How Shrinking Federal Cyber Support Leaves U.S. Businesses Exposed
Key Highlights
- Federal cyber retrenchment is pushing more incident response responsibility onto enterprises, with fewer coordination and intelligence backstops.
- Reduced information sharing and response capacity are increasing risk, particularly for midmarket organizations and state and local governments.
- Security leaders can no longer assume federal agencies will step in during a major incident and must plan accordingly.
As the Cybersecurity and Infrastructure Security Agency’s role contracts and federal cyber priorities shift, private-sector organizations are increasingly finding themselves on the front lines of cyber defense. The retrenchment of federal resources is changing how incidents are detected, investigated and contained, while raising serious concerns about intelligence sharing, coordination and systemic risk.
To examine the implications of these changes, we spoke with Aaron Warner, CEO of ProCircular and a cybersecurity executive with more than two decades of experience in information security and technology operations. Warner has led digital forensics and incident response efforts, served in senior IT and security leadership roles, and worked closely with federal agencies and industry partners on threat intelligence and cyber resilience initiatives.
In the following Q&A, Warner discusses how reduced CISA coordination is affecting enterprise incident response, what responsibilities are shifting more heavily to organizations themselves, and why security leaders can no longer assume federal agencies will be positioned to step in during a major cyber event. The conversation focuses on industry trends and the practical implications for CISOs, boards and risk leaders navigating a more fragmented cyber defense landscape.
How is the contraction of CISA’s operational capacity changing the day-to-day realities of private-sector digital forensics and incident response, particularly in terms of response speed, coordination and investigative depth?
The political environment directly affects cybersecurity, and right now the federal apparatus meant to protect private industry is either gone or so overwhelmed that it’s effectively nonfunctional.
CISA has “gone off the grid” in many states. Officials report: “If all your CISA folks leave in your state, who are you supposed to call? … Nobody’s communicating that.”
CISA staffing dropped from roughly 3,700 employees at the start of 2025 to an estimated 2,600 by late 2025. The National Risk Management Center lost $70 million and 35 positions.
Insiders report they’re just trying to survive each day, with most saying they’re doing little to no good.
ProCircular has historically worked closely with the FBI when handling incidents for clients. Now we are hearing from inside the FBI that many special agents with cyber specialties have been reassigned to other agency priorities. Those who remain working in cyber face unmanageably large queues of attacks to investigate and process. Many others in the cybersecurity industry report that these resources are increasingly difficult to reach precisely when they are needed most — during active breach response.
Regional CISA advisers and points of contact have disappeared, leaving organizations without rapid response resources when incidents occur.
You’ve suggested that private firms are increasingly becoming the “frontline defenders” for enterprise cyber incidents. What systemic risks does that shift introduce, both for individual organizations and for the broader cybersecurity ecosystem?
Protecting private industry isn’t in any of those agencies’ charters. For example, the NSA’s mission explicitly forbids it from operating domestically without a foreign nexus. That leaves private industry unprotected by anyone other than private cybersecurity firms.
Midmarket-focused cybersecurity and regulatory experts will likely shoulder much of the burden in defending private industry — especially small businesses and state and local governments — over the next several years.
Even where private cybersecurity succeeds, it doesn’t operate in a vacuum. Cyber firms need the FBI, National Guard, CISA and public-private partnerships like InfraGard to share the intelligence required to stay ahead of threat actors. Good cybersecurity isn’t about any one solution — it’s about layers of security, and removing the outermost layer leaves the private industry less secure and puts the economy more at risk.
Midmarket-focused security providers often serve organizations that have the budget and awareness to address growing cyber threats. But private firms with expensive technical talent and complex tooling cannot always afford to protect the segment that needs it most: small businesses. They simply can’t afford what’s required, and without federal support, they’re on their own.
Without adequate FBI cyber capacity, each organization fights alone, and attackers benefit from the lack of coordinated response.
While, in 2026, it may not be entirely relevant, none of what we’ve described above actually captures or convicts the threat actor. It’s not a part of cybersecurity that’s available to almost any player other than the FBI, even then sparingly. That said, it’s worth reminding ourselves that, compared to any other example of fraud (auto theft, violent crime, bank theft), there is often an opportunity to arrest and convict the criminal. The FBI may play that role in this equation, but sparingly and not often successfully with international threat actors.
Intelligence sharing under strain
Threat intelligence sharing has long been a cornerstone of effective cyber defense. How does reduced federal coordination affect intelligence visibility for DFIR teams, particularly when responding to ransomware campaigns or supply-chain attacks?
The public-private partnership that underpins effective cyber defense has fractured. As one industry leader described: “The partnership is in suspended animation. The partnership, at the end of last year, had reached a level of maturity that was promising, and now that’s all been pulled back.”
The Cybersecurity Information Sharing Act of 2015 gave companies liability protection for sharing cyber threat indicators with the federal government, FOIA exemptions for shared data, and antitrust safe harbors for private-sector threat intelligence exchange. The Act expired on October 1, 2025. It was not renewed until November 12, 2025, through a continuing resolution, leaving a six-week gap with no legal protections for information sharing.
The MS-ISAC transitioned to a paid membership model on October 1, 2025, ending 21 years of free federal funding ($48.5 million annually). As a result, two-thirds of member organizations are expected to leave.
The Cyber Safety Review Board (CSRB) was disbanded on President Trump’s first day in office, January 20, 2025. The board was in the middle of an investigation into the Salt Typhoon hacks — the massive Chinese breach of U.S. telecom companies — when it was dissolved.
Without shared threat indicators, security teams detect intrusions later, leading to increased data loss, longer dwell times and higher recovery costs.
This matters because FBI involvement gives clues to how an organization should handle a breach. When the FBI can identify a threat actor’s infrastructure, tactics, and targets, that information informs our approach to the situation.
As the federal cyber footprint shrinks, what responsibilities now fall more heavily on enterprises, and how should security leaders rethink preparedness, incident response planning and third-party relationships?
Security programs must be built on measuring risk from people, technology and processes. Organizations that rely solely on regulatory compliance are often “certified” as safe, but they frequently overlook the most current threats. It makes sense; regulations take years to develop, and new malware and threats appear each day. Organizations that base their security posture solely on current regulations will find themselves vulnerable when those regulations change — while the threats they were designed to address remain constant.
Good cybersecurity is about layers of defense. The outermost federal layer has been systematically removed. Organizations must strengthen their remaining defenses accordingly — and advocate for restoring the national cyber defense infrastructure that protects us all.
These risks heighten the priority for leaders to pursue both private and joint defensive measures against current threat actors and the most up-to-date cyber risks. This will include all levels of an organization, from the Board of Directors to the line-level employees.
Security gaps by company size
Do you see meaningful differences in how large enterprises versus mid-market organizations are affected by reduced federal cyber coordination? Where are smaller organizations most vulnerable in this new dynamic?
Organizations that can’t afford commercial threat intelligence offerings — predominantly small businesses and local governments — are now left without any viable alternative. Smaller jurisdictions often don’t even have IT staff, let alone cybersecurity expertise. A single breach can be business-threatening for mid-market organizations.
The average reported cost of a data breach in the U.S. has reached $10 million in 2025, more than double the global average. While this is skewed by some of the largest breaches of the “Target” variety, tens of thousands go unreported. It makes sense; often small companies don’t report their worst days.
The NSF CyberCorps Scholarship for Service program faces a 65% funding cut, from $63 million to $21.71 million, resulting in over 250 scholars losing government job offers. These reductions further limit the available talent pool, increasing competition and costs, especially for organizations outside major metropolitan areas.
The situation is particularly dire for communities near state-sponsor targets, such as military bases or power plants. As one cybersecurity researcher wrote: “Frankly, nation-states are targeting these organizations, and it seems unfair to put a town of 10,000, possibly near a military base, in a position to counter espionage on their own.”
Larger organizations, particularly those in the Fortune 500, are reasonably insulated from many common risks due to their budgets. They’re able to employ and contract larger security programs with a broader reach, and as such can focus on more specific threats.
Rethinking public-private coordination
Looking ahead, what models or mechanisms could help restore effective public-private collaboration without relying on the federal government to play the same operational role it once did, and are any promising approaches emerging today?
State, local and industry-led initiatives could partially fill these gaps. Some state governments have established their own cybersecurity task forces to provide guidance and support to local businesses. These patchwork solutions cannot replace the coordinated national defense achieved when private industry, federal, and state resources collaborate to achieve a common goal.
If current trends continue, how do you expect the role of DFIR firms to evolve over the next few years — and what should boards and executive leadership understand about that evolution now?
As federal support recedes, DFIR firms are increasingly expected to lead the fight against those attacking private industry, particularly small businesses and state and local governments, for at least the next three years.
Decreased federal support leaves private companies, particularly small businesses, and state and local governments more exposed to cyberattacks, widens gaps in critical cybersecurity intelligence, and creates a heavier reliance on private firms that may not have the resources to fully protect small businesses and state and local governments.
Organizations using AI-powered security defenses saved $1.9 million per breach on average.
For enterprise security leaders who may still view these shifts as gradual or theoretical, what risks do you believe are being underestimated today, and what actions should they be prioritizing now rather than deferring?
If your organization gets hit, expect longer response times, less threat intelligence, and no cavalry. The feds are busy elsewhere.
The private sector owns or operates most of our nation’s critical infrastructure, and 70 percent of cyberattacks in 2024, from both nation-state and organized criminal actors, targeted this infrastructure.
PRC-backed cyber actors continue to probe and infiltrate U.S. critical infrastructure, including networks that support the water, energy, and telecommunications sectors. These intrusions established persistent access and pre-positioning capabilities that could be leveraged to disable critical services in the event of a war or a more regional conflict, such as a conflict over Taiwan. These aren’t hypothetical; they’re examples of the PRC assigning valuable cyber resources to attack well-considered targets.
Organizations will need to document and prioritize risk more rigorously and ensure resources are allocated accordingly.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.


