Why 2026 Marks the Rise of Unified Risk Operations in Federal Cyber Strategy

The federal landscape is poised for a reset this year as an updated National Cybersecurity Strategy is planned and released. Once announced, governments will reassess how they manage compliance and real-world risk. Federal programs such as the Federal Risk and Authorization Management Program (FedRAMP), the Cybersecurity Maturity Model Certification (CMMC) and new incident reporting requirements have driven significant investment from agencies, software providers and contractors, while CISA has become central to everything from critical infrastructure protection to election-related resilience.

At the same time, geopolitical tensions with China, rapid adoption of artificial intelligence (AI) and state-level action are turning cybersecurity into a strategic domain where emerging technology, governance and mission outcomes collide.

In this environment, 2026 will be defined by how effectively federal leaders translate these challenges into integrated, forward-looking approaches to cyber risk management. We’ll likely see a few outcomes this year:

Pressure on Existing Networks

FedRAMP and CMMC will face scrutiny around cost and compliance burden. Expect attempts to “streamline” or consolidate these programs. We have already seen shifts to new models, many of them productive, such as FedRAMP 20x and continuous authority to operate (cATO). Organizations are likely to face short-term uncertainty, and vendors in authorization pipelines should expect delays.

CISA’s Evolving Role

The agency may shift from regulatory expansion toward more voluntary collaboration with critical infrastructure. The implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) could be softened or delayed. It’s also likely that much of CISA’s private-sector and state-facing programs will be gutted. For sure, there will be no more support for election security initiatives. Expect that CISA will focus more internally on federal civilian agency systems than ever before.

China-Focused Procurement Restrictions

Bipartisan concern about Chinese technology will persist. We’ll see continued, possibly even expanded, restrictions on hardware and software with Chinese ties in federal systems. I believe Beijing’s reported move to bar U.S. and Israeli cybersecurity software is not just a trade decision, but a strategic signal in the broader tech and security contest between China and the U.S.

In this environment, it is likely that the White House will answer with reciprocal restrictions on Chinese technology firms, further hardening the digital and economic fault lines between the two countries. However, the administration will likely cave on the sale of GPUs and other AI technology to China in exchange for agreement on further protections for Taiwan. These restrictions affect risk management beyond just immediate federal contracts.

Offensive Protections

Expect to see the administration entertain the possibilities of Letters of Marque, which would empower authorized private-sector organizations to go on offense at the behest of the federal government. This will likely put a target on the backs of Big Tech companies, increasing pressure on them to “punch back.”

State-Level Divergence

With fewer federal rules in place, states are likely to move faster on their own cyber, AI and privacy laws, as California and New York have already done. This approach can result in a complex and inconsistent set of compliance requirements. For instance, New York State’s new Responsible AI Safety and Education (RAISE) Act aims to create transparency, safety and reporting obligations for “frontier” AI models and sets up a dedicated state AI oversight office.

California has multiple AI laws taking effect in 2026, including new rules for generative AI developers, frontier models, healthcare AI tools, data brokers and automated decision-making, on top of the expanded California Consumer Privacy Act. While Congressional action is possible, albeit unlikely, the Trump administration has already taken action through Executive Order

When Cyber Becomes a Battleground, Unified Risk Operations Will Help Achieve Agency Missions

No matter how this year unfolds politically, one trend is clear: unifying risk management and shifting from traditional security operations centers (SOCs) to agentic AI-driven Risk Operations Centers (ROCs) should become an integrated cyber effort across the federal government. SOCs are like a rearview mirror; they focus on security incidents that have already happened. A ROC looks ahead, aiming to spot and reduce threats and risks before they occur.

Rather than treating cyber incidents, compliance findings and mission disruptions as separate streams, a ROC will bring them into a single operational picture, where cyber risk is quantified, prioritized and acted on in real time.

For agencies under pressure to do more with less, this model turns cybersecurity from a reactive cost into a continuous, mission-aligned function, one that can absorb policy changes, emerging threats and emerging technologies without losing sight of the mission.

Alex Kreilein is Vice President of Product Security & Public Sector Solutions at Qualys (NASDAQ: QLYS), where he ensures Qualys products are secure, resilient, and provably trustworthy for government and regulated industry use. He leads initiatives across Security by Design, DevSecOps, FedRAMP, the Qualys Product Security Incident Response Team (PSIRT), and Public Sector Solutions. Previously, Alex led mission-critical engineering programs at Microsoft Azure, served in lead roles at Department of Homeland Security, and was a Research Fellow at NIST. A former SaaS company CISO and cybersecurity venture investor, he co-founded the nation’s first cybersecurity bootcamp. Alex holds graduate degrees from CU Boulder and the U.S. Naval War College.
