America's primary civilian cybersecurity agency is operating at 38% of its workforce while Senate Republicans have blocked, on multiple occasions, targeted emergency legislation that would restore its funding — all while Chinese and Iranian threat actors continue their campaigns against U.S. critical infrastructure without pause.
The Department of Homeland Security shutdown that began at 12:01 a.m. on February 14, 2026 did not happen without warning. For weeks, the Cybersecurity and Infrastructure Security Agency's acting director, Madhu Gottumukkala, told Congress directly what a funding lapse would mean. "I want to be clear," he said in testimony before the House Appropriations Subcommittee on Homeland Security, "when the government shuts down, cyber threats do not." The warning landed. The funding did not.
By the time the shutdown took effect, CISA had already lost roughly one-third of its workforce through the Trump administration's voluntary buyout programs, deferred resignations, and reduction-in-force actions over the preceding year. The shutdown then furloughed 1,453 of the agency's remaining 2,341 employees — 62% — leaving 888 personnel to cover the full scope of the nation's civilian cyber defense responsibilities across 16 critical infrastructure sectors.
How the DHS Shutdown Left CISA Exposed
The DHS-specific shutdown is not a standard government funding lapse. It stems from a prolonged congressional impasse over immigration enforcement reform, specifically whether Congress would impose accountability measures on U.S. Immigration and Customs Enforcement and Customs and Border Protection before releasing funds. Democrats have demanded reforms following the January 2026 fatal shootings of U.S. citizens Renee Good and Alex Pretti by federal agents in Minneapolis. Republicans have refused to link those reforms to DHS funding, insisting on a clean, full-agency appropriation that would fund ICE and CBP alongside CISA, TSA, FEMA, and the Coast Guard.
The irony embedded in the standoff is notable: ICE operations are not affected by the shutdown at all. ICE's funding flows from the President's reconciliation legislation — the "One Big Beautiful Bill Act" — and its operational activities qualify as "excepted" under the Antideficiency Act. The agency at the center of the political dispute continues operating while the agency responsible for defending the nation's digital infrastructure has been operating at barely more than a third of capacity since mid-February.
What has made the current situation particularly acute is that CISA entered the shutdown already hollowed out. By the end of May 2025, nearly all of the agency's senior leadership had resigned or announced plans to do so. The agency had also seen the departure of veterans across counter-ransomware, threat hunting, and secure software development programs. Two information sharing and analysis centers serving state and local governments lost their funding. A division that coordinated with foreign governments and businesses was effectively shut down. The agency's acting director himself, Gottumukkala, was reassigned to another DHS division in early March 2026, following reported controversies including uploading sensitive contract documents to a commercial AI platform and failing a polygraph test administered by CISA staff.
"CISA as an organization has pretty much fallen apart." — Rob Knake, former senior Biden administration cybersecurity official, February 2026
What Stopped Working on Day One
The Antideficiency Act governs which government functions may continue during a funding lapse. At CISA, the 888 "excepted" employees can maintain the agency's 24/7 operations center, respond to imminent threats, share urgent vulnerability and incident information, and keep the Known Exploited Vulnerabilities catalog online. What they cannot do covers an enormous share of what the agency exists to perform.
Proactive vulnerability scanning of federal networks stopped immediately. New cybersecurity guidance, advisories, and best-practice publications were paused. Tabletop exercises and simulation training for critical infrastructure operators — the kind of preparation that gives hospitals, utilities, and financial institutions a rehearsed response to cyberattacks — were cancelled. Stakeholder engagement meetings with state and local governments, private sector partners, and international allies were suspended. Development of new technical capabilities and defensive tools was halted entirely.
CISA's website, as of mid-February 2026, carried a notice stating it was last updated on February 17 due to a "lapse in federal funding" and was not being actively managed. That same day, DHS published official guidance noting that a prolonged shutdown would compound existing gaps: "As the lapse goes on, CISA's lack of involvement in these key areas will lead to a future threat or an increased area of weakness."
Furloughs do not only affect federal employees. A significant portion of CISA's operational work — including vulnerability patching, network monitoring, and incident response readiness — is performed by contractors who stop working entirely during a funding lapse. Cybersecurity researcher Mike Hamilton, a former state CISO, warned that without contractors, agencies become exposed in the race to patch vulnerabilities the moment they are publicly disclosed: "When a patch is released and a vulnerability announced, it's a race. The scanning is automated, looking for vulnerable exposures. Nation states, criminal gangs, all reverse engineer the patch so that they can build the exploits." Without contractor support, federal agencies can lose that race.
The Cybersecurity Information Sharing Act of 2015, which provided critical legal protections for companies sharing threat intelligence with the government and with each other, expired on September 30, 2025, adding a second layer of institutional damage. Without that statute's liability protections and antitrust shields, private companies face legal risk when sharing breach data — meaning the flow of threat intelligence that CISA depends on to protect everyone is now slower and more legally complicated than it was a year ago.
Michael Daniel, former White House cyber coordinator and president of the Cyber Threat Alliance, described the practical effect: "Without those protections, decisions get routed back through legal bottlenecks, slowing or discouraging the very real-time collaboration that makes a difference in fast-moving cyberattacks."
The Cyber Incident Reporting for Critical Infrastructure Act — known as CIRCIA — compounded the timeline problem. The 2022 law requires critical infrastructure operators to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. The final implementing rule was originally due in October 2025. It was pushed to May 2026. CISA had scheduled a series of industry town halls to gather final input on the rule, running from March 9 through early April 2026. All of those sessions were cancelled as a direct consequence of the shutdown, with acting CISA director Nick Andersen blaming what he called "the Democrats' shutdown of DHS." Whether that May 2026 deadline holds is now an open question.
The Political Stalemate Blocking Relief
Senate Democrats have made multiple attempts to carve out emergency funding for CISA specifically, separating it from the broader DHS appropriations fight. Senator Andy Kim of New Jersey introduced legislation to fund CISA independently while negotiations over ICE accountability measures continued. The bill was blocked by Senator Roger Marshall of Kansas. Within a 24-hour period, Senate Republicans also blocked separate emergency funding bills for TSA, FEMA, the Coast Guard, and the Secret Service.
Senate Minority Leader Chuck Schumer summarized the Democratic position bluntly: "Democrats are ready to fund CISA. Republicans are blocking it. Democrats are ready to fund FEMA. And Coast Guard. Republicans are blocking it."
House Appropriations Committee Ranking Member Rosa DeLauro put the condition in sharper terms: "Unless Immigration and Customs Enforcement and Customs and Border Protection get another $28 billion with no reforms, TSA agents will not be paid, Coast Guard servicemembers will be hung out to dry, and the federal disaster relief fund will remain dangerously depleted. That is the Republican position."
Republicans argue the Democrats created the crisis by refusing to accept a full DHS appropriation without ICE reform conditions attached. Senate Republicans made four separate attempts to pass a clean, full-DHS funding bill through September — the fourth falling short in a 51 to 46 vote, well under the 60-vote threshold required to advance. Senator John Fetterman of Pennsylvania was the only Democrat to vote yes. Senate Majority Leader John Thune has repeatedly stated that Republicans have tried to keep all of DHS funded while negotiations continue, and that Democrats are using federal workers as leverage in an immigration dispute.
Senator Collins of Maine noted a White House proposal that included mandatory body cameras for ICE agents, name tags for all agents, deescalation training, and a commitment to investigate the Minneapolis shootings. Democrats have not engaged formally with that offer, citing concerns it does not go far enough.
The result is a stalemate with no visible resolution timeline, and CISA sitting in the middle of it — not because it is the subject of the dispute, but because it is housed in the same department.
"We don't have to tie that disagreement up and use people at the airports and American citizens as hostages." — Senate Minority Leader Chuck Schumer, March 2026
A Threat Landscape That Does Not Wait
Nation-state threat actors operate on their own schedules. The FBI confirmed as recently as February 19, 2026 that Salt Typhoon — the Chinese state-sponsored group that compromised at least nine U.S. telecommunications companies — remains active. Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, said at CyberTalks 2026 that companies who engaged with CISA and the FBI early in the Salt Typhoon campaign were "without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions." The corollary to that finding is significant: CISA's ability to provide that early engagement support is now dramatically curtailed.
CISA threat hunters previously played a direct role in detecting Salt Typhoon on federal networks before the full scope of the telecom compromise was understood, a capability that allowed law enforcement to act. That threat-hunting capacity is now operating on a skeleton staff. The agency's regional teams — cybersecurity advisors stationed in every state — were among the roles affected by both the pre-shutdown workforce reductions and the ongoing furloughs.
Iran presents a separate escalation concern. In early March 2026, cybersecurity experts warned that Iranian-linked groups were assessing opportunities to target U.S. businesses and infrastructure amid the ongoing conflict in the Middle East. Pavel Gurvich, founder and CEO of cybersecurity startup Tenzai, described the timing bluntly: "From a timing perspective, it's now or never." CISA's acting director at the time acknowledged that the agency was "stretched thin."
The Secure by Design program — CISA's initiative to shift the burden of security from end users to software manufacturers — sits among the casualties of the combined pre-shutdown workforce reductions and the shutdown itself. The program, which worked with technology vendors to build security into products before they reached market, relied on the stakeholder engagement and strategic planning functions that are now paused. Its future trajectory inside a reorganized, reduced CISA is unclear.
The agency's reorganization is proceeding in parallel. Nick Andersen, CISA's executive assistant director for cybersecurity, told staff in a February 13, 2026 town hall that the agency would be "turning off" certain programs to concentrate remaining resources on operational technology security and a narrower set of high-priority goals. Sources familiar with the meeting said Andersen told staffers directly: "There are some people in this room in programs we are going to turn off." The divisions targeted in late 2025 reduction-in-force actions included the Stakeholder Engagement Division, the Infrastructure Security Division, and the Integrated Operations Division — all core to the agency's proactive defense mission.
With CISA's proactive services scaled back, the practical burden shifts to private organizations. Critical infrastructure operators — electric utilities, water systems, hospitals, transportation networks — can no longer assume federal cyber assessment support will be available on demand. Security firm principal Brian Weiss noted: "Critical infrastructure owners and operators cannot assume the federal government will have the capacity to step in the way it once did." Organizations should prioritize direct engagement with sector-specific information sharing centers, maintain their own vulnerability scanning cycles, and establish response playbooks that do not depend on federal support arriving quickly.
Key Takeaways
- CISA is running at 38% capacity: Of 2,341 employees, only 888 are working. Combined with the loss of roughly 1,000 staff through 2025 workforce reductions, the agency has shed a substantial share of its pre-2025 headcount.
- Emergency funding bills have been blocked: Senate Democrats introduced targeted legislation to fund CISA independently of the ICE dispute. Senate Republicans objected, blocking the bills under unanimous consent procedures.
- Proactive defense functions have stopped: Vulnerability scanning, infrastructure assessments, stakeholder training, cybersecurity guidance publication, and Secure by Design program activities are all paused.
- CIRCIA implementation is slipping: Industry town halls on the landmark cyber incident reporting rule were cancelled because of the shutdown. The May 2026 deadline for the final rule is now in doubt.
- Adversaries are not pausing: Salt Typhoon remains active according to the FBI. Iranian-linked groups are assessing U.S. targets. The shutdown presents an opportunity window for threat actors who monitor federal defense capacity.
The structural lesson embedded in this crisis is one Congress has had the opportunity to act on before: housing the nation's primary civilian cybersecurity agency inside a department that becomes a recurring political flashpoint creates predictable, avoidable risk. CISA has now been degraded by funding fights in 2023, 2025, and 2026. Each time, the threat environment grew more sophisticated. Each time, the agency emerged with fewer resources and less institutional knowledge than it had before the disruption began. Whether the current impasse ends this week or this summer, what is already lost — senior personnel, program continuity, private-sector trust, and operational momentum against active nation-state campaigns — will take far longer to rebuild than it took to lose.
Sources
- Senate Appropriations Committee (Minority) — "In 24 Hours, Senate Republicans Block Five Separate Bills," March 2026
- CBS News — "Senate fails again to advance funding for DHS as tempers flare," March 2026
- SecurityWeek — "CISA Navigates DHS Shutdown With Reduced Staff," February 2026
- Nextgov/FCW — "CISA to Furlough Most of Its Workforce Under Impending DHS Shutdown," February 2026
- Cybersecurity Dive — "CISA will shutter some missions to prioritize others," February 2026
- Federal News Network — "CISA delays cyber incident reporting town halls due to shutdown," March 2026
- CyberScoop — "Acting CISA chief says DHS funding lapse would limit, halt some agency work," February 2026
- CyberScoop — "FBI: Threats from Salt Typhoon are 'still very much ongoing'," February 2026
- CNBC — "The lead U.S. cyber agency is stretched thin as Iran hacking threat escalates," March 2026
- CyberScoop — "Across party lines and industry, the verdict is the same: CISA is in trouble," February 2026
- Federal News Network — "The shutdown and CISA lapse expose new cracks in America's cyber defenses," October 2025
- House Appropriations Committee (Minority) — DeLauro Statement, March 2026