
As 2025 comes to a close, MeriTalk is taking a look back at the year in federal cybersecurity. From policy updates and leadership changes to audits, guidance, and major program developments, agencies spent the year responding to persistent threats while adjusting long-term cyber strategies.
A year marked by persistent cyber threats
The year opened with fallout from a cybersecurity incident at the Treasury Department. Software provider BeyondTrust disclosed in December that a China state-sponsored threat actor compromised a remote access support key, allowing access to Treasury workstations and some unclassified documents.
The Cybersecurity and Infrastructure Security Agency (CISA) said it worked with Treasury and BeyondTrust and found no evidence that other agencies were affected.
This year also saw geopolitical tensions heightening cyber concerns.
After U.S. bombings of Iranian nuclear facilities in June, the Department of Homeland Security (DHS) issued a nationwide alert warning of possible retaliatory cyber activity. DHS and CISA also cautioned that Iranian-linked actors often target poorly secured U.S. networks and critical infrastructure, while a joint advisory warned defense contractors tied to Israeli firms faced increased risk.
Additionally, China-linked activity remained a recurring issue.
Officials confirmed that the hacking group Salt Typhoon targeted multiple National Guard networks in 2024, with effects extending into 2025. Later, CISA and international partners warned about BRICKSTORM malware, which enabled long-term access to government and private-sector networks using stolen service account credentials.
Cyber risks also reached the judicial branch, where officials reported escalated attacks on the federal court system’s electronic case filing platform.
Policy shifts and executive action
Cybersecurity in 2025 was not only about incidents – it was also a year of consequential policy moves.
Just days before leaving office, former President Joe Biden signed his final cybersecurity-focused executive order. Issued four days before the transition to a new Trump administration, the order sought to strengthen security across federal systems, cloud services, and software supply chains. It built on Biden’s landmark 2021 cybersecurity EO, continuing the push toward cloud adoption and zero trust architectures.
In March, President Donald Trump signed an executive order shifting more responsibility for cyber preparedness to states and local governments. Democrats, including Rep. Eric Swalwell, D-Calif., warned that less-resourced states could face increased exposure to nation-state threats.
Congress, shutdowns, and cyber funding
Legislative activity around cybersecurity was turbulent, particularly during the fall. A government shutdown in October disrupted federal operations and allowed key cyber-related authorities to lapse.
The Cybersecurity Information Sharing Act of 2015 (CISA 15) and the State and Local Cybersecurity Grant Program (SLCGP) expired Sept. 30, raising concerns across the cyber community.
Congress later approved a funding package extending the SLCGP and CISA 15 through Jan. 30.
Momentum picked up as the House passed the PILLAR Act and Strengthening Cyber Resilience Against State-Sponsored Threats Act to reauthorize the SLCGP and create a China-focused task force. In the Senate, Sens. Maggie Hassan and John Cornyn introduced bipartisan legislation to reauthorize the SLCGP, supporting state, local, and tribal cybersecurity efforts.
Reauthorizing CISA 15 remains uncertain, with lawmakers considering another short-term extension.
Cybersecurity at the DOD
Inside the Pentagon, 2025 brought some of the most significant changes of the year.
After years of development, the Defense Department (DOD) finalized and began rolling out its Cybersecurity Maturity Model Certification (CMMC) program. The rule took effect Nov. 10, formally enforcing CMMC requirements in defense contracts after a long period of voluntary compliance. Implementation will occur in four phases over three years, with lighter self-assessment requirements early on.
Another major shift came in September, when the DOD moved to replace its longstanding Risk Management Framework. Acting DOD Chief Information Officer Katie Arrington rolled out the Cybersecurity Risk Management Construct, emphasizing automation, continuous monitoring, and real-time risk management over what officials described as a slow, checklist-driven approach.