The U.S. Government Accountability Office (GAO) found that the Department of Homeland Security’s major cybersecurity acquisition programs continue to play a central role in strengthening federal cyber defenses, but several efforts face challenges associated with a rapidly evolving threat environment, changing mission requirements, and technology modernization demands. Among the cybersecurity programs reviewed were the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) program, CyberSentry, the Cyber Analytic and Data System, and Next Generation Network Priority Services initiatives, all aimed at improving visibility, threat detection, and resilience across federal networks and critical infrastructure.
The report noted that DHS acquisition programs have experienced cost and schedule changes since their initial baselines, reflecting the complexity of adapting cybersecurity capabilities to emerging threats and operational requirements.
At the same time, GAO found that cybersecurity programs continue to advance key milestones while operating in a dynamic environment where agencies must balance modernization, risk management, and mission delivery. The findings underscore the growing importance of sustained investment in federal cybersecurity programs as government networks and critical infrastructure face increasingly sophisticated cyber threats.
“As of September 30, 2025, 15 of the 19 programs had revised their baseline goals since initially setting them, some of them multiple times. Most programs with revised baselines delayed their plans to deliver full capabilities,” the GAO reported. “Baselined costs collectively increased a projected $11.4 billion, or 26 percent, since they were first set. Of those 19 programs, 18 were meeting their most recent baseline goals. One program—the Coast Guard’s Offshore Patrol Cutter—has ongoing efforts to revise its baseline to reflect recent schedule delays and cost increases.”
It added that DHS acquisition programs continue to operate in a rapidly changing environment that affects their ability to manage cost and schedule risks. Workforce reductions remain a significant concern, with eight programs reporting staffing declines of at least 20% during fiscal year 2025, resulting in the loss of critical subject matter expertise and technical skills. Program oversight has also been affected by organizational changes. In October 2025, DHS dissolved the office responsible for department-level oversight of major acquisition programs and reassigned some responsibilities elsewhere within the department.
As of January 2026, officials remained uncertain about the future scope of oversight, although part of the office was reestablished in May 2026. Funding levels also continue to shape program execution, with 12 of the 27 programs expecting to receive at least $14 billion through the 2025 Budget Reconciliation Act.
GAO conducted the review because DHS now expects to spend more than $55 billion on its major acquisition portfolio, roughly $11 billion above original projections. The assessment, mandated by congressional appropriations language, examined how DHS acquisition programs have performed against their approved cost, schedule, and performance baselines and evaluated risks across the department’s broader acquisition portfolio.
To conduct the review, GAO analyzed 27 of DHS’s largest acquisition programs as of the end of fiscal year 2025, including 19 programs with approved acquisition baselines, and reviewed program documentation, performance data, and interviews with DHS officials.
The watchdog reported that most of the 19 baselined programs reviewed are meeting their current cost targets, but their combined projected costs have increased by approximately $11.4 billion since the programs established their original baselines, a rise comparable to that identified in GAO’s 2024 annual assessment.
“Three programs—CISA’s CDM program and Coast Guard’s NSC and OPC programs—accounted for the majority of this cost increase. Projected costs for the CDM program grew by $4 billion, while NSC and OPC grew by $3.5 billion and $2 billion, respectively,” according to the report. “In the case of the CDM program, the cost growth reflected the addition of capability requirements and additional functionality to the cybersecurity program, while the NSC cost growth primarily resulted from adding three more ships than originally baselined. In contrast, OPC costs grew because of design instability, awarding a contract to a second shipbuilder, hurricane damage, and increased infrastructure cost.”
GAO reported that the programs that started testing are making progress. “By the end of fiscal year 2025, nine programs demonstrated through testing that they met all their performance goals, also known as key performance parameters (KPP). This includes CISA’s Next Generation Network Priority Services (NGN-PS) Phase 1 program, which is now meeting all of its KPPs following the completion of testing for increment. Three other programs met at least one KPP. Of note, TSA’s Checkpoint Property Screening System program is not meeting its KPP for cyber resilience for two screening system configurations.”
It added that TSA officials said the remaining configurations continue to meet all KPPs, and that they are working with vendors to mitigate concerns for the affected configurations. The remaining 15 programs in our selected sample have not yet started testing. The CDM, CyberSentry, CBTT, and Multi-Role Enforcement Aircraft programs plan to conduct testing in fiscal year 2026.
Program officials stated that CDM is on track to achieve ADE 3 and FOC, albeit with a new definition, in 2026. Program officials stated they are revising the definition of FOC in the program baseline to address greater focus on the operational realities of how the CDM dashboard operates and is used, and agency priorities on data collected. Program officials added that they do not anticipate changes to schedule goals, but are pursuing an administrative adjustment to the cost goals related to the Endpoint Detection and Response subcapability. These officials expect to complete the update to cost goals and FOC definition by June 2026.
Last March, CDM updated its planned program lifecycle cost estimate to $5.7 billion for acquisition costs. The program saw an increase in estimated costs as compared with the prior year, which program officials mostly attributed to inflation.
CDM began testing Asset Management capability KPPs on DHS networks in summer 2024 and completed an operational assessment later that year, with a formal assessment letter issued in April 2025. The capability was rated as having moderate risk to operational effectiveness and low risk to operational suitability, while cyber resilience was not assessed. Testing recommendations included streamlining KPPs to make them more measurable and testable. User feedback generally found the dashboard useful, although some users reported difficulties downloading large datasets.
In July 2024, DHS designated CyberSentry as a rapid acquisition program, making it only the second DHS initiative to use the framework. Program officials said CyberSentry’s reliance on mature technology and commercial off-the-shelf hardware and software made it ideal for accelerated acquisition approach. Although the program had planned to reach its first major acquisition milestone and enter the obtain phase in June 2025, that decision was postponed to fiscal year 2026 due to leadership direction and updates to DHS acquisition requirements. Program officials are currently reassessing future milestones and schedules.
“In January 2026, program officials estimated a total PC&I cost of approximately $155 million,” GAO reported. “According to program officials, they are completing an affordability analysis to account for budget constraints, which could reduce the number of organizations the program can partner with. The program reported that it did not receive any OBBBA funding. In July 2025, officials said the program had not yet undergone testing, but initial operational test and evaluation events are scheduled for fiscal year 2026 to evaluate the effectiveness, suitability, and resilience of the program.”
As of last August, the program partnered with 42 organizations across national critical functions such as emergency response systems and transportation, according to program officials. These officials stated that the program originally planned to partner with 57 organizations by the end of fiscal year 2026, but this number may change depending on final funding decisions. Without fully deploying its capabilities, program officials explained, the program will be unable to detect, deter, and respond to threats in real time across the critical infrastructure that supports national security, the economy, and public safety.
“In its September 2024 preliminary acquisition baseline, CADS estimated a total acquisition cost of $2.2 billion with an additional $325 million per year through fiscal year 2034 in sustainment costs,” GAO reported. “According to officials, the program is currently reevaluating these estimates in preparation for the R2 milestone. They also reported that they did not receive any OBBBA funding. CADS planned to reach the R2 milestone—approving production through disposal—by December 2025. Program officials told us, however, that upcoming changes to the DHS acquisition management directive are likely to affect the program’s continuation on the rapid pathway, but it is too soon to know exactly how.”
CADS also finalized its test and evaluation strategy in September 2024, which established program key performance parameters and testing plans. CADS planned to conduct initial operational testing by October 2025, but program officials said that this could not occur as a contract with the independent testing agent ended. DOT&E has not been notified if or when operational testing will be scheduled.
The NGN-PS program was established to ensure continuous federal communications during emergencies by leveraging commercially operated communications infrastructure. Managed by CISA, the program achieved full operational capability for its first two increments in 2018 and 2022 and is now working toward full deployment of its third increment, which depends on service providers completing network upgrades and operational testing.
CISA officials said NGN-PS was originally on track to achieve its final acquisition milestone by September 2025 and full operational capability by December 2025. Although acquisition reviews were delayed by funding disruptions and organizational changes, the program declared full operational capability in October 2025, two months ahead of schedule.
However, the termination of an integration services contract resulted in the loss of support from 16 regional carriers, reducing priority communications coverage in rural areas, including Puerto Rico, Hawaii, and Alaska. The program remains within its $868 million cost baseline and is working to establish a replacement integration contract.
NGN-PS Phase 1 has met all six of its key performance parameters, with the final requirement, wired call quality, validated during testing for increment.
While the program was deemed operationally effective and suitable, it was not rated cyber resilient because its capabilities depend on commercial service provider networks that remain vulnerable to cyber threats. To address this risk,
CISA added cybersecurity requirements for major service providers, including cyber tabletop exercises and security protocol attestations. Officials also reported the loss of eight supporting contracts and five federal staff members, though they do not expect these reductions to affect the nearly completed Phase 1, while future phases could face impacts.
NGN-PS Phase 2 continues to face significant funding challenges that are expected to delay key milestones and reshape the program’s scope. After previously pushing its ADE 2B milestone from December 2024 to December 2026 due to funding shortfalls, the program now expects annual funding over the next five years to decline by 28%, from $25 million to $18 million. In response, CISA is developing a revised plan that prioritizes deployment of 5G signaling and 5G voice capabilities with major service providers by 2030, while deferring other planned Phase 2 capabilities until additional funding becomes available.
The program’s performance requirements remain under development, with officials considering revisions to key performance parameters and a phased implementation approach similar to Phase 1. Testing will rely on developmental and operational evaluations conducted by service providers on their own networks, with government oversight to verify performance and readiness. Funding constraints have also forced CISA to halt several proof-of-concept efforts focused on cybersecurity, interoperability, Wi-Fi, alternative network technologies, and future data and video services.
Program management has been further strained by workforce reductions and contract terminations. CISA reported ending or not renewing eight NGN-PS support contracts and losing five of its 13 federal staff members through workforce reduction initiatives. While the agency has temporarily reassigned personnel from within its Emergency Communications Division to support the program, officials warned that the approach is not sustainable and noted that the loss of in-house engineering and cybersecurity expertise has complicated efforts to replan Phase 2.
GAO will continue to monitor DHS’s updated acquisition oversight structure as well as DHS’s portfolio of major acquisition programs.
