What happened
Sen. Mark Warner sent a letter to CISA Acting Director Nick Andersen expressing concern over staffing cuts, regional vacancies, and reduced support for state and local cybersecurity programs.
Warner said widespread cuts at the Cybersecurity and Infrastructure Security Agency, short-staffed regional divisions, and the disbanding of an information sharing and analysis center supporting state and local critical infrastructure operators are creating serious risks.
The letter follows Warner’s introduction of the Guaranteeing Universal Access to Cybersecurity Act, which would fund the MS-ISAC after the Department of Homeland Security stopped paying for the program and blocked federal grant funding from being used by state and local governments to participate.
Warner also sent a letter to DHS Secretary Markwayne Mullin saying DHS must prioritize CISA and fund the MS-ISAC. He sent separate letters to all 50 governors outlining the risks he believes critical infrastructure in their states face because of the cuts.
According to Warner’s letter, the administration has cut about one-third of CISA’s staff, with many laid-off workers coming from senior agency ranks. The letter also cited a proposed fiscal year 2027 budget reduction of more than $700 million, calling it a dangerous underestimation of the threats facing the country.
Warner said governors, mayors, city and county executives, state chief information officers, school district leaders, education advocates, law enforcement officials, and cybersecurity experts have raised concerns about CISA’s ability to function. Industry leaders and state and local officials also told his office they have seen reduced responsiveness and support from CISA, along with disrupted service delivery and operations.
Andersen recently said CISA is hiring more than 300 additional workers, with some already starting. He said maintaining a ready and available national cyber defense agency is critical.
Warner’s letter asks CISA to provide organizational charts for regional offices and headquarters from January 20, 2025, October 1, 2025, and the present, including vacancies and explanations for why individuals left. It also asks for regional data on security services provided to state and local officials, including vulnerability scans, risk assessments, incident response, inbound service requests, completed requests, and average response times.
Who is affected
State and local governments are directly affected, especially those that rely on CISA for vulnerability scanning, risk assessments, incident response, regional support, and information sharing through the MS-ISAC.
Critical infrastructure operators in every state may also be affected because Warner warned governors that state-level infrastructure faces increased risk as CISA’s support structure is reduced.
CISA’s regional offices and headquarters are affected by the staffing cuts, leadership vacancies, and turnover described in the letter. Five of CISA’s 10 regional directors are serving in an acting capacity, and the agency has been without a permanent director since January 2025.
School districts, law enforcement agencies, local governments, city and county executives, and state chief information officers may also face reduced access to federal cyber support if CISA’s regional service capacity is limited.
Why CISOs should care
This issue matters because CISA is a key support organization for state, local, and critical infrastructure cybersecurity. If the agency’s staffing, regional leadership, and service delivery are disrupted, organizations that depend on CISA may face slower response times, fewer assessments, and reduced access to federal cyber expertise.
The MS-ISAC funding dispute is also important. State and local governments often rely on shared threat intelligence and coordinated support because they do not always have large internal security teams. If access to that information sharing center is reduced or made harder to fund, the impact could be felt most by smaller agencies and public-sector operators.
For CISOs, Warner’s concerns point to a broader resilience issue: external support cannot be assumed during a major incident. Organizations should understand which services they rely on from CISA, MS-ISAC, and regional cyber partners, and identify backup options if federal support is delayed or unavailable.
The leadership gap also adds uncertainty. CISA has been without a permanent director since January 2025, and several regional director roles are being filled in an acting capacity. That kind of instability can affect priorities, responsiveness, and coordination during cyber incidents.
3 practical actions
- Map dependencies on CISA and MS-ISAC services: Warner asked CISA to provide data on vulnerability scans, risk assessments, incident response, inbound service requests, completed requests, and response times. CISOs should identify which federal or information-sharing services their organizations rely on and where alternate support may be needed.
- Build backup incident response capacity outside federal channels: State and local officials reported reduced responsiveness and support from CISA. Organizations should establish relationships with trusted incident response firms, managed security providers, and regional partners before an incident occurs.
- Review threat intelligence and information sharing options: Warner’s legislation would fund the MS-ISAC after DHS stopped paying for the program and blocked grant funding for participation. Public-sector CISOs should assess whether they still have reliable access to timely threat intelligence and determine what additional sharing communities or commercial sources may be needed.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.