The Looming Cybersecurity Gap: How CISA’s Shift Could Leave States Vulnerable
A staggering 88% of U.S. counties lack dedicated cybersecurity personnel, according to a recent study by the National Association of Counties. Now, a significant shift in federal cybersecurity strategy threatens to widen this gap, potentially leaving state and local governments increasingly exposed to sophisticated cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) is set to end its cooperative agreement with the Center for Internet Security (CIS) – a move that, despite assurances of a “new model,” raises serious questions about the future of accessible, affordable cybersecurity support for those on the front lines.
The End of an Era for Collaborative Defense
For years, the CIS has been a critical partner in bolstering the nation’s cybersecurity posture, particularly at the state and local levels. Through programs like the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS provided a vital, nationwide threat-intel network – largely free of charge – to officials across all 50 states. This network allowed for rapid dissemination of critical information, enabling proactive defense against evolving threats. However, recent funding cuts, including a $10 million reduction (half its budget) for the MS-ISAC in March, have forced CIS to transition to a fee-based model. CISA’s planned termination of the cooperative agreement on September 30, 2025, marks a further departure from this collaborative approach.
CISA’s “New Model”: Grant Funding and Unanswered Questions
CISA frames this transition as a move towards empowering state, local, tribal, and territorial (SLTT) partners through “access to grant funding, no-cost tools, and cybersecurity expertise.” The agency insists this “new model” will strengthen accountability and maximize impact. But a crucial question remains: will the funding redirected from CIS-led initiatives actually reach those who need it most, and will it be sufficient to replace the comprehensive services currently offered? CISA has yet to clarify whether federal dollars previously channeled to CIS will be directly funneled into existing state and local infosec efforts, such as the State and Local Cybersecurity Grant Program, or other free services like Cyber Hygiene scanning, phishing assessments, and vulnerability management.
The Impact on Information Sharing and Analysis Centers (ISACs)
The cuts extend beyond the MS-ISAC. Earlier this year, the Department of Homeland Security terminated funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), also run by CIS. This center played a crucial role in advising election officials and voting machine makers on cyber threats to democratic processes. While the EI-ISAC Executive Committee is exploring alternative funding options, the disruption highlights the fragility of these vital information-sharing networks. Without consistent funding, the ability of states to rapidly communicate about emerging threats – as Tina Barton of The Elections Group pointed out, “How are states going to communicate if they see a cyber issue happening out in Oregon, how are they going to let Michigan know that that’s happening?” – is severely compromised.
Beyond CISA-CIS: A Perfect Storm of Cybersecurity Challenges
The timing of these changes is particularly concerning. The CISA-CIS agreement isn’t the only critical element expiring. The 2015 Cybersecurity Information Sharing Act (CISA) is also set to lapse on October 1st, unless Congress acts. Coupled with the potential for a federal government shutdown, this creates a “perfect storm” of uncertainty for cybersecurity preparedness. The lapse of CISA could hinder the voluntary sharing of cyber threat information between the private sector and government, further isolating SLTT entities.
The Rise of Ransomware and the Increasing Sophistication of Attacks
This shift in federal strategy occurs against a backdrop of escalating cyber threats. Ransomware attacks against state and local governments continue to rise, disrupting essential services and costing taxpayers millions of dollars. These attacks are becoming increasingly sophisticated, often leveraging zero-day exploits and advanced persistent threats (APTs). Without robust, accessible support from organizations like CIS, smaller governments may struggle to defend against these evolving tactics. The financial burden of cybersecurity is also a significant factor; many local governments simply lack the resources to invest in advanced security solutions and dedicated personnel.
Looking Ahead: A Need for Proactive Investment and Collaboration
The move away from a centralized, federally-supported model towards a grant-based system carries inherent risks. While grants can empower local governments, they often come with bureaucratic hurdles and may not be sufficient to address the full spectrum of cybersecurity needs. A more sustainable approach requires a proactive, long-term investment in cybersecurity infrastructure at all levels of government, coupled with continued collaboration between federal agencies, non-profit organizations, and the private sector. The future of U.S. cybersecurity resilience hinges on ensuring that every state and local government has the resources and expertise necessary to defend against the ever-growing threat landscape. What are your predictions for the future of state and local cybersecurity funding? Share your thoughts in the comments below!
The National Institute of Standards and Technology (NIST) provides valuable resources and frameworks for improving cybersecurity practices.
