Mar 26, 2026

CISA Lost 60% of Its Workforce and Can Only React to Imminent Threats Now

The federal agency responsible for protecting American critical infrastructure from cyberattacks has been gutted by furloughs, resignations, and budget cuts. Its acting director warns the compounding risk will cause real damage.

The Agency That Guards Everything Is Running on Fumes

The Cybersecurity and Infrastructure Security Agency (CISA) is the federal body responsible for defending US government networks and coordinating cybersecurity across critical infrastructure sectors including energy, healthcare, finance, and water systems. As of March 2026, approximately 60% of its workforce has been furloughed due to the federal government shutdown, and the agency carries over 1,000 unfilled vacancies.

Acting Director Nick Andersen testified that CISA has been forced into a purely reactive posture. The remaining staff can only respond to imminent threats, protect life and property, and share basic vulnerability information. Proactive threat hunting, strategic planning, industry coordination, and binding operational directives have all been scaled back or paused entirely.

Six Threat Hunters Quit in a Single Day

The staffing crisis goes beyond furloughs. Six members of a highly technical threat hunting and incident response team submitted their resignations on the same day. Shelly Hartsook, acting associate director of CISA's cybersecurity division, also resigned. Since January 2025, approximately 1,000 employees have departed through voluntary buyouts or resignations, and nearly all senior leadership has left.

The departures are not just numbers. Threat hunters are among the most specialized cybersecurity professionals in the federal government. They actively search networks for signs of compromise that automated tools miss. Replacing them takes months of hiring, and years of institutional knowledge walk out the door with each resignation.

Andersen warned that long-term talent retention is at risk because the instability makes DHS and CISA less attractive to cybersecurity professionals who can earn significantly more in the private sector with far less uncertainty.

What Is No Longer Being Done

The cuts are not abstract budget line items. They translate directly into things that are no longer happening:

  • Proactive threat assessments of federal networks and critical infrastructure have been paused
  • Binding operational directives that order federal agencies to patch critical vulnerabilities are delayed
  • Industry partner coordination, in which CISA works with private sector companies to share threat intelligence, has been reduced
  • Incident response capacity to help organizations recover from cyberattacks is constrained
  • Intelligence sharing between CISA and other agencies is described as exceedingly strained
  • The Cybersecurity Information Sharing Act expired during the shutdown, removing legal protections that encouraged private companies to share cyberattack data with the government

The Threat Landscape Is Not Waiting

These cuts come at a time when nation-state cyber threats are escalating. The Salt Typhoon campaign, attributed to Chinese state actors, compromised major US telecommunications networks in late 2025. Iranian cyber operations have spiked 245% amid regional tensions. Russian intelligence services are actively hijacking encrypted messaging accounts.

Andersen specifically flagged two upcoming events that require heightened cyber readiness: the America 250 celebration and the 2026 FIFA World Cup, both of which will be high-value targets for adversaries looking to disrupt critical systems or conduct influence operations. With CISA unable to prepare adequately, the risk window is widening.

The Proposed Budget Makes It Worse

Beyond the immediate shutdown, the administration's proposed 2026 budget would permanently reduce CISA's workforce by nearly one third. Significant cuts target risk management divisions, stakeholder engagement, collaboration activities, and cybersecurity education programs. The federal cybersecurity scholarship program faces a funding reduction of over 60%, threatening the pipeline of future federal cyber workers.

The practical effect is a feedback loop. Fewer staff means slower response times. Slower response times mean more successful attacks. More successful attacks mean greater costs to taxpayers and businesses. And the institutional knowledge lost through departures cannot be rebuilt quickly, even if funding is eventually restored.

What This Means for Everyone

CISA's work affects far more than government networks. The agency coordinates vulnerability disclosures that protect private sector organizations, runs the Known Exploited Vulnerabilities catalog that security teams worldwide rely on for patching priorities, and provides free security assessments to critical infrastructure operators.

When CISA cannot issue timely binding directives, federal agencies are slower to patch. When its intelligence sharing is strained, private companies get less warning about active threats. When incident response capacity is constrained, breached organizations wait longer for help.

Andersen's warning was blunt: at some point, the compounding risk within this dynamic threat landscape is going to cause real damage to the American people. The question is not whether a major cyber incident will exploit these gaps, but when.