DHS Leadership Upheaval and Uncertainty Over CISA’s Direction
The Department of Homeland Security is undergoing a significant IT and cybersecurity leadership realignment, including the reported departures of DHS CISO Hemant Baidwan and Deputy CISO Amanda Day. The shakeup follows broader turbulence across DHS and CISA, including the reassignment of acting CISA Director Madhu Gottumukkala to a DHS headquarters role and the resignation of CISA CIO Bob Costello; Day has since moved to the private sector as VP of cybersecurity and trust at Workday.
Separately, President Donald Trump nominated Sen. Markwayne Mullin to lead DHS after firing Secretary Kristi Noem, a move that DHS and CISA personnel described as adding uncertainty to an agency already strained by workforce reductions, leadership instability, and operational impacts from a recent DHS shutdown. While Mullin has supported some cybersecurity-related legislation, employees cited ongoing concerns about CISA’s ability to stabilize without a permanent, Senate-confirmed leader. An unrelated report noted that the IRS has launched a “thorough” cybersecurity review amid congressional scrutiny of taxpayer-data sharing and privacy compliance, but that issue is not part of the DHS/CISA leadership event.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
DHS CISO and deputy CISO are replaced
As part of the realignment, DHS moved to replace Chief Information Security Officer Hemant Baidwan and Deputy CISO Amanda Day, according to sources cited by FedScoop.
DHS begins major IT and cybersecurity leadership realignment
DHS launched a significant IT leadership overhaul led in part by CIO Antoine McCord, with plans that sources said could include moving headquarters personnel into component CIO roles and consolidating IT functions under the DHS CIO office.
Markwayne Mullin is nominated to lead DHS
The Trump administration nominated Sen. Markwayne Mullin to become DHS secretary after Noem's removal, prompting mixed reactions inside DHS and CISA about the department's future direction.
Trump announces Kristi Noem will leave DHS at end of March
President Trump announced that Homeland Security Secretary Kristi Noem would depart at the end of March, setting off a broader leadership transition across DHS.
FEMA IT staff are fired and acting CIO is installed
FEMA previously dismissed IT personnel and installed Zeke Maldonado as acting FEMA CIO, a move sources said fit a wider DHS effort to consolidate component IT functions under headquarters.
DHS CIO Bob Costello resigns
DHS Chief Information Officer Bob Costello resigned as part of broader upheaval in the department's technology leadership ranks.
Madhu Gottumukkala departs as acting CISA director
Former acting CISA Director Madhu Gottumukkala left the role after reported tensions, adding to leadership turnover at the agency.
Sean Plankey leaves Coast Guard advisory role amid Senate hold
CISA director nominee Sean Plankey departed an advisory role with the U.S. Coast Guard while his confirmation remained blocked by a Senate hold, prolonging uncertainty over CISA leadership.
DHS shutdown follows Minneapolis shootings and funding standoff
A DHS shutdown occurred after fatal shootings by immigration agents in Minneapolis triggered political fallout and a standoff over immigration reforms and DHS funding. The shutdown further destabilized DHS and CISA operations.
Trump returns to office with CISA lacking a Senate-confirmed leader
Since President Donald Trump returned to office, CISA has operated without a permanent Senate-confirmed director, contributing to prolonged leadership uncertainty at the agency.


