DHS Shutdown and Leadership Vacuum Deepen Concerns Over CISA Staffing and Mission Capacity
Senators and cybersecurity experts warned that CISA is operating under growing strain as the Department of Homeland Security shutdown and the absence of stable leadership compound earlier cuts to the agency’s workforce and budget. During his confirmation hearing, DHS secretary nominee Markwayne Mullin was pressed on whether he would restore staffing and funding after roughly one-third of CISA’s workforce was cut, but he declined to commit to rehiring personnel or reversing budget reductions, saying only that the agency would be staffed to remain mission capable.
Security professionals said CISA can still perform its core statutory functions with excepted staff, but the loss of personnel, sidelining of employees during the shutdown, and lack of a permanent director are limiting the agency’s ability to sustain non-essential programs, build new capabilities, and advocate for long-term resources. Even as CISA continues to issue operational guidance, including recent warnings tied to Microsoft Intune hardening and patching of vulnerabilities in products such as Synacor Zimbra Collaboration Suite and Microsoft Office, the broader concern is that reduced staffing and weakened leadership are eroding national cyber defense capacity at a time of elevated threat pressure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
27 events from the most recent confirmed update back to the earliest known activity.
CISA leadership exodus leaves most top posts vacant or departing
Cybersecurity Dive reported that nearly all of CISA's top officials had departed or were scheduled to leave by the end of May 2026, according to an internal email from deputy director Madhu Gottumukkala. The departures affected five of the agency's six operational divisions and six of its 10 regional offices, prompting warnings about lost expertise, continuity, and support for critical infrastructure and government partners.
CISA names Ryan Donaghy as its first chief operating officer
CISA announced that Ryan Donaghy returned to the agency from the Transportation Security Administration to serve as its first chief operating officer. In the new role, he will advise senior leadership on operations, business functions, financial and acquisition management, policy development, and interagency coordination during a period of restructuring and budget pressure.
House hearing spotlights state and local fallout from federal cyber cuts
At a House Homeland Security subcommittee hearing, Democratic lawmakers and witnesses from Tennessee, New York, and Florida warned that proposed cuts to CISA, the State and Local Cybersecurity Grant Program, and federal support for MS-ISAC were weakening state and local cyber defenses. They urged Congress to reauthorize and fully fund state and local cybersecurity assistance amid rising ransomware, AI-enabled, and nation-state threats.
Bipartisan lawmakers warn CISA cuts have gone too far
Rep. Don Bacon and Rep. James Walkinshaw publicly said recent staffing and budget reductions have weakened CISA’s ability to defend domestic networks, critical infrastructure, utilities, and local governments against nation-state threats. They pointed to personnel losses, shuttered divisions, proposed FY2027 cuts, and the lack of a Senate-confirmed director as undermining CISA’s coordination and victim-support role.
Tom Parker emerges as leading candidate for CISA director
Tom Parker of IBM Security was reported as a leading candidate to become CISA director, reportedly favored by Homeland Security Secretary Markwayne Mullin for his private-sector experience. The development marked a potential step toward filling CISA's leadership vacancy after Sean Plankey's nomination became nonviable.
Sen. Mark Warner presses DHS over CISA election security rollbacks
Sen. Mark Warner sent a letter to Homeland Security Secretary Markwayne Mullin warning that cuts to CISA's election security mission could leave states and localities without adequate cyber defense and threat intelligence support before the 2026 midterms. He requested details on remaining personnel, programs, assistance requests, trainings, tabletop exercises, and any internal review of election security work.
CISA launches CI Fortify resilience initiative
CISA announced its new CI Fortify initiative to help critical infrastructure organizations maintain essential services during cyberattacks and possible geopolitical conflict. The guidance emphasized isolation and recovery capabilities, though the rollout reportedly lacked specific objectives, timelines, funding, or new resources.
House vote ends 75-day DHS shutdown and restores CISA funding
A bipartisan House vote ended the record 75-day Department of Homeland Security shutdown, restoring funding for DHS components including CISA. The fiscal 2026 Homeland Security package provided $64.4 billion in discretionary DHS funding and included $20 million for critical CISA hiring focused on countering threats from China.
CISA cancels summer cyber scholarship intern onboarding during shutdown
Because of the DHS funding lapse, CISA canceled onboarding for summer interns in a government cyber scholarship program, reflecting a direct hit to the agency's workforce development pipeline. The move came as Acting Director Nick Andersen said the shutdown was restricting preparatory work, outreach, and non-salary spending.
Andersen presents $2.5 billion CISA budget amid shutdown strain
CISA Acting Director Nick Andersen told the House Appropriations Subcommittee on Homeland Security that the agency's proposed $2.5 billion budget is meant to stabilize and scale CISA's mission despite the prolonged DHS shutdown. He said the shutdown had reduced CISA to about 40% staffing capacity, harming federal network defense, while the agency sought funding for cyber operations, infrastructure resilience, emergency communications, the National Risk Management Center, and hiring for 329 critical positions.
Trump FY2027 budget proposal seeks further cuts to CISA
The Trump administration's fiscal 2027 budget proposal called for another major reduction in CISA funding, with budget documents indicating cuts ranging from $361 million to $707 million depending on the baseline used. The proposal would reduce CISA discretionary funding to just over $2 billion and frame the cuts as a refocusing on federal network defense and critical infrastructure resilience.
CISA acting chief warns Congress shutdown is driving resignations
CISA Acting Director Nick Andersen told Congress that the DHS shutdown is degrading the agency’s ability to manage cyber risk, with about 60% of staff furloughed, roughly 1,000 vacancies, and recent resignations among key technical personnel. He said CISA is largely limited to mission-essential functions while proactive risk-reduction work has been paused, creating exploitable gaps and longer-term recruiting and retention damage.
Experts warn DHS shutdown and leadership gap increase cyber risk
Cybersecurity experts publicly warned that CISA's lack of permanent leadership during the DHS shutdown would weaken political influence, long-term planning, threat prioritization, and public messaging. They said the prolonged gap could create exploitable openings for adversaries including China, Iran, North Korea, and Russia.
CISA urges patching of exploited Zimbra and SharePoint flaws
CISA also recently warned agencies to patch actively exploited vulnerabilities affecting Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint. The guidance reflected continued focus on urgent defensive measures even as non-essential programs were curtailed.
CISA issues Microsoft Intune guidance after Iran-linked Stryker attack
Despite staffing constraints, CISA recently published guidance on securing Microsoft Intune following an Iran-linked cyberattack on medical device maker Stryker. The action showed the agency continuing core operational work during the leadership and shutdown turmoil.
Sean Plankey's nomination for CISA director becomes nonviable
The SC Media report states that Sean Plankey's nomination to lead CISA was no longer viable, leaving the agency without a confirmed permanent director. This contributed to concerns about weakened leadership, funding prospects, and strategic continuity.
Senators press DHS nominee Mullin on restoring CISA staffing
During a Senate Homeland Security Committee hearing, senators including Maggie Hassan and Gary Peters questioned DHS secretary nominee Markwayne Mullin about whether he would reverse cuts to CISA. Mullin did not commit to restoring previous staffing or funding levels, saying only that the agency should be adequately staffed with the right personnel.
CISA staffing and budget cuts reduce agency capacity
CISA underwent significant workforce reductions, budget cuts, and rollbacks of programs tied to election security, cyber grants, and vulnerability tracking. By the time of the reported DHS shutdown, the agency was operating with roughly one-third of its staff and only essential functions remained active.
Leader of CISA federal cyber defense programs resigns
Federal News Network reported that the official leading CISA's federal cyber defense programs resigned from the agency amid broader leadership turmoil and workforce disruption. The departure added to concerns about instability in one of CISA's core operational missions shortly after DHS replaced the acting director.
DHS removes Madhu Gottumukkala and names Nick Andersen acting CISA director
The Department of Homeland Security removed Madhu Gottumukkala as acting director of CISA and reassigned him to DHS headquarters, replacing him with Nick Andersen as acting director. The move followed controversy around Gottumukkala's tenure and was seen by some employees and officials as a chance to stabilize agency leadership.
DHS reassigns two senior CISA officials after attempted ouster
Politico reported that two senior CISA officials were reassigned amid internal turmoil following an earlier attempted ouster. The move signaled escalating leadership disruption at the agency immediately before DHS replaced acting director Madhu Gottumukkala.
Trump re-nominates Sean Plankey for CISA director
President Donald Trump re-nominated Sean Plankey to lead CISA after the agency had gone nearly a year without a Senate-confirmed director. The move revived a nomination that had bipartisan and industry backing, though it remained entangled in Senate holds unrelated in part to cybersecurity.
Report blames Trump workforce cuts for weakening US cyber edge
A report published in October 2025 said Trump administration workforce reductions were dulling America's cybersecurity advantage, linking staffing cuts to reduced cyber capacity. The assessment broadened concern beyond CISA headcount losses to the wider impact on U.S. cyber readiness.
JCDC support contract lapses, cutting over 100 contractor staff
A major support contract for CISA's Joint Cyber Defense Collaborative expired on July 25, causing the loss of more than 100 contractors, with only 10 temporarily retained through emergency funding. The lapse disrupted a key public-private cyber defense program responsible for incident coordination, risk assessments, exercises, and threat information sharing.
Elimination of CIPAC disrupts critical infrastructure cyber partnerships
By June 2025, industry representatives and former officials said the Trump administration's elimination of the Critical Infrastructure Partnership Advisory Council, along with staffing cuts and canceled engagements, had frayed trusted cyber coordination between government and critical infrastructure sectors. The disruption affected information sharing and preparedness across sectors including healthcare, water, energy, and telecommunications.
CISA workforce drops by about 1,000 amid Trump reduction efforts
By early June 2025, roughly 1,000 employees had departed CISA through buyouts, early retirements, layoffs, and DHS workforce transition measures, cutting staffing to about 2,200. Reports said the Cybersecurity Division and Cybersecurity Advisers field staff were among the hardest hit, raising concerns about reduced operational capacity.
Politico reports Trump purge is gutting federal cyber disinformation workers
Politico reported that the Trump administration was continuing a purge of federal cyber personnel, including workers involved in combating disinformation. The report marked an early public indication that cyber-focused staffing cuts were underway and affecting mission areas tied to information integrity and security.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
41 references tracked. Mallory keeps watching after this page renders.
Ryan Donaghy returns to CISA as first chief operating officer - Nextgov/FCW
nextgov.com
Open sourceDems slam Trump cyber cuts amid ballroom, Jan. 6 'slush fund'
theregister.com
Open sourceLawmakers from both parties say CISA cuts have gone too far | CyberScoop
cyberscoop.com
Open sourceState Officials Urge Congress to Renew Cyber Grant Program
govinfosecurity.com
Open sourceOne-third of U.S. cyber agency CISA has left since Trump took office
axios.com
Open sourceCISA loses nearly all top officials as purge continues | Cybersecurity Dive
cybersecuritydive.com
Open sourceTrump continues federal purge, gutting cyber workers who combat disinformation - POLITICO
politico.com
Open sourceDhs
dhs.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Capacity Degraded by Personnel Cuts, Program Closures, and Leadership Vacancies
Bipartisan lawmakers and private-sector cybersecurity leaders warned that the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has been significantly weakened after roughly a year of personnel cuts and layoffs under the second Trump administration, with reporting indicating the agency has lost about **one-third of its workforce** and shuttered or reduced entire divisions. Sources described diminished ability to execute core missions such as coordinating with industry and protecting federal civilian networks, with some organizations reportedly seeking alternatives (industry alliances, outside consultants, or direct government-to-government partnerships) rather than relying on CISA support. Reporting also tied the degradation to a prolonged **leadership vacuum**—with the administration’s nominee **Sean Plankey** not confirmed and Acting Director **Madhu Gottumukkala** criticized by some sources as struggling to lead—alongside political and operational pressures that deprioritized the agency. Specific capability impacts cited include reduced **counter-ransomware** efforts, work to promote **secure software development**, and losses affecting **election security** functions; additional strain was attributed to reassignment of staff to other DHS priorities and to a partial federal government shutdown that further reduced available staffing levels, raising concerns about CISA’s readiness to respond to a major cyber crisis.
Mar 21, 2026
Acting CISA Director Warns DHS Shutdown Would Curtail Cyber Defense Operations
Acting CISA Director **Madhu Gottumukkala** told House appropriators that a potential Department of Homeland Security funding lapse would materially reduce CISA’s ability to support public- and private-sector partners, warning that “when the government shuts down, cyber threats do not.” He said a shutdown would degrade timely, actionable guidance; curtail core missions such as digital response; and limit work to activities deemed essential to protecting life and property—shifting the agency from proactive efforts (including vulnerability scanning) to a more reactive posture. He also said a shutdown would force more than a third of CISA’s frontline security experts and threat hunters to work without pay and would impede progress on CISA’s long-awaited cyber incident reporting rule. In the same congressional context, Gottumukkala also acknowledged that **about 70 CISA staff** were reassigned to other DHS offices over the last year (including a “handful” to **ICE**), while “30 plus” personnel were transferred into CISA; a December 2025 staffing chart cited in reporting reflected **27 inbound** and **65 outbound** reassignments. Separately, Congress reauthorized the **Cybersecurity Information Sharing Act of 2015 (CISA 2015)**—which provides liability protections, FOIA exemptions, and other safeguards for sharing cyber threat indicators and defensive measures—extending it from its planned January 2026 sunset to **September 30, 2026**. Reporting on the Senate Intelligence Committee advancing a nominee to lead **U.S. Cyber Command/NSA** is related to federal cyber leadership but is not part of the shutdown/CISA operational-impact story.
Mar 21, 2026
DHS Leadership Upheaval and Uncertainty Over CISA’s Direction
The Department of Homeland Security is undergoing a significant IT and cybersecurity leadership realignment, including the reported departures of **DHS CISO Hemant Baidwan** and **Deputy CISO Amanda Day**. The shakeup follows broader turbulence across DHS and **CISA**, including the reassignment of acting CISA Director Madhu Gottumukkala to a DHS headquarters role and the resignation of CISA CIO Bob Costello; Day has since moved to the private sector as VP of cybersecurity and trust at *Workday*. Separately, President Donald Trump nominated Sen. **Markwayne Mullin** to lead DHS after firing Secretary Kristi Noem, a move that DHS and CISA personnel described as adding uncertainty to an agency already strained by workforce reductions, leadership instability, and operational impacts from a recent DHS shutdown. While Mullin has supported some cybersecurity-related legislation, employees cited ongoing concerns about CISA’s ability to stabilize without a permanent, Senate-confirmed leader; an unrelated report noted the IRS has launched a “thorough” cybersecurity review amid congressional scrutiny of taxpayer-data sharing and privacy compliance, but that issue is not part of the DHS/CISA leadership event.
Mar 21, 2026