With days left until current funding expires on September 30, time is running out for lawmakers to pass appropriations bills or a temporary funding measure - known as a continuing resolution (CR) - to prevent a government shutdown. As the threat of a government shutdown looms with Republicans and Democrats remaining divided, agencies are preparing their contingency plans to determine which government operations and personnel are considered excepted and can continue operating during a lapse of appropriations. 

Exempted Activities Under the Anti-Deficiency Act

The Anti-Deficiency Act plays a pivotal role during a government shutdown, guiding agencies on what they can and cannot do in the absence of appropriations. It’s important to understand that while the Act generally prohibits agencies from incurring obligations beyond their appropriations, there are limited exceptions. These exceptions fall into three general categories:

  1. A statute or other legal requirement expressly authorizes an agency to obligate funds in advance of appropriations.
  2. The function addresses emergency circumstances such that the suspension of the function would imminently threaten the safety of human life or the protection of property.
  3. The function is necessary to the discharge of the President’s constitutional duties and powers.

Within these parameters, each Administration has a degree of flexibility in how it interprets these categories. Under the previous Administration, the Office of Management and Budget (OMB) gave agencies wide discretion to determine which services were excepted from shutdown.

Impact to Cybersecurity

Since the last few shutdowns, the scope of the nation’s cybersecurity work has grown significantly, which means that a shutdown's impact on cybersecurity can be much greater than it has been in the past. Below are potential effects that a shutdown can have on U.S. cybersecurity:

  • Reduced Cybersecurity Workforce: Many federal employees, including those working on cybersecurity, may be furloughed. With a talent shortage in this space already, an external event that reduces the number of cybersecurity personnel at work exacerbates the challenges faced by government agencies and organizations alike. We have already seen that the Cybersecurity and Infrastructure Security Agency (CISA) is planning on furloughing more than 80% of its workforce if a shutdown occurs. The Department of Homeland Security’s plan for “Lapse in Appropriations” shows that CISA will have “571 employees as the total number excepted and estimated to be retained during a shutdown.” While we anticipate CISA’s operationally focused missions will be considered excepted, the reduction in workforce will undoubtedly cause delays. This reduction not only weakens our collective ability to address cyber threats, but it leaves room for adversaries to target vulnerable systems, knowing that resources will be limited.
  • Delay in Patches and Slower Incident Response: With reduced staffing and resources, we expect that government agencies will be delayed in securing their systems and applying patches promptly and may experience delays in identifying and responding to newfound cyber threats. 
  • Impact on Information-Sharing: Information-sharing is a critical aspect of cybersecurity, with agencies sharing intelligence not only with one another but with private sector partners as well. A shutdown will likely reduce the flow of this information, making it harder for organizations to address emerging threats. 
  • Contracting Delays: Many cybersecurity contracts may be paused or significantly delayed. No new contracts or modifications will be issued or awarded, especially if those contracts have funding tails that rely on appropriations in the next fiscal year. However, not all government contracts will be affected. Cyber contracts that are funded for a period that crosses over the fiscal year and are for services and supplies that may be deemed excepted are permitted to continue. 
  • Regulatory Impacts: We expect the majority of cybersecurity initiatives currently in the Federal Acquisition Regulation or other regulatory processes to be paused or delayed. This would include many of the activities still underway as part of the Executive Order on Improving the Nation’s Cybersecurity.

As the countdown to the funding deadline continues, the potential for a government shutdown underscores the critical need for cyber defenders to proactively implement controls that add resilience to systems against ongoing and emerging threats. In light of external disruptions, our defenses must be prepared and agile enough to withstand the unexpected.

Grant Schneider & Tanvi Chopra
