Under-Resourced and Undermined: How CISA is Bearing the Brunt of the U.S. Government Shutdown
Cybersecurity is not a luxury — it is a necessity. For businesses, municipalities and critical infrastructure operators across North Carolina and the United States, agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) have for years served as a key line of defence. But with the current federal government shutdown, CISA finds itself in a precarious position: massively downsized, under-resourced, and facing an uncertain future. This blog explores the situation in detail: what has happened, why it matters — and how businesses and public sector organizations in North Carolina should respond.
What’s Going On: CISA Among Agencies Hit with Layoffs During Shutdown
At the outset, it’s important to understand the scale of the challenge. Several recent credible reports show that CISA has been hit hard by the shutdown.
- According to a piece titled “CISA among agencies hit with layoffs during shutdown”, about two-thirds of CISA’s roughly 2,500 employees were furloughed when the funding lapse began — leaving around 900 staff working without pay.
- Another article reports that multiple CISA divisions were targeted for reduction-in-force (RIF) notices, including the Stakeholder Engagement Division and Infrastructure Security Division.
- Further coverage states it explicitly: “massive downsizing of CISA is underway, with layoffs and forced relocations.”
In other words: CISA, a civilian cybersecurity agency whose mission is to protect federal networks and critical infrastructure and to coordinate with state and local entities, is now among the agencies experiencing the deepest staffing cuts in the shutdown period.
Why now — and what triggered it
There are several overlapping factors. First, the federal funding lapse triggered the shutdown, which immediately forced many agencies into furloughs, a halt to new hiring, and a freeze of certain functions. CISA is no exception.
Second, CISA’s authorising legislation — the Cybersecurity Information Sharing Act (“CISA Act”) — has expired, reducing legal certainty for key programmes of the agency.
Third, the current administration’s budgeting and workforce priorities appear to place CISA (and other agencies) in the cross-hairs of reductions. For example, internal documents suggest CISA’s headcount may be cut by nearly one-third in 2026.
What does “massive downsizing” look like?
Let’s put some numbers on it. Reports indicate:
- Before the shutdown, CISA had around 2,540 employees. In planning documents, 1,651 of them (about 65%) were projected to be furloughed in the shutdown scenario, leaving only about 889 staff.
- In certain divisions, such as stakeholder engagement and infrastructure security, staff are receiving RIF notices or being reassigned.
- In one forecast, up to one-third of the workforce might be permanently cut in the next budget.
For an agency tasked with coordinating nationwide cybersecurity efforts, sharing threat intelligence, and supporting state/local partners, these numbers are alarming.
Why This Matters for North Carolina Businesses and Public Sector
You might think “this is a federal issue”, but in truth the ripple effects will be felt deeply in states like North Carolina — in our cities, counties, universities, critical infrastructure, and businesses.
- Reduced coordination with state/local governments
CISA’s mission includes working with state and local governments, and critical infrastructure providers (energy, water, K-12 schools, healthcare). When divisions are cut — for example the Stakeholder Engagement Division — it means fewer resources for outreach, guidance, and assistance.
In North Carolina, that could translate into slower notifications of threats, less help for state/local agencies when cyber incidents arise, and less capacity for training and preparedness.
- Higher risk to critical infrastructure
North Carolina hosts a broad set of essential systems — utilities, manufacturing, logistics, healthcare. CISA’s Infrastructure Security Division plays a key role in assessing and protecting these systems. With staffing cuts there, the risk of vulnerabilities being unaddressed rises.
For example: if a ransomware gang targets a smaller utility in the state, the ability of the federal-state interface to respond may be weaker.
- Shrinking “safety net” for private companies
CISA also plays a role in sharing cyber threat intelligence and coordinating public-private partnerships. When under-resourced, that sharing weakens. Already the lapse of the Cybersecurity Information Sharing Act and the shutdown have created gaps.
For a small or medium-sized business in Raleigh or Cary, that could mean fewer warnings, reduced guidance, and less timely awareness of emerging threats.
- Long-term talent and readiness impact
Beyond the immediate furloughs and layoffs, the reductions may create longer-term damage: loss of institutional knowledge, lower morale, fewer fresh hires, less training. One article warns of a “brain drain” at CISA.
That dynamic will gradually degrade the nation’s defensive posture — meaning North Carolina organisations may face a less robust external cyber-environment than previously assumed.
The Big Picture: Cybersecurity Risks Rise While Defences Fall
Let’s step back and look at the broader metaphor: imagine a fortress built to protect a city. That fortress is now operating with only one-third of its guards, the walls are less maintained, and key weapons systems are offline or under-staffed. That is roughly the position cybersecurity is in right now — at least from the federal support side.
Shutdown + Expired Authority = Double Whammy
The shutdown itself forces furloughs and suspended operations. On top of that, the expiry of the CISA Act (which enabled threat-sharing and other authorities) means that legal mechanisms for cooperation are on standby.
Threat actors are watching
Cybersecurity experts warn that adversaries exploit disruptions in defence. One report states: “As the government shutdown continues … it could be a good time for hackers, cyber criminals, and even America’s adversaries.”
Mission creep and overload
With fewer staff and the same or growing number of threats, remaining personnel are stretched thin — forced to take on more than before and to handle emergency incidents while also covering planning, outreach and coordination. That means delays, lower resilience, and a greater chance of missteps.
What CISA’s Undercapacity Could Mean for NC: Real-Life Scenarios
To make this more concrete for audiences in North Carolina, let’s consider some scenarios:
Scenario A: A ransomware attack hits a regional hospital
A medium-sized hospital in the Research Triangle region is hit with a ransomware infection that has spread to its digital imaging and administrative systems. In normal times, a CISA-coordinated response might provide rapid guidance, threat intelligence, and coordination with state-level cyber units. But with fewer staff, those response windows lengthen, guidance might be delayed, and coordination may be weaker — leading to longer downtime, greater patient risk, and higher remediation cost.
Scenario B: A water-treatment plant suffers a cyber intrusion
Many smaller water utilities in North Carolina rely on federal and state coordination for cybersecurity support. With CISA’s Infrastructure Security Division reduced, the “early warning” and vulnerability scanning support that had been available may be curtailed — leaving the utility more vulnerable and less prepared to respond.
Scenario C: A small manufacturing firm attacked via supply-chain threat
SMEs often depend on timely alerts about vulnerabilities (the kind shared via CISA’s public-private partnerships). With threat-sharing mechanisms impaired (both by reduced staffing and by authority gaps), the manufacturing firm might be slower to become aware of a supply-chain exploit targeting its software vendor — and thereby face greater risk of disruption.
Why It Matters for Your Organisation’s Cyber Posture
If you are a business or public-sector organisation in North Carolina — whether in Raleigh, Cary, Durham, Wake Forest, Holly Springs or Chapel Hill — here are some important considerations.
- Assume less federal support, ramp up internal readiness
Given CISA’s reduced capacity, don’t assume federal agencies will be there to plug gaps quickly. Instead, treat this as a signal to strengthen your own cyber defences: incident response plans, business-continuity planning, vulnerability management, employee training.
- Double-check threat intelligence flows
You might have relied on federal-agency bulletins or alerts to inform your cyber posture. With staffing and authority reduced, those flows may slow. Make sure you supplement with private-sector or state-level intelligence feeds, and consider partnerships that aren’t dependent on CISA alone.
- Review your critical-infrastructure dependencies
If you operate infrastructure or supply-critical services (utilities, medical, manufacturing, logistics), map your dependencies on federal coordination. If your model assumed “CISA will help when something fails”, now is the time to stress-test that assumption and have alternative plans in place.
- Communicate with your board, leadership and stakeholders
This kind of federal agency disruption may not make headlines in your industry, but it is part of your risk environment. Make sure leadership understands that “external defence support” is weaker for now, and that your organisation has to compensate.
- Explore state and local resources
North Carolina has resources at the state (and perhaps university) level. With federal capacity reduced, state and local partnerships become more important. Investigate whether state cyber task-forces, university-industry consortia, or state-led threat-sharing programmes can fill the gap.
What Needs to Be Done: Recommendations and Next Steps
From a policy and practitioner viewpoint, there are actionable steps — both by federal/state leaders and by organisations — to respond.
At the federal/state policy level
- Reauthorise key cybersecurity legislation: The lapse of the CISA Act needs to be resolved so that legal authorities for sharing cyber-threat data are restored.
- Stabilise CISA’s workforce and mission: Dramatic cuts risk strategic capabilities; the agency requires a permanent director and clear mission-priorities so that staffing and budget are aligned.
- Strengthen state-federal coordination: With state/local governments and critical infrastructure providers increasingly exposed, mechanisms for collaboration must be resilient even if federal capacity dips.
- Encourage public-private partnerships: Since many threats transcend government boundaries, enabling industry-government coordination is essential. Cuts to CISA’s stakeholder engagement threaten this.
At the organisational level (for NC businesses and public-sector)
- Conduct a cyber risk audit that explicitly includes “external support erosion” as a factor.
- Update incident response playbooks to assume longer lead times for external assistance.
- Invest in cyber workforce development: training existing staff, cross-training non-IT personnel for incident support roles.
- Consider cyber insurance and forensic support readiness: given increased risk, make sure contractual and response arrangements are current.
- Maintain clear board-level communication: ensure leadership understands that the national cyber-defence backdrop is shifting, and that organisational risk-tolerance may need adjusting.
Why This Moment Is Possibly a Turning Point
One way to view the current crisis is that it may represent a pivot in U.S. cyber-defence strategy. The combination of major downsizing at CISA, expiration of key legislative authority, and a broader shift in federal workforce policy suggests that we are entering a new era — one in which national cyberspace defence may rely more heavily on state/local/industry partnerships rather than solely on federal-led coordination.
For North Carolina organisations, that means three things: (1) the era of expecting the “federal firewall” to catch everything may be waning, (2) resilience and self-reliance are growing in importance, (3) there may be valuable leadership opportunities for state-level and regional actors to step up.
Some have described CISA’s situation as akin to a fortress whose exterior defences are intact for now, but whose garrison is dramatically depleted — leaving it vulnerable to a surprise breach.
Whether or not this turns into a full-blown cyber-incident crisis remains to be seen. But the conditions for risk have increased.
Bringing It Home: What North Carolina Organisations Should Remember
- The phrase “CISA among agencies hit with layoffs during shutdown” isn’t just headline-grabbing — it’s signalling real capacity loss.
- Massive downsizing of CISA is underway, and the agency is facing not only furloughs but permanent workforce reductions.
- As the national civilian cyber-defence lead, CISA’s challenges are a national concern — but they have state-level implications: for municipal governments, educational institutions, utilities, healthcare providers and business supply chains in North Carolina.
- Organisations should not wait for federal help to stabilise; instead, they should act now: strengthen internal cyber-capability, diversify threat-intelligence sources, engage local/state partners, and ensure leadership is aware of this shifting risk environment.
- While policy solutions are important (reauthorisation of legislation, stabilising workforce, renewed coordination mechanisms), the operational reality is: the time for assuming “everything will be okay because the federal agency has our back” is fading.
Final Thoughts
Cybersecurity is often described as an arms race: defenders build new walls, attackers discover new tunnels. But what happens if the defenders begin to lose their manpower and tools? The story unfolding at the Cybersecurity and Infrastructure Security Agency shows precisely that scenario: an agency carving away at its workforce and mission while threats march ahead.
For North Carolina organisations — whether in Raleigh’s tech corridor, Cary’s business parks, Durham’s institutions, or the manufacturing hubs around Holly Springs and Apex — the takeaway is clear: you cannot rely purely on federal-level safety nets anymore. Instead, the onus is on local readiness, proactive planning, and making sure your own house is in order.
When you factor in your own cyber-defence posture, supply-chain relationships, infrastructure dependencies and incident-response playbooks — ask yourself this: “If the federal agency that used to coordinate disappeared overnight, would we still be okay?” If the answer is uncertain, now is the time to act.
Cyber threats don’t pause because budgets do. And as the world becomes more connected, the costs of a failure to prepare grow ever larger. In this moment of federal vulnerability, state and business leaders in North Carolina have both responsibility and opportunity: to harden their defences, fill the gaps the federal government can no longer cover, and perhaps build a regional model of cyber-resilience that others will look to.