The expiration of CISA 2015, reduced military cybersecurity training mandates, and the reassignment of CISA staff signal a broader deprioritization of cybersecurity in the US.
The current government shutdown, which began on October 1st, 2025, has caused a cascade of effects, with many ‘non-essential’ federal employees furloughed. These consequences are only likely to worsen unless Congress reaches a deal soon. Airports may lose key personnel who stay home in response to missed paychecks, passport renewals may be delayed, new parents relying on WIC (the Special Supplemental Nutrition Program for Women, Infants, and Children) may have a harder time buying groceries, reports on labor and inflation have been delayed, and National Parks will likely have to reduce staffing. On top of this, President Trump has threatened mass firings in federal agencies as part of the shutdown, along with withholding back pay for “some” workers.
Beyond these issues that are immediately affecting Americans, the shutdown also means a major shift in focus for Congress, which will now prioritize ending the shutdown over any other legislation. That prioritization is sensible, but it can also have serious consequences for the laws undergirding the nation’s security. The Cybersecurity Information Sharing Act is one such law: it was central to the national cybersecurity posture until it expired on September 30th, 2025.
The Cybersecurity Information Sharing Act (CISA 2015) was passed in 2015 and provided guidelines and legal protection against liability (including antitrust liability) for sharing cyber threat information between private entities and the federal government. The act was authorized for 10 years, and lawmakers could have extended it for months, years, or indefinitely. Now that CISA 2015 has lapsed, the private sector will likely hesitate to share critical information about cyber threats with the government because of the risk of legal consequences. The channels for sharing have not disappeared; what has lapsed is the statutory safe harbor that made using them legally safe, so companies that keep sharing now do so at their own risk. This is particularly concerning given that the private sector owns nearly 85% of the nation’s critical infrastructure and key resources: “systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety”.
The US’s cyber posture has already been weakened by attacks from state-sponsored threat actors and by administrative problems that came with the transition to the new administration. In the last month alone, the House Select Committee on China disclosed that suspected Chinese cyber-attackers impersonated its chairman in order to gain access to the systems of groups and individuals involved in trade policy and diplomacy. Two weeks later, the US Secret Service dismantled a network of tens of thousands of co-located cellular devices capable of disrupting cellular service in New York City, the nation’s most populous city. The devices carried communications with “nation-state threat actors and individuals that are known to federal law enforcement”, suggesting that actors like those behind the Salt Typhoon and Volt Typhoon intrusions may be targeting the US again.
The nation’s top cyber agency, the Cybersecurity and Infrastructure Security Agency (CISA), has also been hampered by a lack of permanent leadership and by the widespread government cuts championed by Trump and the Department of Government Efficiency (DOGE). Sean Plankey was nominated to be Director of CISA in March 2025, but as the year draws to a close he still has not been confirmed, because Oregon Senator Ron Wyden (D) is blocking the nomination (partly over the historic Salt Typhoon hack). CISA’s Joint Cyber Defense Collaborative (JCDC), along with the cybersecurity offices in the Office of the Director of National Intelligence (ODNI) and the Federal Emergency Management Agency (FEMA), have also suffered significant staff cuts.
Senators Gary Peters (D-Mich.) and Mike Rounds (R-S.D.) both described the expiration of CISA 2015 as a serious blow to cyber defense, with Peters saying: “Every hour we delay is an open invitation to cybercriminals and hostile actors to attack our economy and our critical infrastructure”. Rounds referenced the recent cyber attacks when he said the expiration “will dry up the sharing of information at a time in which we don’t need our adversaries to have another opportunity to mess with our cyber systems.”
Unfortunately, CISA 2015 is not the only cybersecurity protection the US is losing. As part of a series of memos released on September 20th, Secretary of War Pete Hegseth (the position was titled Secretary of Defense before the Department was renamed) announced that “Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated.”
The memo makes clear that cybersecurity and information security are not considered closely related to warfighting, or at least not closely enough to keep their training mandates. Hegseth (who has made headlines for two cases of mishandling sensitive information) now directs the War Department’s Chief Information Officer to limit Records Management training, reduce the frequency of Cybersecurity training, and eliminate training requirements for information management systems. Training on Controlled Unclassified Information (CUI) will also be reduced, while Privacy Act training will be cut from the Common Military Training list. The cut to cybersecurity training is worth reading alongside the impersonation campaign against the House Select Committee on China described above: social engineering of that kind is exactly what such training is meant to help personnel recognize.
The decision has been met with skepticism and concern for national cybersecurity. Tom Kellermann, Hitrust’s VP of cyber risk, denounced the action: “Training is essential when defending the US in an ever changing cyberthreat environment. This directive undermines our national security.” Bruce Jenkins, Black Duck’s chief information security officer (and a former systems security director in the Air Force), said the change “may be an invitation to increased risk that will be felt months and years after the new policy becomes effective. It also will not help us ‘win wars’.”
In the Department of Homeland Security (DHS), a comparable story is unfolding. As at other DHS components, employees at CISA and FEMA received ‘management-directed reassignments’ moving hundreds of personnel to other parts of DHS, namely Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), and the Federal Protective Service (FPS). In at least one case, a reassignment notice gave the employee one week to choose between a long-distance reassignment and termination.
CISA, which has already lost a sizable portion of its workforce, will likely be limited even further by these reassignments. Several technology leaders fear that shrinking CISA this way will end in disaster. Devroop Dhar, MD and co-founder of Primus Partners, predicted more cyber threats to come: “CISA runs on specialized knowledge. These are analysts who understand federal networks, toolsets, and long-running threat patterns. Once these people are reassigned, a lot of system and institutional strength is lost, and threat intel slows down. Vulnerability scans may also pile up. Coordination with agencies may take a much longer time. You might not notice it immediately, but in quick time the gaps start to show, like slower responses, more threats slipping through.”
Sanchit Vir Gogia, CEO and chief analyst at Greyhound Research, anticipates a more immediate effect: “Periods of disruption in national cybersecurity are closely watched abroad. Adversarial groups, be it criminal or state-backed, have learned to map the US administrative cycles almost as carefully as they map networks. When they sense distraction or depleted capacity, reconnaissance typically increases. That pattern has repeated across past shutdowns and is likely recurring now.”
Between the expiration of CISA 2015, the reduction of cybersecurity training in the military, and the shrinking cyber workforce at DHS, the first few days of this October look like a grim start to Cybersecurity Awareness Month. Still, some organizations, like Halcyon and CrowdStrike, say they will continue to support national cybersecurity by sharing critical threat information as they have before. Hopefully, other prominent private-sector cybersecurity players, like Google and Microsoft, will also commit to open communication about cyber threats at a time when cybersecurity seems to be less and less of a federal priority.