With days left until current funding expires on September 30, time is running out for lawmakers to pass appropriations bills or a temporary funding measure - known as a continuing resolution (CR) - to prevent a government shutdown. As the threat of a government shutdown looms with Republicans and Democrats remaining divided, agencies are preparing their contingency plans to determine which government operations and personnel are considered excepted and can continue operating during a lapse of appropriations.
Exempted Activities Under the Anti-Deficiency Act
The Anti-Deficiency Act plays a pivotal role during a government shutdown, guiding agencies on what they can and cannot do in the absence of appropriations. It’s important to understand that while the Act generally prohibits agencies from incurring obligations beyond their appropriations, there are limited exceptions. These exceptions fall into three general categories:
- A statute or other legal requirement expressly authorizes an agency to obligate funds in advance of appropriations.
- The function addresses emergency circumstances such that the suspension of the function would imminently threaten the safety of human life or the protection of property.
- The function is necessary to the discharge of the President’s constitutional duties and powers.
Within these parameters, each Administration has a degree of flexibility in how it interprets these categories. Under the previous Administration, the Office of Management and Budget (OMB) gave agencies wide discretion to determine which services were excepted from shutdown.
Impact to Cybersecurity
Since the last few shutdowns, the scope of the nation’s cybersecurity work has grown significantly, which means that the impact of a shutdown on cybersecurity can be much greater than it has been in the past. Below are potential effects that a shutdown can have on U.S. cybersecurity:
- Reduced Cybersecurity Workforce: Many federal employees, including those working on cybersecurity, may be furloughed. With a talent shortage in this space already, having an external event result in the reduction of cybersecurity personnel at work exacerbates the challenges faced by government agencies and organizations alike. We have already seen that the Cybersecurity and Infrastructure Security Agency (CISA) is planning on furloughing more than 80% of its workforce if a shutdown occurs. The Department of Homeland Security’s plan for “Lapse in Appropriations” shows that CISA will have “571 employees as the total number excepted and estimated to be retained during a shutdown.” While we anticipate CISA’s operationally focused missions will be considered excepted, the reduction in workforce will undoubtedly cause delays. This reduction not only weakens our collective ability to address cyber threats, but it leaves room for adversaries to target vulnerable systems, knowing that resources will be limited.
- Delay in Patches and Slower Incident Response: With reduced staffing and resources, we expect that government agencies will be delayed in securing their systems and applying patches promptly and may experience delays in identifying and responding to newfound cyber threats.
- Impact on Information-Sharing: Information-sharing is a critical aspect of cybersecurity, with agencies sharing intelligence not only with one another but with private sector partners as well. A shutdown will likely reduce the flow of this information, making it harder for organizations to address emerging threats.
- Contracting Delays: Many cybersecurity contracts may be paused or significantly delayed. No new contracts or modifications will be issued or awarded, especially if those contracts have funding tails that rely on appropriations in the next fiscal year. However, not all government contracts will be affected. Cyber contracts that are funded for a period that crosses over the fiscal year and are for services and supplies that may be deemed excepted are permitted to continue.
- Regulatory Impacts: We expect the majority of cybersecurity initiatives currently in the Federal Acquisition Regulation or other regulatory process to be paused or delayed. This would include many of the activities still underway as part of the Executive Order on Improving the Nation’s Cybersecurity.
As the countdown to the funding deadline continues, the potential of a government shutdown underscores the critical need for cyber defenders to proactively implement controls that add resilience to systems against ongoing and emerging threats. In light of external disruptions, our defenses must be prepared and agile to withstand the unexpected.