The Capitol considers a new cyber force in addition to the US Cyber Command, while the Department of Defense shores up national security with new mandates. 
On August 4, 2025, the Center for Strategic and International Studies (CSIS) working with the Foundation for Defense of Democracies (FDD) project, Cyber Solarium Commission 2.0 (CSC 2.0), reported the launch of a commission on Cyber Force Generation in a press release. The announcement of the venture follows the FY2025 National Defense Authorization Act (NDAA), which also requested a consensus study from the National Academies of Sciences, Engineering, and Medicine for an “evaluation of alternative organizational models for the cyber forces of the Armed Forces.”
The press release described the call for a specialized cyber force as a response to “the well-documented shortcomings in current force generation and readiness models to organize, train, and equip for military cyber operations”. In recent years, the cyber landscape has proven to be an impactful way to wreak havoc on national security, so a push to address shortcomings in military operations is well-timed.
The Office of the Director of National Intelligence’s (ODNI’s) 2025 Threat Assessment explained the possible danger of malicious cyber campaigns from Russia, China, Iran, and North Korea. Notably, the disastrous China-sponsored Salt Typhoon hack that infiltrated several US telecommunication firms and the cellphones of an untold number of Americans, has even delayed the appointment of the next director of the Cybersecurity and Infrastructure Security Agency (CISA) due to concerns over the state of US security. The world has also watched how the cyber landscape became another battlefront in the Ukraine-Russia war, where a remote drone operation recently took down reportedly $7 billion worth of Russian aircraft and hacktivism has wiped huge swaths of important data from satellites and radars. Cybersecurity is becoming a more critical investment, leading to the question of an independent military service for cyberspace.
This question is not a new one, and some are not sure that a US Cyber Force is the answer. The US already has a cybersecurity defense agency - the US Cyber Command (CYBERCOM), a military command in the Department of Defense (DoD). Since 2010, the group has led, harmonized, and organized cyberspace operations to defend and advance national interests with partners in and outside of the country. Last year, CYBERCOM and the Defense Advanced Research Projects Agency announced the Constellation pilot program to support and streamline the entry of new technology and cyber abilities into the command’s software ecosystem.
This year CYBERCOM also underwent restructuring because of the new Trump administration - the previous deputy chief Air Force General Timothy Haugh was fired by the President after an X post by Laura Loomer connected him to General Mark Milley, someone Trump accused of treason. The move was criticized in the context of the Salt Typhoon hack, which was especially concerning the Cyber Command had already been weakened by a shortage of qualified personnel. The report on the shortage by the Foundation for Defense of Democracies (FDD) likely led to the NDAA’s request for a study from the National Academies of Sciences, Engineering, and Medicine on the need for a cyber force.
This study by the National Academies is not related to the CSIS commission that was announced on August 4. In fact, the Academies study’s call for experts is open until today, August 8, 2025. This dissonance has been criticized by a previous deputy chief at CYBERCOM, retired Lieutenant General Charles Moore: “It's difficult to reconcile the tasking in the NDAA to conduct an objective assessment of what type of cyber organization would be in the best interest of the nation with the fact that a separate unofficial effort is also underway to design what a cyber service would look like…I’m hearing from voices across the community who are concerned that the legitimacy of the Congressionally mandated study is being undercut by the second."
Co-chair of the commission, Josh Stiefel, addressed the issues Moore presented in an interview with Recorded Future News, by calling the CICS commission and the Academies study “incredibly distinct” - the Academies will determine “should we, or should we not, have a service aligned to this warfighting domain”, while Stiefel’s organization operates on the “core, ironclad assumption at the outset is that the president has ordered the establishment of the Cyber Force. And then we're going to design it.”
In the release, CICS, explains they are “not litigating the decision to create a Cyber Force but instead addressing the critical—and often overlooked—questions of implementation.” Co-chairs of the commission, Josh Stiefel and retired Lieutenant General Ed Cardon, also stressed the need for implementation planning, with Cardon saying pulling on his experience as justification for the “unofficial” effort: “Having supported multiple organizational transformations within the Department of Defense, the most consequential phase begins after a decision is made—implementation. When this phase is neglected or rushed, the result is enduring organizational friction with inefficiencies, confusion that can persist for years, and degraded mission effectiveness. This project takes a different approach: it invests in implementation planning up front to generate momentum, reduce downstream risk, and accelerate outcomes if and when there is a decision to create a Cyber Force.”
The commission for the generation of a Cyber Force is just part of a larger effort from the Department of Defense to shore up and improve national cybersecurity. On July 17, 2025 the Chief Information Officer (CIO) at the Department of the Navy (DON), Jane Rathbun, released a memo requiring “all software development activities transitioning to the cloud and/or upgrades that are hosted in a cloud” to use containerization technology. Software containerization is a more secure means of storing software code, with the specific goal of “modernizing the DON’s IT infrastructure and software deployment capabilities,” according to a DON spokesperson.
The day following the DON’s memo, Pete Hegseth, the Secretary of Defense released a memo directing the DoD CIO, Katie Harrington, to ensure that “all information technology [IT] capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”
The requirements are stricter than the guidelines for supply chain cybersecurity established by other agencies, like the US Department of Energy, and also go further than the supply chain risks listed in the Department of Commerce’s 2024 proposed ban on Chinese and Russian car parts and software. Hegseth specifically encouraged using the Cybersecurity Maturity Model Certification (CMMC), the latest version of which could transform cybersecurity for DoD contracts and subcontractors, among other security programs. While these plans have not named a US Cyber Force by name, a multi-pronged approach to digital defense may be a step in the right direction for the US.