Cybersecurity specialists warn that staffing reductions and organizational changes at the Cybersecurity and Infrastructure Security Agency have diminished CISA’s capacity to collaborate with private industry on vital cyber concerns, even as legislators consider fresh measures to tackle growing threats to areas like space infrastructure and data centers.
A hearing held Wednesday before the House Homeland Security cybersecurity and infrastructure protection subcommittee centered largely on how CISA fulfills its responsibilities as a sector risk management agency, a function granted to the Department of Homeland Security.
Delia Ramirez (D-Ill.), who recently assumed the role of ranking member on the cybersecurity subcommittee, noted that CISA has shed approximately one-third of its workforce over the past year. Specifically, its Stakeholder Engagement Division saw its headcount drop from 189 employees to just 93 since January 2025.
“It’s absurd to discuss upgrading DHS’s role as a Sector Risk Management Agency while Trump has been waging a retaliatory effort to gut CISA — the very agency he once created but began undermining the moment it stood in the way of his agenda,” Ramirez stated.
CISA’s proposed fiscal year 2027 budget would shrink the Stakeholder Engagement Division down to merely 62 positions. The plan calls for eliminating the division’s Council Management offices, its various Stakeholder Engagement teams, and the International Affairs external engagement offices.
“This reorganization refocuses CISA’s stakeholder engagement mission to exclusively support SRMA initiatives and reflects CISA’s commitment to fortifying critical infrastructure security while streamlining operational efficiency,” according to CISA’s budget proposal.
However, Mark Montgomery, who serves as senior director and senior fellow at the Center on Cyber and Technology Innovation within the Foundation for Defense of Democracies, contended that the work of the Stakeholder Engagement Division has become even more essential given the ongoing cuts.
“Without the Stakeholder Engagement Division, the infrastructure for establishing information-sharing agreements and engaging with industry sectors simply doesn’t exist,” Montgomery testified during Wednesday’s hearing.
Cyber attacks ‘have not stopped’
The Council Management offices within the Stakeholder Engagement Division had previously backed CISA and DHS’s collaboration with a range of organizations, including the Critical Infrastructure Partnership Advisory Council. That council offered essential legal authorities for DHS and CISA to partner with private companies on security challenges, including cyber threats.
However, DHS dissolved CIPAC last year, and a promised successor organization has yet to surface.
Scott Algeier, who leads the Information Technology-Information Sharing and Analysis Center as its executive director, urged DHS to advance plans for a CIPAC replacement.
“When DHS terminated CIPAC, it dismantled the legal framework that empowered and safeguarded strategic cooperation between CISA and industry,” Algeier explained during his Wednesday testimony. “Consequently, the vast majority of collaborative efforts with CISA have ground to a halt. Our adversaries have not backed off. They have not slowed down. They continue attacking without facing any consequences.”
CISA officials have additionally cautioned that the current government shutdown has severely undermined the agency’s ability to coordinate with private sector partners and other stakeholders.
On a more positive note, Robert Mayer, who serves as senior vice president of cybersecurity and innovation at USTelecom, praised what he described as a “notable jump” in the volume of intelligence briefings CISA has delivered to the private sector over the past two years.
“We’ve made real headway on that front,” Mayer said. “One area that needs greater focus is transmitting that intelligence to local and regional providers within the communications sector. There are hundreds of these companies, and receiving timely information is critical to their operations. That said, CISA has also done a stronger job releasing cybersecurity advisories at the unclassified level, and that has been extremely valuable.”
Montgomery highlighted that CISA’s partnerships with state and local governments have suffered due to a combination of factors: the termination of CIPAC, the withdrawal of federal funding for the Multi-State Information Sharing and Analysis Center, and Congress’s decision not to reauthorize the State and Local Cybersecurity Grant Program.
“When you stack those three setbacks together… there’s simply no way that small public utilities — which already have minimal cybersecurity budgets — can invest adequately to defend themselves against ransomware and nation-state cyber campaigns,” Montgomery said. “This means public health and safety at the most fundamental, most vulnerable levels remains dangerously exposed.”
Space and data centers
At the same time, numerous cybersecurity advocates continue pushing for an expansion beyond the 16 currently designated critical infrastructure sectors, with proposals emerging to separately classify both the space sector and data centers.
Over recent years, several House members have put forward bills that would instruct the Secretary of Homeland Security to formally designate space systems, services, and technology as a distinct critical infrastructure sector.
Sam Visner, who chairs the board of directors for the Space Information Sharing and Analysis Center, argued that the country must “acknowledge that space systems are integral to every dimension of our national defense, our economic stability, and the security of our critical infrastructure.”
Visner additionally referenced a Council on Foreign Relations study calling for a thorough assessment of space-related vulnerabilities and corrective action plans.
“DHS should certainly play a role in that effort. Despite the staffing reductions, there are individuals at DHS and CISA who have already worked extensively with the Space-ISAC and the broader space systems community, and who have demonstrated real dedication to the cause,” Visner said.
In parallel, as the artificial intelligence sector surges forward, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-Tenn.) observed that the existing U.S. policy landscape “lacks a clear, cohesive framework for data center security” — including which federal agency would bear primary responsibility for managing data center risks.
Data center security currently resides under the broader IT sector umbrella. However, Montgomery argued that the U.S. should create a standalone designation for data centers, following the model already adopted by the United Kingdom.
“There should be serious discussion about whether data centers and cloud infrastructure warrant classification as their own distinct national critical infrastructure sector,” Montgomery said. “There’s been momentum behind this idea in the past. It stalled out when it came to cloud. But now the broader category of data centers deserves the same consideration. We can all see the outsized and rapidly expanding role they are poised to play in America’s future — potentially as an independent national critical infrastructure sector encompassing data centers and cloud systems apart from the communications sector.”
© 2026 Federal News Network. All rights reserved.



