GAO Report: DHS Cybersecurity Modernization Programs Face Cost, Staffing, and Threat Evolution Challenges

Executive Summary

A U.S. Government Accountability Office (GAO) report published on June 12, 2026, provides an assessment of the Department of Homeland Security's (DHS) major cybersecurity acquisition programs. The report concludes that while these programs are fundamental to bolstering the resilience of federal civilian agencies, they are grappling with significant challenges. These hurdles include a rapidly evolving threat landscape, changing mission requirements, and persistent issues with costs, staffing, and acquisition processes. The GAO reviewed key initiatives managed by the Cybersecurity and Infrastructure Security Agency (CISA), such as the Continuous Diagnostics and Mitigation (CDM) program, finding that while milestones are being met, ongoing adaptation and investment are critical for long-term success.

Regulatory Details

The GAO report, titled "DHS CYBER: Major Acquisition Programs Face Cost, Schedule, and Performance Challenges" (GAO-26-107983), is an oversight document intended for Congress and federal agency leaders. It evaluates the progress and challenges of DHS's portfolio of cybersecurity programs designed to protect federal networks.

Key Findings:

• Evolving Threats: The programs struggle to keep pace with the increasing sophistication of cyber threats from nation-states and criminal actors.
• Cost and Staffing: Mounting program costs and a shortage of skilled cybersecurity professionals pose significant risks to program execution and long-term viability.
• Acquisition Hurdles: The federal acquisition process can be slow and cumbersome, making it difficult to procure and deploy new technologies quickly enough to counter emerging threats.
• Program Progress: Despite these challenges, the report acknowledges that key programs are making progress. For example, the CDM program is on track to meet its goals for 2026, though this is based on a revised definition of "Full Operational Capability" (FOC) for its central dashboard.

Affected Organizations

The report's findings directly concern the Department of Homeland Security (DHS) and its operational arm, CISA. The performance of these programs impacts the cybersecurity posture of all Federal Civilian Executive Branch (FCEB) agencies that rely on them for threat detection, visibility, and incident response.

Compliance Requirements

The report does not impose new compliance rules but provides recommendations to DHS to improve program management and oversight. These recommendations typically focus on:

• Improving cost estimation and budget justification.
• Developing robust strategies for workforce development and retention.
• Streamlining acquisition processes for cybersecurity technologies.
• Establishing clearer performance metrics and milestones for programs like CDM.

Impact Assessment

• Federal Government Risk: The challenges identified in the report indicate a persistent risk to federal government networks and the sensitive data they hold. If these programs falter, the U.S. government's ability to defend against major cyberattacks could be compromised.
• Critical Infrastructure Protection: Many of these programs, like CyberSentry, also extend to protecting U.S. critical infrastructure. Challenges in these areas have national security implications.
• Need for Sustained Investment: The report underscores that cybersecurity is not a one-time fix but requires continuous, sustained investment and modernization. It serves as a justification for Congress to maintain or increase funding for these critical programs, despite cost pressures.

Enforcement & Penalties

As an oversight body, the GAO does not have enforcement power. However, its reports carry significant weight with Congress, which controls agency budgets. Poor performance highlighted in a GAO report can lead to increased congressional scrutiny, budget cuts, or mandated changes in program management.

Compliance Guidance

For federal agencies relying on DHS programs, the guidance is to:

• Engage Actively with CISA: Work closely with CISA to understand the capabilities and limitations of the provided tools and services.
• Implement Compensating Controls: Do not rely solely on DHS-provided capabilities. Agencies must continue to invest in their own cybersecurity measures and personnel.
• Provide Feedback: Offer constructive feedback to DHS/CISA on the effectiveness of the programs to help drive improvements.