U.S. Federal Cyber Leadership Turmoil and CISA Policy Disruptions
U.S. federal cyber operations faced heightened uncertainty amid leadership turnover and staffing reductions at CISA, raising concerns about the agency’s capacity to execute its mission. Reporting indicated acting director Madhu Gottumukkala was replaced by Nick Andersen following controversies including alleged mishandling of sensitive information, while CISA also lost its CIO and reportedly saw staffing reduced by roughly one-third. Separately, Senate confirmation dynamics continued to affect cyber leadership, with Sen. Ron Wyden opposing the nomination of Lt. Gen. Joshua Rudd to lead U.S. Cyber Command and the NSA, citing concerns about experience and constitutional-rights familiarity as the agencies remained without a permanent chief.
CISA’s policy and guidance output continued but faced headwinds from broader federal disruptions. CISA published new insider-threat program guidance centered on the POEM framework (Plan, Organize, Execute, Maintain) to help organizations build multi-disciplinary insider threat management teams spanning physical security, cybersecurity, HR/personnel, and reporting/analysis functions. At the same time, a partial DHS shutdown was reported to be stalling progress on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rulemaking, complicating compliance planning for critical infrastructure entities awaiting clarity on incident reporting requirements and enforcement expectations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Trump proposes $707 million cut to CISA's FY2027 budget
On April 3, 2026, President Trump proposed cutting $707 million from CISA's fiscal year 2027 budget, framing the reduction as a refocus on the agency's core cybersecurity mission. The proposal would eliminate or reduce programs tied to misinformation, stakeholder engagement, international affairs, and other functions, raising concerns about weakened coordination with government and private-sector partners.
Sean Plankey nominated as permanent CISA director
Sean Plankey was nominated to serve as CISA's permanent director, but his Senate confirmation remained pending and was reportedly delayed by demands to release a report on telecom cybersecurity flaws tied to Salt Typhoon activity.
CISA staffing cut by roughly one-third amid leadership turnover
Over the past year, CISA reportedly lost about one-third of its staff and also saw the departure of Chief Information Officer Bob Costello, prompting concerns about the agency's operational capacity and security posture.
Nick Andersen becomes CISA acting director after Madhu Gottumukkala
Nick Andersen replaced Madhu Gottumukkala as CISA's acting director following controversies during Gottumukkala's tenure, including reports involving sensitive document handling and a failed counterintelligence polygraph.
Partial DHS shutdown delays CIRCIA rulemaking progress
A partial U.S. government shutdown affecting the Department of Homeland Security stalled progress on CISA's cyber incident reporting rule, complicating compliance planning for critical infrastructure organizations.
Sen. Ron Wyden opposes Joshua Rudd's NSA/Cybercom nomination
Sen. Ron Wyden entered a letter into the Congressional Record opposing Army Lt. Gen. Joshua Rudd's nomination to lead the NSA and U.S. Cyber Command, arguing that Rudd lacks sufficient experience and understanding of constitutional rights for the role.
CISA seeks additional feedback on draft CIRCIA rule
In February 2026, CISA announced it was seeking additional feedback on its draft CIRCIA incident reporting rule, its first major update since industry comments were submitted in 2024.
CISA publishes insider threat management team guidance
On January 28, 2026, CISA released guidance titled "Assembling a Multi-Disciplinary Insider Threat Management Team" to help organizations build insider threat programs using its four-phase POEM framework.
CISA, FBI, and NSA withdraw from RSAC after Jen Easterly's hiring
Eight days after RSAC appointed former CISA Director Jen Easterly as CEO, CISA, the FBI, and the NSA withdrew from participation in the conference and their officials were removed from the event schedule. The move disrupted planned panels on public-private partnerships, incident response, and nation-state threats, marking a break from years of federal participation in RSAC.
Gen. Timothy Haugh removed from NSA and Cyber Command leadership
Gen. Timothy Haugh was removed from leadership of the National Security Agency and U.S. Cyber Command in April 2025, leaving both organizations without a permanent chief for months.
CISA receives industry comments on draft CIRCIA reporting rule
Industry comments on CISA's draft Cyber Incident Reporting for Critical Infrastructure Act rule were submitted in June 2024, marking a key step in the agency's incident reporting rulemaking process.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Trump wants to slash $707M from CISA's budget • The Register
go.theregister.com
Open sourceCISA faces leadership changes amidst staffing cuts and security concerns | brief | SC Media
scworld.com
Open sourceCISA Releases New Guidance on Assembling Multi-Disciplinary Insider Threat Management Teams - DataBreaches.Net
databreaches.net
Open sourceShutdown Stalls Compliance Plans for Cyber Breach Reporting Rule - DataBreaches.Net
databreaches.net
Open sourceAnother roadblock faced by Trump’s Cybercom, NSA nominee | brief | SC Media
scworld.com
Open sourceFederal agencies abruptly pull out of RSAC after organizer hires Easterly | Cybersecurity Dive
cybersecuritydive.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Capacity Degraded by Personnel Cuts, Program Closures, and Leadership Vacancies
Bipartisan lawmakers and private-sector cybersecurity leaders warned that the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has been significantly weakened after roughly a year of personnel cuts and layoffs under the second Trump administration, with reporting indicating the agency has lost about **one-third of its workforce** and shuttered or reduced entire divisions. Sources described diminished ability to execute core missions such as coordinating with industry and protecting federal civilian networks, with some organizations reportedly seeking alternatives (industry alliances, outside consultants, or direct government-to-government partnerships) rather than relying on CISA support. Reporting also tied the degradation to a prolonged **leadership vacuum**—with the administration’s nominee **Sean Plankey** not confirmed and Acting Director **Madhu Gottumukkala** criticized by some sources as struggling to lead—alongside political and operational pressures that deprioritized the agency. Specific capability impacts cited include reduced **counter-ransomware** efforts, work to promote **secure software development**, and losses affecting **election security** functions; additional strain was attributed to reassignment of staff to other DHS priorities and to a partial federal government shutdown that further reduced available staffing levels, raising concerns about CISA’s readiness to respond to a major cyber crisis.
Mar 21, 2026
US Federal Cyber and IT Leadership Turnover and Confirmation Disputes
US federal cyber and IT leadership saw multiple high-profile personnel moves, including a planned transition at the **Cybersecurity and Infrastructure Security Agency (CISA)**. Acting director **Madhu Gottumukkala** is expected to leave CISA for a new Department of Homeland Security role as director of strategic implementation, with **Nick Andersen** (CISA’s executive assistant director for cybersecurity) slated to become acting director. Separately, CISA **CIO Bob Costello** reportedly received reassignment/transfer orders and is expected to depart the agency, with reporting indicating he may have been offered reassignment to **FEMA**; the reasons for the move were not publicly clarified. In parallel, Senate confirmation politics affected senior national cyber leadership: Sen. **Ron Wyden** said he would block confirmation of Lt. Gen. **Joshua Rudd** to lead both **U.S. Cyber Command** and the **NSA**, citing a lack of cyber and signals intelligence experience and concerns about his understanding of NSA surveillance authorities. Outside the cyber agencies, the **Department of Justice** elevated **Nikki Collier** from deputy CIO to permanent CIO, following a prolonged vacancy after the prior CIO’s departure, underscoring broader federal IT leadership churn during a period of workforce reductions and ongoing scrutiny of security governance practices.
Mar 21, 2026
US Lawmakers Seek Short-Term Extension of Key CISA Cybersecurity Authorities Amid Agency Leadership Turmoil
Congressional leaders introduced a compromise federal funding package that would **temporarily extend two major U.S. cybersecurity authorities**—the 2015 *Cybersecurity and Infrastructure Security Act* (which provides liability protections intended to encourage private-sector cyber threat information sharing with the federal government) and the **State and Local Cybersecurity Grant Program**—through **September 30**. The proposal follows prior stopgap extensions after the statutes lapsed, and comes as lawmakers debate longer-term reauthorization options, including competing House and Senate proposals and a draft approach from Sen. Rand Paul that would remove the original law’s liability protections. Separately, reporting highlighted **internal leadership instability at CISA**: acting director **Madhu Gottumukkala** reportedly attempted to remove or reassign CISA CIO **Robert Costello** via a management-directed reassignment, but was blocked after objections from other political appointees within DHS. The episode adds to concerns about decision-making and turnover at the agency at a time when CISA is responsible for coordinating federal cyber defense, incident response support, and collaboration with state, local, and private-sector partners—functions that could be affected by sustained leadership disruption.
Mar 21, 2026