TL;DR
- Federal pullback is real: CISA faces a proposed $495M cut and the loss of ~1,000 roles; MS-ISAC lost $10M; sector agencies trimmed; CIPAC dissolved.
- Expect less intel sharing and coordination, more fragmentation of standards, and slower joint response.
- Highest risk: critical infrastructure and small public orgs (schools, municipalities) that relied on federal support.
- Private sector must go self-reliant: build internal detection/response, harden identity, segment networks, and formalize incident playbooks.
- Double down on supply-chain security and third-party risk; assume attackers will pivot through weaker partners.
- Measure resilience, not box-checking: time-to-detect, time-to-contain, report rates, and tabletop outcomes.
- Near-term moves: join private ISAC/ISAO equivalents, run executive wire-fraud drills, tighten backups/MFA, upskill teams with targeted training.
The cybersecurity landscape is undergoing a drastic change.
Long a stalwart partner in security initiatives, as well as a valuable source of threat monitoring and intelligence, the federal government is currently in the midst of a significant reduction in its cyber responsibilities. These cuts are taking place at every level:
- In its proposed budget for FY 2026, CISA will lose $495 million and eliminate roughly 1,000 positions — about one-third of its entire workforce.
- Last year, $10 million was cut from the Multi-State Information Sharing and Analysis Center (MS-ISAC), a critical information sharing program many states relied on.
- Multiple cuts have taken place or are being planned across sector-specific agencies, such as the unit that handles healthcare security at the Department of Health and Human Services.
This loss of federal cybersecurity support marks a dramatic shift that is already reverberating across public-sector entities in state and local governments. But in the private sector, many cybersecurity organizations have yet to feel the effects. In fact, a good number may not even be aware of the extent of the government’s pullback from its previous cybersecurity efforts.
But this likely won’t last for long. The fallout from these cuts will soon be felt throughout the industry. What’s more, the shift that will happen may even spell a new age for how we think of cybersecurity. Here’s what this means.
How the cybersecurity landscape has changed
The origins of federal cyber initiatives can be traced as far back as the founding of the National Institute of Standards and Technology (NIST) in 1972. Called the National Bureau of Standards (NBS) at the time, NIST came to define cybersecurity guidance for both public and private groups for decades. It also began what eventually became a robust collaborative relationship between the government and private industry to develop more effective defenses against a range of threats. This relationship involved hundreds of millions of dollars in shared investments, constant and bidirectional information sharing, and the development of technology, such as public-key cryptography, that is now used across industries.
As the need for cybersecurity has grown in the past decade, so has the government’s involvement. Recent achievements include the Small Business Cybersecurity Act, the Cybersecurity Framework, and the formation of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018. Despite its relative youth, CISA has played a particularly influential role in cybersecurity. Its notable accomplishments include the strengthening of federal government standards and networks following the SolarWinds attack in 2021, the establishment of the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) programs, and strategic coordination between public and private partners in order to protect critical infrastructure.
However, the recent cuts in federal cybersecurity funding are not only reducing its footprint, but entirely rearranging the public-private cybersecurity relationship. For instance, the proposed $495 million removal of funds from CISA’s budget would largely fall on programs that help outside organizations, such as its Stakeholder Engagement Division and National Risk Management Center. Moreover, the elimination of the Critical Infrastructure Partnership Advisory Council (CIPAC) in March 2025 sharply curtails the open sharing of important cyber intel. This has put a pause on a number of joint government-industry projects, such as research into AI-powered threat intelligence.
But even more significant may be the resulting loss of trust that these cuts engender. With funding suddenly pulled and previous legal safeguards preventing the disclosure of shared information now in flux, companies will likely be much less willing to share valuable information. This breakdown spells a potential cultural shift away from a collective mindset of cybersecurity protection and into one that instead encourages each company and organization to operate independently.
The impact on the nation, businesses, and industries
Now that these cuts are underway, where can we expect to see their impact most significantly? Let’s consider some of the most prominent potential effects across both public and private entities.
1. There will be downstream consequences to reduced intelligence sharing
With less information flowing from the government to businesses and vice versa, the ability of both public and private organizations to plan and prepare for major threats will become more limited. “Previously, from a security perspective, the view was that our nation’s businesses and core infrastructure were treated as one,” said Chris Murphy, SVP of Sales at Cybrary. “But the recent budget cuts will cause that mission to shrink.”
What will be the result? One consequence will be a lack of continued support for many of the common tools and guidance that businesses rely on, such as the NICE framework. In turn, this will lead to increased fragmentation as organizations begin following their own sets of preferred rules and regulations. “Private companies are going to take over,” said Jeremy Gehring, Cybrary’s CEO. “They’ll decide which rules they like better, regardless of what other companies are doing.”
As private companies limit the intelligence they share, the government will also be at a disadvantage when it comes to identifying and helping to mitigate large-scale threats. Just as private businesses won’t have as much guidance from the government, the state will have a much reduced understanding of what various industries need. The effects of this may make both private companies and the U.S. government more attractive targets for potential cyberattacks.
2. Critical infrastructure will face an increased risk of threats
Worth a particular mention are the vulnerabilities that federal cuts to cybersecurity will create across agencies and organizations in charge of essential services. These entities — whether they run hospital and healthcare services, public utilities like water or energy, or local municipalities — typically must rely on outside support for their cybersecurity needs, despite their obvious appeal as targets. Nevertheless, the federal cybersecurity cuts have already started to be felt by these groups as key cyber liaison positions are left vacant and cyber coordination meetings are canceled.
“It’s really unsettling to think about,” said Nick Misner, Cybrary’s COO. “In theory, you could have a private threat actor group locking down a water system or some other public utility. Without the right support in place, we could be leaving open backdoors for malware to get into our critical infrastructure. It will be far more likely to happen.”
While we’re fortunate that this hasn’t resulted in a major nationwide crisis yet, there is no shortage of recent examples that highlight this threat. In February, a “sophisticated cyberattack” shut down the computer systems of the Virginia Attorney General, while in December of 2024, hackers installed ransomware in Rhode Island’s state computer systems. As a result, many critical infrastructure leaders across government and private organizations are becoming worried about the increased possibility of attacks. But, like businesses, they can no longer rely on a coordinated effort and are instead looking to go it alone.
3. Small public organizations will be hit the hardest
Alongside critical infrastructure, smaller public organizations that largely lack their own cyber defense capabilities will be left to fend for themselves. For instance, although the public school system handles a trove of sensitive student information, it has relied on support from the federal government (in the form of funding and expert guidance) to detect and prevent malware, defend against ransomware attacks, and use other tools to bolster its cybersecurity. However, with millions now cut from the MS-ISAC budget, these resources are now in jeopardy.
State, local, tribal, and territorial governments all find themselves in the same predicament. But unlike larger organizations, they don’t have alternative plans to fall back on. “They don’t have the money for cyber defense technologies,” said Murphy. “And in many cases, they are very distributed, which just adds to the challenge. There are around 1,200 school districts in Texas alone, and only a small percentage of them get dedicated cyber support. The rest are on their own. Many of them don’t even have email security.”
And while many businesses may not think of this as a direct threat to their security, the fact is that any vulnerability anywhere can increase your risk. “For many threat actors, the best thing you can do is infiltrate a small organization, then wait,” said Murphy. “Once they get a contract with another company, it’ll be possible to move up the supply chain and get into more critical infrastructure as they move laterally. So there are definitely implications, but they may look different than you would think.”
Businesses must prepare for this new era
As the consequences of these cuts continue to roll out, it is becoming ever more apparent just how much cybersecurity practices within the US are set to change. Rather than the collaboration and open sharing that marked the past decade, this new era will be characterized by an increasing need for organizations to be self-reliant and focused on their own needs. This means there will be a need for more investments in in-house security and staffing, a more concerted push toward comprehensive upskilling and training, and thorough contingency planning in case of attacks.
That said, many businesses out there have yet to start adapting to these changes. Perhaps they’re waiting to see where the chips fall, or maybe it’s still too early for them to feel the impact these cuts will have on them. But among experts across industries, both private and public, there is an increasing consensus that even if organizations aren’t readying themselves for this era, the threat actors are.
“The bad guys may already be in your system,” said Misner. “You might not know it yet, but they may be in there already. And they’re waiting.”
Ready to start preparing your organization for this new era of cybersecurity? Cybrary can help you stay ahead. Learn about the most critical security risks your web applications face in our OWASP Top 10 course, work through realistic attack scenarios in our Threat Actor Campaigns collection, or get hands-on training for the latest vulnerabilities and exploits in our CVE Series.





