House appropriators pair agentic AI, SBOM demands with proposed $252.7M CISA cut
Congress is demanding new AI security work from the same agency it says has not executed prior funding.
TL;DR
Inside Cybersecurity reports that House appropriators’ fiscal 2027 Department of Homeland Security bill report directs the Cybersecurity and Infrastructure Security Agency (CISA) to publish guidance with the National Institute of Standards and Technology on identity and access management for agentic artificial intelligence, steer $10 million from Continuous Diagnostics and Mitigation toward a federal Software Bill of Materials program, and brief on AI-enabled assessment tools. The same proposal gives CISA $2.35 billion, a $252.7 million decrease. Agencies are first in line. Contractors, Cybersecurity Maturity Model Certification third-party assessment organizations and managed service providers get the downstream procurement problem.
The tasking is specific
Inside Cybersecurity reports that the House Appropriations Committee’s fiscal 2027 Department of Homeland Security bill report would direct the Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance, in consultation with the National Institute of Standards and Technology (NIST), for federal civilian executive branch agencies on secure identity and access management for agentic artificial intelligence (AI) systems. The requested guidance names the operational problem: continuous identity and asset discovery for agents, privileged access and lifecycle governance, zero trust least-privilege controls, and acquisition and supply chain standards.
The cut collides with the assignment
The same report proposes $2.35 billion for CISA in fiscal 2027, a $252.7 million decrease from the prior year, and asks for a briefing within 90 days on budget execution capacity. The committee says CISA has not fully executed appropriated funding and has reprogrammed or transferred funding and personnel contrary to congressional intent in fiscal 2025 and fiscal 2026. That is a serious oversight claim. It also means the committee is assigning new AI security work while arguing that the agency has a demonstrated execution problem.
SBOMs move from study to program
On Software Bill of Materials (SBOM), the report directs $10 million from Continuous Diagnostics and Mitigation (CDM) to implement and expand a federal SBOM capability, with a 90-day report on initiating the program and scaling it across federal systems. CISA has a baseline to build on: CISA and G7 partners released nonmandatory “Software Bill of Materials for AI: Minimum Elements” on May 12, 2026, guidance that says AI SBOM elements should supplement general SBOM recommendations for AI systems.
The report also directs $5 million toward AI-enabled penetration testing, red teaming and automated cyber assessment tools for civilian agencies, with a 120-day briefing on incremental delivery, plus another $5 million for AI Defense Enhancements. For practitioners, the report itself does not change Cybersecurity Maturity Model Certification requirements or federal contract clauses. The practical work is to track the language on identity inventory, privileged access, unauthorized AI asset discovery and acquisition standards before it hardens into questionnaires, assessment evidence and procurement text. The open question is whether CISA can meet the 90-day budget briefing and the 120-day AI tools timeline under the reduced fiscal 2027 topline.
Published · Deep Fathom