TL;DR: The Cyberspace Solarium Commission says US federal cyber defense has regressed for the first time since it began annual assessments in 2020, with 35% of 82 recommendations now fully implemented after almost half were at 48% in 2024, according to Swarmnetics citing CSC. Budget cuts, staffing gaps, and weakened coordination are turning preparedness into a governance problem, not just a funding problem.
NHIMG editorial — based on content published by Swarmnetics: US Federal Cyber Defense is Slipping, Warns Cyberspace Solarium Commission
By the numbers:
- The report finds that 35% of 82 recommendations are now fully implemented, down from 48% in 2024.
- The report covers 82 ongoing recommendations across six cyber defense pillars.
Questions worth separating out
Q: How should security teams plan for weakening national cyber coordination?
A: Security teams should treat national coordination as an input, not a guarantee.
Q: Why do cryptographic changes matter to IAM and NHI programmes?
A: IAM and NHI programmes rely on certificates, signing keys, and token trust to establish who or what is authenticated.
Q: What breaks when cyber recommendations are treated as permanently solved?
A: Controls become brittle when teams assume implementation is final.
Practitioner guidance
- Revalidate dependencies on federal threat intelligence Identify which incident response, monitoring, and escalation playbooks depend on federal advisories or sector coordination.
- Map governance controls to funding and staffing assumptions Review which cyber, identity, and resilience controls only work if named teams remain in place.
- Separate stable controls from policy-dependent controls Classify cyber controls by how much they rely on external institutions, such as national guidance, shared reporting, or advisory councils.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- A fuller breakdown of the 82 CSC recommendations and which pillars lost momentum in 2025.
- The report’s specific funding and staffing concerns across CISA, the State Department, and related cyber bodies.
- The rationale behind restoring CIPAC and expanding the Office of the National Cyber Director's budget authority.
- The article's discussion of congressional structure, breach notification standards, and AI oversight capacity.
👉 Read Swarmnetics' analysis of the Cyberspace Solarium Commission's 2025 cyber defence warning →
Federal cyber defense backsliding: what security teams should watch?
Explore further
Federal cyber defence is now a resilience problem, not only a budget problem. The report shows that implementation can regress when funding, staffing, and leadership continuity are disrupted. That means control maturity is conditional on institutional stability, not merely policy intent. For practitioners, the lesson is to model governance failure as a real threat to cyber resilience.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which makes governance regression especially hard to spot in large environments.
A question worth separating out:
Q: Who is accountable when national cyber governance weakens?
A: Accountability is shared, but it is not diffuse. Policymakers remain responsible for maintaining institutional capacity, while enterprise security teams must assume that federal guidance may be incomplete or delayed. Practitioners should document which decisions rely on external governance so accountability does not vanish into assumptions.
👉 Read our full editorial: US federal cyber defense is regressing under budget cuts