CISA Layoffs Challenged Amid Union Injunction During Government Shutdown
The Cybersecurity and Infrastructure Security Agency (CISA) defended its decision to issue reduction-in-force notices to 54 employees in its stakeholder engagement division, arguing in federal court that none of the affected workers are protected by a preliminary injunction covering unionized federal employees. The agency stated that the layoffs, delivered on October 11, were in compliance with a court order that blocks layoffs during the government shutdown for employees represented by eight national civil service unions. CISA maintained that none of the impacted branches include union members covered by the injunction.
Critics have raised concerns that the layoffs could undermine CISA's ability to coordinate with private sector partners, as the affected employees were responsible for fostering external relationships. CISA reported taking additional steps to ensure ongoing compliance with the court's order while the legal challenge proceeds. The preliminary injunction, extended by a San Francisco federal judge, prohibits agencies from issuing or processing layoff notices to any office with even a single member of the unions involved in the lawsuit.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA defends layoffs amid union injunction
CISA publicly defended layoffs while facing a union-backed injunction challenge. The references provide no additional factual details about the underlying actions, scope, or prior milestones.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Divisions Impacted by Workforce Termination Orders During Government Shutdown
Several divisions within the Cybersecurity and Infrastructure Security Agency (CISA) have been affected by reduction-in-force (RIF) notices issued during the ongoing government shutdown, according to multiple industry sources. The Office of Management and Budget, led by Director Russ Vought, announced these workforce cuts as part of broader federal government measures. Staff members from CISA's Stakeholder Engagement Division, Infrastructure Security Division, and Integrated Operations Division are among those impacted by the layoffs. The Department of Homeland Security (DHS) has stated that these layoffs are intended to help CISA refocus on its core mission. Prior budget documents from DHS indicated that the Chemical Security subdivision within CISA was already scheduled to wind down certain programs and initiatives, suggesting that the workforce reductions are part of a longer-term restructuring. A recent court filing revealed that 176 DHS employees were laid off, though the specific number of CISA employees affected remains unclear. The possibility of further reductions across the federal workforce has not been ruled out. The Trump administration has been critical of CISA's involvement in addressing misinformation, particularly regarding its collaborations with social media platforms to counter false information about elections and COVID-19. This criticism has been cited as a factor in the administration's push to "refocus" the agency. The layoffs have created uncertainty within CISA, with staff members expressing concerns about the future of their divisions and the agency's ability to fulfill its cybersecurity mandate. The Stakeholder Engagement Division, which plays a key role in liaising with external partners, is believed to be among the hardest hit. The Infrastructure Security Division and Integrated Operations Division, both critical to national infrastructure protection and operational coordination, are also affected. The reduction in workforce may impact CISA's capacity to respond to cyber threats and support critical infrastructure sectors. DHS has not provided detailed breakdowns of which positions or functions are being eliminated. The ongoing government shutdown has exacerbated the challenges faced by CISA, as resource constraints and political pressures converge. Industry observers are closely monitoring the situation for potential impacts on national cybersecurity readiness. The future direction of CISA remains uncertain as the agency navigates these significant organizational changes. The broader implications for federal cybersecurity efforts are still unfolding as the shutdown and workforce reductions continue.
Mar 21, 2026
CISA Workforce Reductions and Pullback From RSAC Amid Leadership and Mission Refocus
The **Cybersecurity and Infrastructure Security Agency (CISA)** said it will **not participate in the RSA Conference (RSAC)** in March, citing routine reviews of stakeholder engagements and “good stewardship of taxpayer dollars,” and framing the decision as part of a broader effort to return to its statutory “core mission” and align with the Trump administration’s priorities. The move followed the announcement that former CISA Director **Jen Easterly** was named **CEO of the RSAC Conference**, after which senior administration cyber officials reportedly discussed canceling their attendance. Separately, Acting CISA Director **Madhu Gottumukkala** told the House Homeland Security Committee that CISA remains capable of protecting government networks and critical infrastructure despite significant workforce reductions, describing the cuts as intended to eliminate duplication and refocus on mission outcomes. Lawmakers raised questions about impacts to **election security**, broader cybersecurity operations, and implementation of the **Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)**; Gottumukkala said CISA will continue targeted hiring for mission-critical roles and asserted the agency has the staffing it needs, while an internal report cited in the hearing indicated nearly **1,000 personnel** have departed, been laid off, or transferred since President Trump took office (over one-third of the workforce).
Jan 31, 2026
Acting CISA Director Warns DHS Shutdown Would Curtail Cyber Defense Operations
Acting CISA Director **Madhu Gottumukkala** told House appropriators that a potential Department of Homeland Security funding lapse would materially reduce CISA’s ability to support public- and private-sector partners, warning that “when the government shuts down, cyber threats do not.” He said a shutdown would degrade timely, actionable guidance; curtail core missions such as digital response; and limit work to activities deemed essential to protecting life and property—shifting the agency from proactive efforts (including vulnerability scanning) to a more reactive posture. He also said a shutdown would force more than a third of CISA’s frontline security experts and threat hunters to work without pay and would impede progress on CISA’s long-awaited cyber incident reporting rule. In the same congressional context, Gottumukkala also acknowledged that **about 70 CISA staff** were reassigned to other DHS offices over the last year (including a “handful” to **ICE**), while “30 plus” personnel were transferred into CISA; a December 2025 staffing chart cited in reporting reflected **27 inbound** and **65 outbound** reassignments. Separately, Congress reauthorized the **Cybersecurity Information Sharing Act of 2015 (CISA 2015)**—which provides liability protections, FOIA exemptions, and other safeguards for sharing cyber threat indicators and defensive measures—extending it from its planned January 2026 sunset to **September 30, 2026**. Reporting on the Senate Intelligence Committee advancing a nominee to lead **U.S. Cyber Command/NSA** is related to federal cyber leadership but is not part of the shutdown/CISA operational-impact story.
Mar 21, 2026