This assessment reviews the implementation of CSC recommendations and identifies top 5 recommendations for the Trump administration and Congress.
Our nation’s ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping. For five years, the U.S. Cyberspace Solarium Commission’s (CSC’s) recommendations have served as a benchmark against which to measure policymakers’ commitment to strengthening the nation’s cybersecurity. This report assesses that approximately 35 percent of the commission’s original 82 recommendations have been fully implemented, 34 percent are nearing implementation, and an additional 17 percent are on track to be implemented. By comparison, however, last year’s report concluded that 48 percent had been implemented, 32 percent were nearing implementation, and an additional 12 percent were on track. For the first time, there has been a substantial reversal of the advances made in previous years. Nearly a quarter of fully implemented recommendations have lost that status — an unprecedented setback that underscores the fragility of progress.
Indeed, implementation alone does not guarantee institutional durability; key reforms remain vulnerable to underinvestment or bureaucratic gridlock that slows or prevents new initiatives from taking root. Personnel turnover and shifts in priorities during presidential transitions have historically also slowed cybersecurity progress. This year’s assessment makes clear that technology is evolving faster than federal efforts to secure it. Meanwhile, cuts to cyber diplomacy and science programs and the absence of stable leadership at key agencies like the Cybersecurity and Infrastructure Agency (CISA), the State Department, and the Department of Commerce have further eroded momentum.
Implementation of any one set of recommendations is insufficient on its own to deter, thwart, or mitigate malign cyber activities. Rather, the Cyberspace Solarium Commission designed a new strategic approach — layered cyber deterrence — to reduce the likelihood and impact of significant cyberattacks.
Indeed, many of Washington’s most important policy choices have reflected the commission’s strategy of layered cyber deterrence — the government has been shaping the behavior of foreign states while denying benefits and imposing costs on those who threaten democratic values in cyberspace. In some cases, this is directly through implementation of CSC recommendations; in others, it is indirectly through alignment with the CSC framework. Congressional and White House action have strengthened U.S. cyber resilience by expanding institutional capacity, improving interagency collaboration, and deepening public-private collaboration. But more work must be done.
Senator Angus King (advisory)
Former Chairman
Cyberspace Solarium Commission
Mark Montgomery
Executive Director
Cyberspace Solarium Commission