Sixty percent of CISA’s workforce has been furloughed, leaving the agency that guards America’s power grids, water systems, and election infrastructure operating at roughly 40% capacity [Gblock]. Iranian and Chinese threat actors remain active. The one federal agency built to coordinate civilian cyber defense has been, in the words of Acting Director Nick Andersen, “forced into a purely reactive posture” [Gblock]. This isn’t a budget debate. It’s an operational gap with real-time consequences.
The Numbers Behind the Headline
Photo by The staffing picture is stark. CISA’s 2025 budget supported 4,021 positions and 3,641 full-time staff. The proposed 2026 budget cuts that to 2,649 positions and 2,324 full-time equivalents [Malware News]. On top of those cuts, approximately 1,000 employees have departed since January 2025 [Gblock]. The combined effect: fewer than half the people doing this work eighteen months ago are still doing it.
This isn’t routine downsizing. CISA protects 16 critical infrastructure sectors, including energy, water, healthcare, transportation, and elections. Programs like the Continuous Diagnostics and Mitigation (CDM) initiative and CISA’s 24/7 Operations Center depend on sustained headcount. You can’t run a security operations center on a skeleton crew indefinitely. Eventually, alerts get missed.
The timing amplifies everything. Ransomware campaigns targeting U.S. healthcare and municipal systems have been escalating, and adversary nations aren’t pausing because Washington is having a staffing dispute.
What CISA Does That Nobody Else Replicates
Three CISA functions have no true equivalent anywhere in the federal government or private sector:
- Automated Indicator Sharing (AIS): A platform that pushes machine-speed threat intelligence to hundreds of critical infrastructure operators and government agencies.
Photo by Think of it as a shared channel for indicators of compromise that feeds directly into defensive tooling.
-
Hunt and Incident Response Teams (HIRT): These teams deploy on-site when a water utility or state election system gets breached. They’re the federal equivalent of an incident response retainer, serving organizations that can’t afford a $300K/year CrowdStrike contract.
-
Known Exploited Vulnerabilities (KEV) catalog: The list that drives mandatory patching timelines across civilian federal networks. Over 1,000 actively exploited CVEs are tracked, and federal agencies must patch against them on CISA’s timeline.
All three are running at reduced capacity. AIS feeds may continue via automation, but the human analysts who triage novel threats, write advisories, and coordinate cross-sector response are the roles hit hardest by furloughs. Automation handles the known-knowns. Humans handle the rest.
The Contrarian View and Its Limits
Photo by Some analysts push back on the alarm. Their argument: skeleton-crew staff remain active, automated systems keep running, and private-sector ISACs (Information Sharing and Analysis Centers) like FS-ISAC and E-ISAC maintain independent threat intelligence pipelines. The lights haven’t gone out.
That’s fair, to a point. Automated systems detect known patterns. They don’t handle novel attack chains, they don’t negotiate with ransomware operators, and they don’t fly to a compromised water treatment plant in rural Ohio to image drives and rebuild networks.
“With the loss of hundreds of experts, CISA’s ability to detect threats from the most significant adversary, China, as well as others like Russia and Iran, is severely diminished.” [Daily Beast]
Private-sector ISACs are valuable, but they serve their own sectors. Nobody is doing the cross-sector coordination that CISA was built for. When a supply chain attack hits healthcare and energy simultaneously, who’s connecting those dots at 40% staffing?
Three Gaps That Keep Experts Up at Night
Strip away the political noise and three concrete risks emerge.
Photo by 1. Slower advisories and emergency directives. CISA’s Emergency Directives have historically shipped within 24 to 72 hours of critical vulnerability discovery. With reduced staff, that timeline stretches, and every extra hour is an open window for exploitation across federal networks.
2. State and local support collapses. CISA’s State and Local Cybersecurity Grant Program (SLCGP) supports all 50 states and territories with planning and implementation assistance. Smaller jurisdictions without dedicated security teams depend on this. Furloughs mean those programs stall.
3. Permanent talent drain. This is the sleeper risk. Federal cybersecurity roles already struggle to compete with private-sector pay. A senior CISA analyst earning $140K can walk into a remote role at a major tech firm for double that. Furlough uncertainty accelerates that calculus. Once institutional knowledge walks out the door, reopening job requisitions won’t bring it back.
“You need good career, nonpartisan expertise for your policy to work… when you’re gutting that career federal workforce, you are really constraining your ability to get to good outcomes.” [New Republic]
What Organizations Should Do Now
Waiting for Congress to fix this is a strategy, but not a strong one.
Photo by Organizations that previously relied on CISA as a backstop should benchmark their own posture independently.
-
Audit against NIST CSF 2.0. It’s vendor-neutral, free, and provides a structured self-assessment framework. If you haven’t mapped your controls to it, now is a good time to start.
-
Diversify threat intel sources. If your only feed was AIS, you’re exposed. Consider layering in commercial feeds, sector-specific ISAC memberships, and open-source intelligence platforms.
-
Test your incident response plan without assuming federal support arrives. A tabletop exercise where CISA doesn’t pick up the phone will quickly reveal what breaks.
On the policy side, peer nations offer a blueprint. The UK’s NCSC and Australia’s ASD operate under frameworks that insulate cybersecurity staffing from government funding disputes. Designating core CISA functions as services exempt from furloughs isn’t radical. It’s what competent threat modeling looks like when applied to government operations.
CISA’s 60% furlough creates measurable gaps in threat sharing, incident response, and state-level cyber support. Automated systems provide partial continuity, but the human-dependent functions that matter most during novel, complex attacks are genuinely degraded. Talent attrition may extend the damage well beyond the furlough itself. Organizations should self-assess against NIST CSF 2.0, diversify their threat intelligence sources, and pressure legislators to shield core cyber functions from future shutdowns. Adversaries don’t furlough. Every day CISA operates at 40% capacity is a day the threat landscape doesn’t pause to match.
