By NHI Mgmt Group Editorial Team
Published 2026-01-06
Domain: Announcements
Source: Delinea

TL;DR: CISA’s budget cuts, workforce reductions, and shutdown-related furloughs are straining the public ecosystem that supports ATT&CK-aligned guidance and CVE operations, even as MITRE ATT&CK v18 continues to evolve, according to Delinea. Defence programmes that rely on public taxonomies now need internal versioning, mapping governance, and fallback sources because framework continuity is no longer guaranteed by default.


At a glance

What this is: This is an analysis of how CISA funding pressure could weaken the public support system around ATT&CK and CVE, even though ATT&CK itself remains active.

Why it matters: It matters because IAM, NHI, and security teams that map detections, playbooks, and controls to public taxonomies need governance that survives slower updates, fragmented guidance, and ecosystem instability.

By the numbers:

👉 Read Delinea's analysis of CISA funding cuts and ATT&CK dependency


Context

ATT&CK-driven defence programmes assume that public taxonomies, identifiers, and guidance will remain available long enough for teams to map controls, detections, and incidents consistently. This article examines what happens when that assumption weakens because the institutions maintaining CVE and supporting ATT&CK-aligned guidance are under funding pressure.

The practical issue for IAM and security leaders is not whether ATT&CK disappears tomorrow. It is whether the surrounding governance layer (the curation, publication cadence, and public-sector support that make shared taxonomies usable) becomes fragmented enough that internal programmes have to absorb more of the maintenance burden.

For organisations using ATT&CK to structure NHI detections, cloud abuse playbooks, or identity-centric monitoring, the problem is a governance dependency, not a framework failure. That makes version control, internal mapping, and alternate sources part of operational resilience rather than administrative overhead.


Key questions

Q: How should security teams manage ATT&CK mappings if public funding becomes unstable?

A: Security teams should version ATT&CK like any other dependency. Pin the release used by detections, retain the mapping bundle internally, and document any local extensions so reporting and playbooks remain consistent if public updates slow or the ecosystem fragments.

Q: Why do ATT&CK and CVE funding issues matter to identity security teams?

A: They matter because identity programmes often rely on the same public taxonomies to connect vulnerabilities, credentials, and attack behaviour. If CVE access or ATT&CK curation weakens, prioritisation, correlation, and reporting become slower and less consistent, especially for cloud and NHI attack paths.

Q: What breaks when teams treat ATT&CK coverage as a complete defence model?

A: Coverage metrics become misleading when ATT&CK stops reflecting new attacker behaviour quickly enough. The framework still helps, but a static coverage view can hide gaps in cloud identity abuse, SaaS misuse, and other fast-moving techniques that need local overlays and internal mappings.

Q: Which controls help when public threat guidance is delayed or fragmented?

A: Use internal taxonomy governance, mirrored external feeds, and controlled versioning for detections and playbooks. That combination gives you continuity when public guidance shifts, and it lets IAM and security teams keep identity-linked controls aligned to the actual threat surface.


Technical breakdown

Why public taxonomies become fragile under funding pressure

MITRE ATT&CK and CVE are not static documents. They depend on ongoing curation, analyst review, and release management so technique definitions and identifiers stay useful across tools and teams. When funding tightens, the risk is not immediate collapse but slower update cycles, narrower coverage, and more time between real attacker behaviour and public taxonomy representation. That gap matters because security tooling, reporting, and training often assume a stable external reference model. If the reference model drifts, the control layer can still function, but it will increasingly describe yesterday’s threats better than today’s.

Practical implication: Treat ATT&CK and CVE as versioned dependencies and pin the versions used in detections, playbooks, and assurance reporting.

How ATT&CK-dependent detections drift when the ecosystem fragments

Most mature programmes do not use ATT&CK as a poster on the wall. They use it as a normalisation layer across SIEM, EDR, SOAR, threat intelligence, and exposure management. That creates consistency, but it also creates dependency. If public updates slow or vendors begin extending ATT&CK in incompatible ways, the same behaviour may be labelled differently across products, and coverage metrics will become harder to compare. The technical problem is not that detections stop firing. It is that technique-level reporting becomes less trustworthy as a shared language and more like a vendor-specific dialect.

Practical implication: Build an internal TTP catalogue that maps your detections and playbooks to the ATT&CK version you actually use.
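The version pinning and the internal TTP catalogue called for in the two practical implications above, as an added example in Python. This is not Delinea's or MITRE's code: the catalogue format is an assumption made for this example, the two bundles are constructed miniatures in the shape of the STIX bundle MITRE publishes for ATT&CK (same field names on attack-pattern objects), the release label "v17.1" is an assumed value, and TX001, TX002 and T1078.999 are placeholders rather than real ATT&CK IDs (T1078, T1528 and T1552.001 are real IDs, with sample version strings). It stamps the catalogue with the pinned release and a digest of the bundle, checks that every detection maps to a live technique in that release, and reports which detections need review when a newer bundle revises or retires a technique.

```python
"""Pin an ATT&CK release for an internal TTP catalogue and detect drift.

Added example; not Delinea's or MITRE's code. Bundles are constructed stand-ins
for MITRE's STIX bundle (same field names). TX001 / TX002 / T1078.999 are
placeholders, not real ATT&CK IDs; version strings and flags are sample values.
"""
import hashlib
import json

PINNED_RELEASE = "v17.1"  # assumed label for the release the programme pins


def technique(ext_id, name, version, deprecated=False, revoked=False):
    """Build a minimal attack-pattern object using MITRE's STIX field names."""
    return {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_version": version,
        "x_mitre_deprecated": deprecated,
        "revoked": revoked,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
    }

# Constructed pinned bundle.
PINNED_BUNDLE = {"objects": [
    technique("T1078", "Valid Accounts", "2.6"),
    technique("T1528", "Steal Application Access Token", "1.3"),
    technique("T1552.001", "Credentials In Files", "1.2"),
    technique("TX001", "Placeholder technique (not a real ID)", "1.0"),
]}

# Constructed later release: T1078 revised, TX001 retired, TX002 added.
NEWER_BUNDLE = {"objects": [
    technique("T1078", "Valid Accounts", "2.7"),
    technique("T1528", "Steal Application Access Token", "1.3"),
    technique("T1552.001", "Credentials In Files", "1.2"),
    technique("TX001", "Placeholder technique (not a real ID)", "1.0", deprecated=True),
    technique("TX002", "Placeholder new technique (not a real ID)", "1.0"),
]}

# Constructed internal TTP catalogue: each detection lists the techniques it covers.
CATALOGUE = {
    "attack_release": None,
    "attack_digest": None,
    "detections": [
        {"id": "DET-0001", "name": "Service principal sign-in from unseen network", "techniques": ["T1078"]},
        {"id": "DET-0002", "name": "OAuth access token replayed by a second client", "techniques": ["T1528"]},
        {"id": "DET-0003", "name": "Secret written to CI job log", "techniques": ["T1552.001", "TX001"]},
        {"id": "DET-0004", "name": "Mapping typo left in a runbook", "techniques": ["T1078.999"]},
    ],
}


def index_techniques(bundle):
    """Map ATT&CK external IDs to name, version and a combined retired flag."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                index[ref["external_id"]] = {
                    "name": obj["name"],
                    "version": obj.get("x_mitre_version", "0"),
                    "retired": bool(obj.get("x_mitre_deprecated") or obj.get("revoked")),
                }
    return index


def bundle_digest(bundle):
    """SHA-256 over canonical JSON: records exactly which bundle the catalogue was built against."""
    canonical = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def pin_catalogue(catalogue, release, bundle):
    """Return a copy of the catalogue stamped with the release label and bundle digest."""
    return {**catalogue, "attack_release": release, "attack_digest": bundle_digest(bundle)}


def validate_mappings(catalogue, bundle):
    """List (detection, technique, reason) for mappings that are not live in the pinned bundle."""
    index = index_techniques(bundle)
    problems = []
    for det in catalogue["detections"]:
        for tid in det["techniques"]:
            if tid not in index:
                problems.append((det["id"], tid, "unknown in pinned release"))
            elif index[tid]["retired"]:
                problems.append((det["id"], tid, "retired in pinned release"))
    return problems


def drift_report(old_bundle, new_bundle):
    """Compare two releases: techniques removed, added, newly retired, or revised."""
    old, new = index_techniques(old_bundle), index_techniques(new_bundle)
    common = set(old) & set(new)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "retired": sorted(t for t in common if new[t]["retired"] and not old[t]["retired"]),
        "revised": sorted(t for t in common if new[t]["version"] != old[t]["version"]),
    }


def detections_needing_review(catalogue, drift):
    """Detections whose mapped techniques were removed, retired or revised upstream."""
    flagged = set(drift["removed"]) | set(drift["retired"]) | set(drift["revised"])
    return sorted(d["id"] for d in catalogue["detections"] if flagged & set(d["techniques"]))
```

Run validate_mappings against the pinned bundle in CI for the catalogue repository so a typo or a retired technique fails the build, and run drift_report whenever a new upstream release is staged; the review list is the set of detections whose owners must confirm the mapping before the catalogue's attack_release is moved forward.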

Why identity teams should care about CVE and ATT&CK together

Identity security teams often think of ATT&CK as an adversary-behaviour framework and CVE as a vulnerability catalogue, but the two are operationally linked. Attack paths in cloud, SaaS, and NHI environments often combine credential exposure, privilege abuse, and known weaknesses in surrounding platforms or integrations. If CVE access or public guidance becomes less reliable, the downstream effect is slower correlation between vulnerabilities and attack technique mapping. That weakens prioritisation, especially where identity compromise is the entry point and lateral movement depends on weak coverage models.

Practical implication: Mirror the public feeds you rely on and cross-reference them with identity-specific threat models and internal control maps.


Threat narrative

Attacker objective: The objective is not direct compromise but creating blind spots and decision lag by exploiting governance and knowledge fragmentation in defender taxonomies.

  1. Entry occurs when defenders depend on externally maintained taxonomies and identifiers that may no longer update at the pace of current attacker behaviour.
  2. Escalation happens when fragmented ATT&CK dialects and weaker public guidance force teams to reconcile multiple mappings inside their own programme.
  3. Impact shows up as delayed detection coverage, inconsistent reporting, and weaker prioritisation for identity-driven attack paths that no longer map cleanly to the public model.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

ATT&CK and CVE are becoming governance dependencies, not just reference systems. Teams that rely on public taxonomies are depending on a maintained knowledge supply chain, not a neutral lookup table. When public funding tightens, the first failure is usually curation velocity, not the framework brand itself. The practitioner implication is that security architecture now has to assume variable external maintenance.

Versioned taxonomies need internal ownership or they degrade into reporting theatre. ATT&CK mappings only stay meaningful when teams pin versions, document extensions, and govern crosswalks across tools. Without that discipline, coverage dashboards can look coherent while the underlying labels no longer mean the same thing across platforms. The practitioner implication is to treat taxonomy governance as part of detection engineering.

Public-sector pressure is widening the gap between attacker behaviour and shared defensive language. ATT&CK v18 shows the model is still moving, but CISA’s reduced capacity means fewer public resources to help organisations operationalise it. That gap is especially visible in fast-changing cloud and identity attack paths. The practitioner implication is to expect more local adaptation, not less.

Identity teams need a separate lens for cloud and NHI abuse because generic technique coverage will lag there first. Identity-driven intrusion paths often combine credential exposure, privilege misuse, and cloud-control-plane abuse before they are fully captured in shared taxonomies. When public guidance slows, those behaviours are the ones most likely to fall into catch-all categories. The practitioner implication is to maintain identity-specific overlays alongside ATT&CK.

Framework continuity should be measured by programme resilience, not by whether a public matrix still exists. The real test is whether detections, playbooks, and reporting can survive slower updates, altered funding, or competing vendor extensions without losing meaning. That is a governance problem first and a content problem second. The practitioner implication is to design for graceful degradation, not perfect upstream continuity.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • That governance gap is explored further in NHI Lifecycle Management Guide, which shows how rotation, offboarding, and visibility close the operational loop.

What this signals

ATT&CK drift is not a tooling inconvenience; it is a governance signal. As public frameworks face slower curation or fragmented extension, programmes will need their own control plane for taxonomy management. Teams that already maintain internal crosswalks will absorb that change more cleanly than those that treat ATT&CK as a fixed external truth. For a baseline check on NHI exposure risk, see Ultimate Guide to NHIs, Why NHI Security Matters Now.

Public funding pressure will surface first in identity-heavy attack paths. Cloud abuse, credential misuse, and NHI compromise are easier for vendors to describe than for public taxonomies to keep pace with, so those paths need local overlays now. The operational response is to separate your internal detection language from whatever the latest external matrix happens to be.

With 79% of organisations already reporting secrets leaks and 77% of those incidents causing tangible damage, the case for mirrored feeds and internal taxonomy ownership is no longer theoretical. The programme risk is not whether ATT&CK survives, but whether your own mappings remain readable when the public ecosystem gets noisier.


For practitioners

  • Pin the ATT&CK version your programme actually uses: Record the exact ATT&CK release in detection runbooks, tabletop templates, and coverage reports so everyone is working from the same snapshot, even if public updates slow or diverge.
  • Build an internal TTP catalogue with local governance: Create a controlled catalogue that maps internal incident patterns, detections, and playbooks to ATT&CK techniques, then assign owners to approve new mappings and extensions.
  • Mirror the public feeds your programme depends on: Store CVE, KEV, and related references in internal repositories so your vulnerability and exposure workflows continue even if public services become delayed or unavailable.
  • Separate identity-specific patterns from generic technique labels: Add cloud, SaaS, and NHI overlays where ATT&CK is too broad to describe the behaviour you actually see, especially for credential abuse and control-plane misuse.
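The feed mirroring recommended in the list above (and in the earlier practical implication on mirroring public feeds), as an added example in Python that is not Delinea's or CISA's code. It keeps the last good copy of a feed on disk with its SHA-256 recorded beside it, serves that copy marked as stale when the upstream is unreachable or returns something that does not parse, and refuses to serve a stored copy whose bytes no longer match the recorded digest. SAMPLE_FEED is a constructed byte string in the shape of CISA's KEV catalog JSON (a top-level "vulnerabilities" list with "cveID", "vendorProject", "product" and "dateAdded" fields); the CVE IDs in it are placeholders, not real entries, and the file layout and the fetch callback are assumptions made for the example.

```python
"""Mirror a public vulnerability feed and fall back to the mirror when upstream fails.

Added example; not Delinea's or CISA's code. SAMPLE_FEED is constructed in the
shape of the KEV catalog JSON; its CVE IDs are placeholders, not real entries.
"""
import hashlib
import json
import pathlib
import tempfile
import time

SAMPLE_FEED = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleIdP", "product": "Token Service",
         "dateAdded": "2026-01-02"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCI", "product": "Runner",
         "dateAdded": "2026-01-05"},
    ],
}).encode()


class FeedMirror:
    """Last good copy of a feed on disk, with its SHA-256 and retrieval time recorded beside it."""

    def __init__(self, directory, name):
        self.dir = pathlib.Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.data_path = self.dir / f"{name}.json"
        self.meta_path = self.dir / f"{name}.meta.json"

    def refresh(self, fetch, now=None):
        """fetch() returns the raw feed bytes or raises. A malformed body counts as a
        failed fetch, so a bad upstream response never overwrites the good copy."""
        try:
            raw = fetch()
            records = json.loads(raw)["vulnerabilities"]
        except Exception as exc:
            snapshot = self.load()
            if snapshot is None:
                raise RuntimeError("upstream unreachable and no local snapshot exists") from exc
            snapshot["stale"] = True
            snapshot["upstream_error"] = repr(exc)
            return snapshot
        meta = {
            "sha256": hashlib.sha256(raw).hexdigest(),
            "retrieved_at": now if now is not None else time.time(),
            "record_count": len(records),
        }
        self.data_path.write_bytes(raw)
        self.meta_path.write_text(json.dumps(meta))
        return {"records": records, "meta": meta, "stale": False}

    def load(self):
        """Return the stored snapshot, or None; raise if the bytes no longer match the digest."""
        if not (self.data_path.exists() and self.meta_path.exists()):
            return None
        raw = self.data_path.read_bytes()
        meta = json.loads(self.meta_path.read_text())
        if hashlib.sha256(raw).hexdigest() != meta["sha256"]:
            raise ValueError(f"mirror integrity check failed for {self.data_path}")
        return {"records": json.loads(raw)["vulnerabilities"], "meta": meta, "stale": False}


def lookup(snapshot, cve_id):
    """Find one record by CVE ID in a snapshot returned by refresh() or load()."""
    return next((r for r in snapshot["records"] if r["cveID"] == cve_id), None)


def snapshot_age_seconds(snapshot, now=None):
    """How old the served copy is; surface this in reports when serving a stale mirror."""
    return (now if now is not None else time.time()) - snapshot["meta"]["retrieved_at"]


def run_demo(directory=None):
    """Exercise the mirror end to end with constructed inputs and return what was observed."""
    mirror = FeedMirror(directory or tempfile.mkdtemp(), "kev")
    fresh = mirror.refresh(lambda: SAMPLE_FEED, now=1000.0)

    def upstream_down():
        raise ConnectionError("upstream down")

    fallback = mirror.refresh(upstream_down, now=1600.0)
    garbled = mirror.refresh(lambda: b"<html>503</html>", now=1700.0)
    mirror.data_path.write_bytes(b'{"vulnerabilities": []}')  # simulate an altered mirror file
    try:
        mirror.load()
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "fresh_stale": fresh["stale"],
        "fresh_count": fresh["meta"]["record_count"],
        "fallback_stale": fallback["stale"],
        "fallback_age": snapshot_age_seconds(fallback, now=1600.0),
        "fallback_hit": lookup(fallback, "CVE-0000-00002")["product"],
        "garbled_served_from_mirror": garbled["stale"] and len(garbled["records"]) == 2,
        "tamper_detected": tamper_detected,
    }
```

The digest here only catches accidental corruption or a partial write; because the metadata file sits beside the data, anyone who can alter one can alter the other, so for a mirror that feeds prioritisation decisions keep the recorded digest in a separate, more tightly controlled store (or sign the snapshot) and alert when the served copy's age exceeds the cadence you expect from upstream.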

Key takeaways

  • CISA funding pressure does not break ATT&CK outright, but it does weaken the public maintenance ecosystem that makes ATT&CK and CVE operationally useful.
  • Security teams that rely on shared taxonomies need version pinning, internal mappings, and mirrored feeds so coverage reporting stays meaningful under slower public updates.
  • Identity and cloud abuse paths will feel taxonomy drift early, so NHI and IAM teams should add local overlays instead of waiting for the public model to catch up.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.RA-1 | Threat intelligence and taxonomy drift affect how risk is identified and tracked.
NIST Zero Trust (SP 800-207) | PR.AC-1 | Identity-centric attack paths remain central even when public guidance slows.
OWASP Non-Human Identity Top 10 | NHI-03 | NHI abuse and credential exposure are the identity paths most likely to outpace public taxonomy updates.

Map ATT&CK and CVE dependencies into risk processes and document where external taxonomy gaps create coverage blind spots.


Key terms

  • Attack Taxonomy: A structured vocabulary for describing attacker behaviour in a consistent way. In practice, taxonomies like ATT&CK help teams map detections, incidents, and controls to shared technique names so reporting and analysis can be compared across tools and time.
  • Coverage Drift: The gap that appears when a defensive framework no longer keeps pace with real attacker behaviour. The programme still works, but its labels, metrics, and playbooks describe the threat landscape less accurately than before, which weakens prioritisation and governance.
  • Internal TTP Catalogue: An organisation-owned catalogue of tactics, techniques, and procedures that extends public frameworks with local behaviours seen in the environment. It gives teams a controlled reference for detections, playbooks, and mappings when external taxonomies are too broad or too slow.
  • Versioned Dependency: A framework or data source treated like software with a specific release, ownership, and change control. This approach prevents silent drift when the external source changes, and it is especially important for ATT&CK, CVE, and other shared defensive references.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: How CISA funding cuts will impact your dependence on MITRE ATT&CK & CVE. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org