Jun 18, 2026
CISA Lost a Third of Its Workforce. America's Cyber Gap Grows.
Senator Mark Warner sent letters to CISA's acting director on June 17, 2026, documenting what he called a "dangerous underestimation of the threats facing our nation": more than 1,000 staff gone, a $495 million budget cut proposed, the agency's primary program for protecting state and local infrastructure defunded, and no permanent director in place for 18 months.
The numbers behind the warning are stark. CISA's authorized staffing level is 3,292 positions. As of Warner's June 2026 letters, only 2,324 positions are actually filled. The agency lost roughly one third of its staff through a combination of layoffs, early retirement offers, transfers, and program eliminations since January 2025.
Key Takeaways
- CISA's workforce dropped from approximately 3,400 to 2,400 employees since January 2025, with 5 of 10 regional directors serving in acting capacities.
- The Trump administration's FY2027 budget proposal cuts $495 million from CISA, eliminating election security, chemical security, and cyber education and training entirely.
- Former DHS Secretary Kristi Noem defunded the MS-ISAC program, ending free cybersecurity monitoring for 18,000 state and local governments, schools, hospitals, and utilities.
- Senator Warner introduced the Guaranteeing Universal Access to Cybersecurity Act to restore MS-ISAC funding at $50 million annually.
- CISA has operated without a permanent director since January 2025 after its nominated replacement withdrew from consideration.
What Is the Scale of CISA's Staffing Crisis?
CISA's authorized staffing level is 3,292 positions. As of Warner's June 2026 letter, only 2,324 positions are actually filled — a gap of nearly 1,000 roles even before accounting for the workforce that departed since January 2025. The cuts hit senior career officials hardest.
Five of the agency's ten regional directors are currently serving in acting capacities. Warner flagged this as operationally significant: regional directors are the primary points of contact for state and local governments seeking federal cybersecurity assistance. A rotating cast of temporary leaders disrupts continuity, institutional knowledge, and the trust relationships that make incident response work.
Acting Director Nick Andersen announced plans to extend approximately 200 to 300 job offers in the coming months. Warner acknowledged the effort but called it "insufficient given the scale of threats facing our nation's cybersecurity and critical infrastructure, particularly at the state level." Warner has demanded organizational charts and vacancy explanations from CISA, with responses due by June 26.
What Programs Are Being Cut?
The FY2027 budget proposal zeroes out funding for several CISA programs entirely. The election security program, which received $39.6 million and employed 14 staff, is eliminated. So are the bombing prevention program, federal school safety programs, chemical security, the national cybersecurity protection system, and the cyber defense education and training program.
Analysis of the budget documents shows the proposed total CISA budget at $2.49 billion, down from $2.87 billion under the FY2026 continuing resolution — a reduction of roughly $380 million at the enacted level, and $495 million against the program baseline. The headline number matters less than the specificity of what disappears. Eliminating election security infrastructure and the cyber education pipeline simultaneously removes both the agency's defensive capacity for the 2026 and 2028 election cycles and the pathway for training the next generation of federal cybersecurity personnel.
The MS-ISAC Collapse
The most consequential single cut may be one that did not require a congressional vote. Former DHS Secretary Kristi Noem halted federal funding for the Multi-State Information Sharing and Analysis Center in March 2025, eliminating roughly $8.3 million of its remaining 2025 budget. CISA formally ended its cooperative agreement with the Center for Internet Security in September 2025.
Before defunding, MS-ISAC provided free cybersecurity resources, threat intelligence, and incident response support to approximately 18,000 state and local organizations: water utilities, public hospitals, K-12 schools, law enforcement agencies, and tribal governments. The Center for Internet Security has since transitioned to a fee-based model charging $1 million per month, with tiered pricing based on government budgets. That pricing is simply out of reach for most rural counties, small municipalities, and underfunded school districts.
Warner's Guaranteeing Universal Access to Cybersecurity Act would mandate $50 million annually for MS-ISAC — doubling previous federal investment — and require CISA to re-enter its agreement with the Center for Internet Security and restore lost memberships. The legislation's introduction signals that Congress does not consider the Noem decision settled policy.
Why Compliance Officers Should Care
The MS-ISAC defunding and CISA staffing cuts create a direct operational gap for private sector organizations whose security programs depend on public sector threat intelligence. Water utilities, hospitals, and election administrators that shared MS-ISAC threat feeds with private sector partners in their regions have lost that pipeline. The cascade runs downstream: a hospital network's cyber posture affects the insurers, vendors, and health information exchanges that connect to it.
For compliance officers managing HIPAA, state data protection requirements, or sector-specific critical infrastructure regulations, the practical question is who fills the federal void. CISA's regional offices were the first call for many state-level incident response coordinators. With five of ten regional directors in acting capacities and an authorized staffing gap approaching 1,000 positions, response times and service consistency have already degraded. Warner's letter cited "reduced responsiveness and support" reported by state and local officials and industry leaders as a documented outcome of the cuts, not a hypothetical risk.
Organizations in sectors that sit adjacent to critical infrastructure — financial services firms with utility clients, healthcare IT vendors, logistics companies serving defense contractors — should audit which threat intelligence streams they receive indirectly through government partnerships and plan for those channels to be less reliable or unavailable.
The Threat Environment Has Not Paused
The cuts arrive as Chinese and Russian state-sponsored actors continue active campaigns against US critical infrastructure. CISA issued a supplementary advisory in February 2026 noting that Volt Typhoon activity had intensified since mid-2025, with new indicators of compromise identified in the water and communications sectors. The advisory describes the group's strategy as "pre-conflict positioning" — establishing persistent access to operational technology systems that control physical infrastructure so that disruption can be triggered at a chosen moment.
Salt Typhoon, the Chinese APT responsible for the 2024 and 2025 breaches of US telecommunications backbone infrastructure, continues to operate. The Office of the Director of National Intelligence's 2026 Annual Threat Assessment explicitly names both groups as active threats whose target selection extends beyond espionage into potential sabotage.
CISA was designed as the agency that coordinates the federal response to exactly these threats. It was established in 2018 specifically to prevent critical infrastructure attacks of the type Volt Typhoon and Salt Typhoon are currently staging. The agency has operated without a permanent director since January 2025. Its nominated replacement, Sean Plankey, withdrew after senior senators blocked confirmation. Acting Director Andersen assumed the role in February 2026.
What Comes Next
Warner's legislative response — the Guaranteeing Universal Access to Cybersecurity Act — is a floor, not a ceiling. Even if it passes and restores MS-ISAC funding, it does not rebuild the 1,000 positions lost, reconstitute the election security program, or accelerate the hiring pipeline that produces experienced federal cybersecurity personnel.
The CIRCIA cyber incident reporting rule, which Gblock has covered separately, places new federal reporting obligations on critical infrastructure operators — obligations that CISA is supposed to administer and enforce. Fewer staff means slower processing, reduced technical assistance, and weaker institutional capacity to act on the incident data that rule will generate.
Congress has a deadline. The combination of active Chinese advance positioning, a degraded federal cyber agency, defunded state and local threat sharing infrastructure, and a permanent leadership vacuum is not a theoretical risk scenario. Warner's letters were addressed to an acting director and demanded a response by June 26. The structural problems they document will take considerably longer to resolve.
For context on the broader federal surveillance and security apparatus that intersects with CISA's mission, Gblock's analysis of FISA 702 and the continued warrantless surveillance powers that persist even as CISA's defensive capacity contracts offers a useful counterweight: the surveillance half of the equation is expanding while the defense half contracts.