Expiration of Contract for Critical Cybersecurity Threat Assessment Tasks at CISA
========================================================================
The CyberSentry program, a joint initiative between the Cybersecurity and Infrastructure Security Agency (CISA) and critical infrastructure organizations, has been impacted by a funding lapse and a review of its agreement with Lawrence Livermore National Laboratory (LLNL).
As of July 20, 2025, the funding agreement for LLNL's participation in CyberSentry has expired, causing a halt in threat-hunting operations for critical infrastructure networks. Although the sensors deployed under CyberSentry continue to collect network traffic data, Lawrence Livermore analysts are no longer legally authorized to analyze this data due to the lapse in funding and contract approval.
The CyberSentry program gives CISA deeper insight into its partners' network activity, which helps it disseminate actionable threat information to critical infrastructure owners and operators. LLNL had been supporting CISA's efforts to analyze interdependencies between different facets of critical infrastructure, such as the power grid, water utilities, and transportation.
The loss of LLNL's involvement significantly reduces visibility into operational technology (OT) networks, which are crucial for detecting sophisticated threats like stealthy foreign surveillance or malware tailored for industrial control systems. According to Nate Gleason, LLNL's CyberSentry program leader, the loss of active threat hunting diminishes the ability to detect and act on emerging cyber risks in these vital sectors.
Despite the lapse in LLNL's direct involvement, CISA maintains that the CyberSentry program remains operational overall, with other analysts outside the lab reviewing sensor data and conducting threat analysis. CISA states that its ongoing review of the agreement is a routine step to ensure responsible use of taxpayer funds and mission alignment, and it expresses a commitment to continuing the partnership once the contract is renewed.
The funding agreement for Lawrence Livermore National Laboratory's support for CISA's National Infrastructure Simulation and Analysis Center also expired in March. Analysts at LLNL play a "core" role in CyberSentry by developing advanced analytics to monitor and hunt for threats on the networks for partner organizations.
CISA routinely reviews all agreements and contracts that support its programs to ensure mission alignment and responsible investment of taxpayer dollars. The ongoing review of CISA's agreement with LLNL is part of a broader review of nearly all significant DHS spending under Homeland Security Secretary Kristi Noem.
In summary:
- Contract between CISA & LLNL: Expired July 2025; pending renewal approval by DHS and DOE
- LLNL threat analysis: Temporarily halted due to funding lapse; no legal authority to analyze sensor data
- Sensor data collection: Sensors remain deployed and collecting data, but data not currently analyzed by LLNL
- Cyber threat visibility: Reduced visibility and threat detection capability on critical infrastructure operational technology (OT) networks
- CISA program operation: Program declared operational with other analysts continuing work outside LLNL
- Overall risk: Loss of real-time, AI-driven advanced analytics at national lab level diminishes defense against sophisticated threats
This situation highlights the risk posed by funding and bureaucratic delays to national cyber defense capabilities, particularly for protecting critical infrastructure from emerging and covert cyber threats.
- The ongoing lapse in funding and contract review for the CyberSentry program has paused technology-based threat analysis by Lawrence Livermore National Laboratory, limiting the ability to identify and counter cybersecurity threats in critical infrastructure.
- The expired contract between CISA and LLNL has led to a reduction in the use of advanced AI-driven analytics at the national lab level for detecting and countering sophisticated cyber threats in operational technology networks.