CISA cyber partnerships face ‘standstill’ amid cuts

CISA staff departures, especially in the Stakeholder Engagement Division, have kneecapped the cyber agency's ability to coordinate with the private sector.

Cyber experts say staff cuts and other changes at the Cybersecurity and Infrastructure Security Agency have left CISA less ready to engage with the private sector on critical cyber issues, even as lawmakers eye new steps to address increasingly important sectors like space systems and data centers.

During a House Homeland Security cybersecurity and infrastructure protection subcommittee hearing Wednesday, witnesses focused primarily on CISA’s role carrying out sector risk management agency (SRMA) duties assigned to the Department of Homeland Security.

Rep. Delia Ramirez (D-Ill.), the new ranking member of the cybersecurity subcommittee, pointed out that CISA has lost roughly one-third of its staff over the past year. CISA’s Stakeholder Engagement Division lost 96 of 189 staff since January 2025.

“It’s ironic to talk about modernizing DHS as a Sector Risk Management Agency when Trump has been on a vindictive campaign to dismantle CISA, the very agency he established but started attacking the minute it became an obstruction to his interest,” Ramirez said.

CISA’s fiscal 2027 budget request would further cut the Stakeholder Engagement Division to just 62 positions. The budget would eliminate the division’s Council Management offices, Stakeholder Engagement activities and offices, and the International Affairs external engagement offices.

“This change shifts CISA’s stakeholder engagement mission space to solely support the SRMA efforts and aligns with CISA’s priorities to strengthen critical infrastructure security while optimizing operational effectiveness,” CISA’s budget request states.

But Mark Montgomery, senior director and senior fellow at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, argued the Stakeholder Engagement Division’s work is crucial amid the cuts.

“Without the Stakeholder Engagement Division, you don’t have the ability to set up the information sharing agreements to do the engagement with the sector,” Montgomery said during Wednesday’s hearing.

Cyber attacks ‘have not stopped’

The Stakeholder Engagement Division’s Council Management offices had supported CISA and DHS’s work with various groups, including the Critical Infrastructure Partnership Advisory Council (CIPAC). The council had provided key authorities for DHS and CISA to work with the private sector on security issues, including cyber threats.

But DHS eliminated CIPAC last year. A promised replacement for the council hasn’t materialized.

Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center, called for DHS to move forward with a replacement for CIPAC.

“When DHS disbanded CIPAC, it removed the legal framework that enabled and protected strategic engagement between CISA and industry,” Algeier testified on Wednesday. “As a result, most of the work with CISA is at a standstill. Our adversaries have not paused. They have not stopped. They are continuing to attack with impunity.”

CISA officials have also warned that the ongoing government shutdown has hampered the agency’s ability to coordinate with the private sector and other partners.

However, Robert Mayer, senior vice president of cybersecurity and innovation at USTelecom, applauded a “marked increase” in the number of intelligence briefings CISA had provided to the private sector over the last two years.

“We’ve made a lot of progress in this that area,” Mayer said. “One area that deserves greater attention is the ability to convey that information to the local and regional providers in the communication sector. There are hundreds of such providers, and getting very quick information is very important to them. But I also will say that CISA has done a better job in terms of releasing cybersecurity advisories at the unclassified level, and that has been very helpful as well.”

Montgomery pointed out that CISA’s work with state and local governments has been hampered by the elimination of CIPAC, the pulling of federal funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC), and Congress’s failure to reauthorize the State and Local Cybersecurity Grant Program.

“When you combine those three efforts together … there’s no way that these small public utilities, who don’t have two wood nickels to rub together normally in their budget for cybersecurity, are able to make the proper investments to protect those utilities against ransomware and against nation state actors,” Montgomery said. “And so our public health and safety at the very core, at our most vulnerable level, is weak.”

Space and data centers

Meanwhile, some cyber experts continue to advocate for an expansion of the 16 designated critical infrastructure sectors, with various proposals to add the space sector and data centers.

Several House lawmakers in recent years have introduced legislation that would direct the Secretary of Homeland Security to designate space systems, services and technology as a sector of critical infrastructure.

Sam Visner, chairman of the board of directors for the Space Information Sharing and Analysis Center, said the United States should “recognize that space systems are, in fact, critical to every aspect of our national security, every aspect of our economic security, and every aspect of the security of our critical infrastructure.”

Visner also pointed to a Council on Foreign Relations report that advocated for an assessment of space vulnerabilities and remediation steps.

“It certainly should include DHS, which, despite the decrement in its staffing, there have been people at DHS and at CISA who have worked very closely with the Space-ISAC and with the space systems domain, and have shown a great deal of interest,” Visner said.

Meanwhile, amid the artificial intelligence boom, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-Tenn.) pointed out that the current U.S. policy framework “does not provide a clear, unified approach to data center security.” That includes the question of which federal agency would be responsible for addressing risks to data centers.

Data center security largely falls under the IT sector today. But Montgomery advocated for the United States to create a separate designation for data centers, much like the United Kingdom has already done.

“There should be a strong consideration of whether data centers and cloud need to be a separate critical, national critical infrastructure,” Montgomery said. “There’s been a push for that in the past. It fell short with the cloud. But now the other data centers as well, and we can all see the dynamic, large role they’re going to play in the United States, possibly an independent national critical infrastructure that handles data center and clouds separate from communications.”

Copyright © 2026 Federal News Network. All rights reserved.