicly exposed.9 If the Department of Homeland Security (DHS) fails to immediately reinstate CIPAC, Congress should intervene to restore clear legal protections for industry-government dialogue. Congress should also pass a long-term reauthorization of existing cybersecurity information sharing protections.

5. Expand the Talent Pool and Improve Retention of the Cyber Workforce

Since the start of the Trump administration, several workforce decisions have reshaped how the federal government recruits and retains cyber talent. New hiring practices and at-will mandates shift emphasis away from technical qualifications and discourage qualified candidates from pursuing career roles. The rollback of diversity, equity, and inclusion initiatives eliminated programs that had broadened the pipeline of skilled candidates from underrepresented and nontraditional backgrounds, narrowing access to key talent pools. The result is a growing gap in filling critical cyber positions from an already limited talent pool. While the administration has wisely called for both “skills-based” and “merit-based” hiring, it has yet to establish a consistent workforce model to deliver on those goals — risking what had been a rare area of bipartisan consensus around building a skills-based cyber workforce.10 Clarifying a consistent, skills-based model — and broadening the pipelines for nontraditional candidates through apprenticeships, training, and scholarship-for-service programs — will be essential to stabilizing the cyber workforce and ensuring agencies have the expertise to defend the nation’s most critical systems. Also, the government should expand proven skills-based recruitment programs like CyberCorps.
