
Mapping the U.S. Federal Government Ecosystem for Cybersecurity, Privacy, and Trust

A deep dive into federally-funded cybersecurity, privacy, and trust initiatives in the United States in the wake of our near-miss with the NVD.

Apr 25
Ecosystem

Quick — tell me where the Center for Internet Security (CIS) gets its money.

Tough one?!

What about FS-ISAC?

FIDO Alliance?

Let's Encrypt?

Maybe you got some of them. Questions like these are tough ones for regular civilians like me, though.

The whole funding situation with MITRE and the National Vulnerability Database (NVD) made me realize my understanding of the dependencies between federally-funded organizations is lacking.

If you've worked in cybersecurity for a while, your knowledge was probably something like mine before I did the research for this article. I knew about most of the headline organizations, have used many of their frameworks and tools, and generally suspected taxpayer dollars provided some or all of the funding.

What I didn't know turns out to be important: who and where the money comes from.

This is exactly the challenge with the current administration in the United States and its quest for government efficiency.

For the first 20 years of my career, it was fine for me to think this government-backed cybersecurity stuff just works.

I've got news for you: it does not 'just work'. There's a lot of effort, coordination, and money that makes it all go.

Many of the institutions and resources we know and love rely upon layers and layers of complex government mandates, legislation, executive orders, and (importantly) — federal funding.¹

After seeing what happened with the NVD, it sure looks like some of these things could disappear at any minute without much warning.

I want to have an opinion. Humbly, I realized the first step towards having an opinion was understanding all of this better.

This article is literally the (polished) output of the work I've been doing over the past week or so to understand the structure and intricacies of the federally funded cybersecurity, privacy, and trust ecosystem.²

Admittedly, we're crossing over from pure cybersecurity into some broader privacy, trust and safety, ICS/IoT, AI safety, and national security topics. I still think it's important to reference all of them in this context to try and paint a picture of what's relevant for people in the mainline cybersecurity industry.

This is obviously a U.S.-centric view of things. That alone was a lot to bite off for this research. I'm sure other countries have similar scenarios, although this research now makes me wonder if the complexity is uniquely American.

Let me start by telling you why I care about this topic in the first place.

I'm a product of federally funded research

My first real security job was at a public policy research department in college. Some of their grants were state funded, and some were federally funded.

It wasn't a large department, especially compared to the size of some organizations we're going to discuss in this article. We had seven or low eight figures of research funding in any given academic year.

During my senior year of college, I was a research team member for a $16.5 million federal project to explore road use taxes in the United States. The project was a massive experiment in both taxation and user privacy for thousands of field study participants.

This project was a little different than the cybersecurity-specific ones we're going to be talking about in this article. I still think it's relevant because it gave me a taste of how federally funded research works.

Since then, I've assessed companies against NIST standards, audited based on PCAOB standards, implemented passkeys, and (this month!) used MITRE ATT&CK and D3FEND on a product strategy project for a consulting client.

I use the outputs of federally funded research a lot, and sometimes even without realizing it.

My first reaction to the NVD situation was, "oh $#@%, a lot more of this stuff could be going away."

Once you have that realization, a lot of important questions start coming up:

  • What type of organization is MITRE in the first place?
  • Where does its money come from?
  • Which other organizations are like MITRE?
  • Which institutions and research projects is the federal government funding in the first place?

And so on.

I had a partial understanding, but definitely not enough to know the ramifications if some or all of the federally backed institutions and research start disappearing.

The strategic part of this situation has very little to do with whether you politically agree or disagree with government efficiency. It's okay to voice an opinion, but that's not enough. The savvy thing to do is prepare for the worst.

The first step is knowing the blast radius, so to speak. This means mapping out the whole federally funded ecosystem of cybersecurity, privacy, and trust.³

Spoiler alert: there is a whole lot more to the ecosystem than I realized.

A high-level view of the federally funded ecosystem

Before we get into the individual entity types, examples, and what they do, I think it's helpful to see everything at once. I'm giving you the punch line before we dive off the deep end.

This is the top-down view of how power, authority, and funding for cybersecurity, privacy, and trust flows through the U.S. federal government:

Yeah, I know. There's a lot more going on here than I was aware of before putting it all in a single visual.

The important takeaway is that there is a trickle down effect for both money and authority.

Proper departments are the "parent" organizations. There are only 15 of them. Departments have policymaking, budgetary, and executive oversight authority. They receive the money and hand it out to downstream entities for execution.

Federal agencies are the operational arms that perform a particular mission or function. They can either be part of a department or operate independently. This is usually where the actual work happens, or at least gets mobilized.

Things get a lot more complicated from there. Agencies give funding to several other different entity types. Sometimes the funding is sole-sourced, and sometimes it's competitive. Sometimes it's another formal government entity, and sometimes it's not.

The dependencies and nuances keep going.

This is where the controversy starts to come in. It's a question of whether and to what extent the federal government has the authority to use and distribute funds. By extension, this brings up questions about the scope of the federal government's mission.

A core thesis of the current administration's stance on government spending is questioning whether the federal government has the authority to finance activities through administrative power instead of pure legislation.

The answer to this question sways the landscape dramatically.

Why?

A whole lot of administrative power has been used for decades to make all of this happen.

And what administrative power gives, administrative power can take away.

The A to Z of federally funded entities

This is the part where we go down the rabbit hole. It's a deep, dark, and treacherous one. You should still read it, but consider yourself warned.

We need to start at the top with a little bit more detail about federal government departments and agencies, then work our way down through the other types of federally funded entities.

Federal Government Departments

As we said earlier, federal government departments receive the money and hand it out to downstream entities for execution. Here's the surprising part: most of them are involved in funding cybersecurity, privacy, and trust institutions and research.

There are only 15 federal government departments in the United States. Eleven of them control or allocate a material portion of funding for various cybersecurity, privacy and trust activities:

As if 11 wasn't enough, two other closely related entities get honorable mention:

  • Executive Office of the President (EOP): Controls major funding and policy decisions via OMB, ONCD (cyber director), and OSTP.
  • Department of the Treasury / IRS: Funds trust infrastructure for identity verification and anti-fraud.

The only four departments that don't provide direct funding are the Department of the Interior (DOI), Department of Agriculture (USDA), Department of Housing and Urban Development (HUD), and the Department of Labor (DOL).

Now that we know who hands out the money, let's start talking about who does the work.

Federal Government Agencies

Agencies make everything go, regardless of whether they are part of a department or operate independently. These agencies are where the real execution happens.

There are a lot of them:

This list includes a bunch of names you've heard of (CISA, NIST, NSA, and more), plus some you haven't.

The outputs of our federal government agencies are vast. They are the driving force behind most of the activity we're going to discuss in the rest of the article. Most importantly, they are in control of funding and power.

Operators of Federally Funded Research and Development Centers (FFRDCs)

Technically speaking, MITRE is a 501(c)(3) nonprofit. This is a charitable nonprofit, the most common type of nonprofit organization in the United States.

The similarities end here.

MITRE is the operator and manager for several FFRDCs across multiple government sponsors. It exists solely to serve the federal government. It's barred from competing with commercial firms or lobbying.

Think of MITRE like a general contractor who is exclusively licensed by the government to manage certain federal research centers, but the research centers themselves are the FFRDCs.

Seems rare? Sure is.

There are very few organizations like MITRE. Only a handful of nonprofits exist to operate FFRDCs. Here are other cybersecurity-related nonprofits in the same category:

The outputs of the FFRDC operators are tricky to understand, mainly because they're so closely associated with the actual FFRDCs they operate. Their role is to, well — operate FFRDCs, which is where the actual outputs come from.

Federally Funded Research and Development Centers (FFRDCs)

Okay, it's cool that we know who operates the FFRDCs — but what are FFRDCs in the first place?

They are private-sector entities who have long-term relationships with the federal government for special R&D needs. There aren't very many FFRDCs — only 42 active ones today, and an all-time high of 74 back in 1969.

FFRDCs technically operate autonomously from both the federal government and their sponsoring organizations. They're deeply embedded and fully reliant on funding though, so it's debatable how autonomous they actually are.

It's essentially a captive relationship with the government because FFRDCs run on federal funding and aren't allowed to compete or market products and services externally.

This may sound tricky, but it's a pretty sweet deal because most of their projects and funding are sole-sourced from the government without a competitive bidding process.

In theory, FFRDCs do specialized R&D work that can't be done by the government or commercial organizations. This assumption is part of what's being questioned by the current administration: "Are you sure this can't be done by a private company?"

As it stands today, these are the FFRDCs who are closely related to cybersecurity, privacy, and trust:

They produce a lot — way too much to name here. A few examples you've heard of are the NIST special publications, the CERT Coordination Center (CERT/CC), MITRE ATT&CK and D3FEND, and (as we now know) managing the NVD.

University-Affiliated Research Centers (UARCs)

UARCs share some similarities with FFRDCs, but they're Department of Defense-flavored research centers. Unsurprisingly, they're focused on national security and defense, which sometimes crosses over into cybersecurity.

Like FFRDCs, they have long-term contracts and focus areas, but they are specifically tied to a university. Unlike FFRDCs, they get to bid for projects and grants from other agencies.

There are under 20 total UARCs. The cybersecurity-related ones are:

The outputs of UARCs are important but harder to spot. Penn State's Applied Research Lab worked on some heavy infrastructure around secure underwater communication for the Navy. Other UARCs may perform specialized research that gets factored into NIST or other cybersecurity standards.

Federally Supported Nonprofits

Federally supported nonprofits are the more traditional organizations (typically 501(c)(3) charities or institutes) that partner with the government. Even though they're the same nonprofit entity type as FFRDC operators like MITRE, these nonprofits are not directly operating FFRDCs.

They rely heavily on federal support (grants, cooperative agreements, or designated roles) to execute cybersecurity, privacy, or digital trust missions. They are NGOs with their own governance and aren't tied to one agency.

Their work is more project-based and non-recurring, which means they have to clearly demonstrate value and seek renewal or new grants continuously.

There are a lot of federally supported non-profits, including several well-known ones. Here are a few highlights:

Many of the outputs of federally supported nonprofits are highly visible. One of the most well-known ones is CIS's Critical Security Controls. The National Cybersecurity Alliance also does work on privacy awareness and consumer education on behalf of the Federal Trade Commission (FTC).

Public-Private Collaboratives

This is where we start moving away from formal government structures. It's also where the private sector starts coming in.

Public-private collaboratives are exactly what they sound like — partnerships between the government and the private sector to work together on joint cybersecurity, privacy, and trust initiatives.

It's a shared governance model, and both parties contribute time and money. Participation is voluntary. No captive relationships here, at least not directly.

Practically, this means things like information sharing, advisory committees, task forces, joint development of frameworks, coordinated incident response, and co-investment in R&D. A few examples:

The NIST Cybersecurity Framework (CSF) is probably the most widely used and well known output from public-private collaboratives. The federal government covered most of the cost, and the private sector contributed time and expertise.

The DHS/CISA Cybersecurity Advisory Committee and Cyber Safety Review Board (CSRB) highlighted in the table were two other well-known examples. They were swiftly disbanded in January 2025.

It seems reasonable to expect that anything created by an executive order from Joe Biden is going to be put to an end. We have two examples already. There are probably more coming.

Information Sharing and Analysis Centers (ISACs) and ISAOs

ISACs and ISAOs are special-purpose collaboratives for information sharing and analysis. ISACs are industry/sector-specific, and ISAOs are more general. Bill Clinton signed off on starting these back in 1998, and they're still going strong today.

Most are still nonprofit entities, but they're funded by member companies. The government just supports them, provides some coordination, and supplies warnings and intel (like new malware campaigns the FBI discovers). They're not doing much research, just sharing relevant information.

Financial Services ISAC (FS-ISAC) is the one I've heard about the most, and there are several others:

The main output of ISACs and ISAOs is information sharing, but they also produce some targeted reports that inform regulators and policymakers.

This is the ideal model (or at least an acceptable one) from the perspective of the current administration. It also seems like a model that could happen without government involvement if needed.

Research Nonprofit Grantees and Independent R&D Organizations

...colloquially known as think tanks, independent labs, open-source projects, and university centers. These entities exist on their own but receive periodic, project-based funding from the federal government.

Their missions and objectives vary. The spectrum spans all the way from deep technical research to policy research and building community research.

Several of the organizations who fit into this category are well-known, especially the open source projects and technical standards organizations:

The DOT study I worked on in college (and mentioned at the beginning of the article) loosely fits into this bucket. It was primarily a study in road use taxation, but the research involved a study of the privacy implications resulting from the proposed methods. In this case, the output was a policy recommendation.

You've definitely heard of the FIDO Alliance, or at least an output they helped bring into reality: passkeys. Let's Encrypt is another downstream beneficiary who basically brought TLS to the masses.

National Academies Committees and Boards

The National Academies of Sciences, Engineering, and Medicine (NASEM) bring together their own independent expert committees to study specific issues on behalf of Congress or federal agencies.

They can exist as either an ad hoc group for a specific study, or as standing boards/forums around specific topics. Members are independent experts from academia, industry, and former government officials. Their role is purely advisory.

A few examples of cybersecurity-related committees are:

Their main outputs are studies and reports. Rigor, objectivity, and consensus are the name of the game here. They've written on all kinds of topics, including: encryption, cybercrime classification and measurement, cyber resilience, and more.

Emerging Federally Funded Initiatives

There's a lot going on in AI safety, identity, quantum security, and more that doesn't cleanly fit into the buckets we've already discussed. So, we're just going to broadly call these "emerging federally funded initiatives" until they find a home or get cut.

This group is a bit fuzzy, but here are a few examples:

The outputs here vary, but are generally similar to some of the other entity types above: research, reports, and advice for the federal government and the general public.

What isn't federally funded

Unpacking the laundry list of federally funded organizations may have left you wondering what else is out there and whether it's affected or not. Good for you if you were thinking this far ahead. It's totally reasonable.

The good news is that many of the important organizations in and around our industry are privately funded.

Obviously, public and private cybersecurity companies are neither owned nor funded by the government. Many of our public companies have relatively large federal businesses, though. This has been cause for concern on earnings reports since the election, but it's a different topic than we're talking about here.

A more comprehensive list of non-federally funded organizations is probably a social media post or article of its own. I wanted to include a few highlights just to take a few big names off the board of potential cuts:

Some of these may seem obvious, and some may not. The outputs of these organizations vary quite a bit, but the part they have in common is immaterial or no reliance at all on federal funding.

Like it or not, this is probably the model going forward. Knowing which organizations are already self-supported is a decent starting point to prove it can be done.

All of this isn't going away, but any of it could

NVD was not an isolated incident. Near-misses and actual cuts are going to keep happening.

And remember — the situation with NVD isn't even fixed. They just kicked the can down the road by 11 months.

The message was loud and clear, though: "You have 11 months to fix this before we cut off funding for good."

NVD was a wakeup call, but I don't think the sky is falling. DOGE is not going to use this article as a punch list of items for the chopping block.⁴

Several parts are legitimately essential, especially when they're directly supporting national security.

Many of the flagship programs are multiyear appropriations with advance procurement authority. They're harder to cancel, but as we're seeing, anything is possible.

Our federally funded cybersecurity institutions, research, and projects are not all going to get cut.

Some of them definitely will, though.

"Cut" is a relative term, too. The impact of a cut varies based on the situation.

One-off work that's already completed will still be available. We just won't get more of it. If MITRE ATT&CK and D3FEND eventually get cut, the frameworks are still there — but it's on us to keep working on them.

Ongoing things will just stop working until someone else maintains them. When funding for the NVD gets cut, the federal government isn't going to up and delete the database. They're just going to stop paying for the updates.

Some things seem like they could be just fine on their own. The ISACs are one good example. So is anything else that's mostly self-funded and self-organized.

A few things will disappear. The DHS/CISA Cybersecurity Advisory Committee and Cyber Safety Review Board (CSRB) committees that were already cut are just gone. They can always be reconvened, of course — but in the meantime, nothing is happening.

The real challenge is going to be the randomness. Much like tariffs, we aren't going to know what is happening or when. We're just going to get sudden announcements like the one MITRE inexplicably put out a day before their funding for CVE was supposed to end.

Acting as though something is going away tomorrow is paranoid, but coming up with a backup plan starting tomorrow is a good idea if it's mission-critical.

This situation is an opportunity, too. A lot of this federally funded stuff just works, but not all that well. I was surprised with how many Centers-For-This and Institutes-For-That existed.

There wasn't overwhelming consensus from the security community on the current state of NVD, either. Several people pointed out the questionable timing of the announcement and systemic issues with the program itself. The current system works, but there's room for improvement.

Good or bad, we're in for a turbulent year-plus. Or four. Or longer. Sacred cows will be sacrificed. There is going to be a lot of near-term pain.

I'm still hopeful we can make some good out of this.

There probably are ways our government-backed cybersecurity apparatus could run more efficiently. It very well could be holding the bag for some things the government shouldn't need to be responsible for.

It's a lot to ask of the private sector to take on work the government has operated and/or funded for years. Dismantling decades of work this quickly comes with a ton of risk.

I do know this: the resourcefulness and resilience of Americans (miraculously) never fails.


Footnotes

¹I thought James Berthoty's "I'm just a vuln" diagram was well done and exceptionally timely. You could roughly think of this research as a commercial, macro-level derivative where we try and explain the organizational structure and financial dependencies for cybersecurity related federal funding.

²I am definitely not the end-all-be-all expert here, though. Please fact check anything you're relying on and send me edits if you find anything wrong.

³This research is only about federal funding. State and Local Government funding is out of scope. So is federal spending — that is, departments and agencies buying cybersecurity products and services (which they do a lot of, too). This was a big topic on the last round of earnings calls, but it's orthogonal to this discussion.

⁴Probably not. Stranger things have happened, though.
