The budget proposal for fiscal year 2026 from President Donald Trump’s administration calls for cuts to the Cybersecurity and Infrastructure Security Agency (CISA) that reduce its workforce by nearly a third and its budget by as much as $495 million.
It scales back or eliminates major programs, ranging from regional operations to election security. At the same time, directives shift more cybersecurity responsibilities to states and local governments.
Congress has not yet passed a final funding bill, and the House Appropriations Committee’s proposed version preserves investments in core federal cybersecurity programs such as continuous diagnostics, mitigation, and zero trust architecture. But the uncertainty creates an operational strain on state governments. The goal of returning CISA to its original mission of protecting U.S. infrastructure is commendable. But taking away resources while shifting responsibility to the states creates new risks nationwide.
Varying Levels of Cyber Preparedness
The 50 states differ in their ability to defend against cyber threats. Wealthier states draw from larger talent pools, invest in stronger defenses, and offer pay and benefits packages comparable to the private sector. Other states struggle to find qualified security professionals to fill open positions.
Critical infrastructure isn’t always located where the cybersecurity talent is. A rural state’s power plant faces the same level of risk as one in a major city, yet often lacks the resources needed to guard against a sophisticated cyberattack.
A few states have tried creative approaches to attract talent, such as offering federal service credit. However, without the pay scales, training opportunities, and career paths that come with federal support, building a strong team is challenging.
Fragmentation is an Issue
Uneven readiness leaves some states more exposed. Limited cyber capacity can heighten the risk to election systems, particularly as federal funding for election security shrinks, and disputes over voting machine standards drag on. The same gaps threaten critical infrastructure, from water treatment facilities to the power grid.
Adversaries don’t need to breach the strongest defenses. All they have to do is look for the weakest link. That weakest link might be an underfunded state system tasked with protecting a national asset.
The impact of losing large numbers of experienced personnel extends beyond the need to replace headcount. You also lose what I call the “collective IQ,” or the institutional knowledge, informal networks, and muscle memory that allow an organization to respond quickly to incidents. Multiplying that loss across multiple agencies and states weakens our collective resilience.
Wasted Opportunities
The federal government and the states have an opportunity to stretch existing budgets by eliminating inefficiencies. I’ve seen agencies pay $340,000 a month for website updates that an in-house employee could complete for $10 an hour. Organizations lose millions of dollars to unused software licenses, often due to fragmented procurement systems.
Overlooked inefficiencies represent missed strategic opportunities. Savings from efficiency gains, sometimes worth hundreds of millions of dollars, shouldn’t vanish into a state’s general fund. Redirecting that money into cybersecurity can pay for skilled staff, modernized systems, and stronger digital infrastructure.
Consider this: Centralizing software procurement alone could save hundreds of millions of dollars nationwide. Redirecting even a portion of that toward cybersecurity could close critical gaps without raising taxes or cutting other essential services.
Zero Trust and Modernization Aren’t Optional
While Washington debates funding, the push for zero-trust architectures mandated during former President Joe Biden’s administration remains in effect. But uncertainty about future funding and staffing is slowing progress across many agencies.
Too often, organizations still focus almost exclusively on preventing breaches. Prevention is essential, but it’s not enough. Every defense has limits. The real question is: What happens after an attacker gets in?
To build true resilience, agencies must shift toward containment-first strategies. Techniques like segmentation can limit how far attackers can move inside a network and how much damage they can cause. Identity management, endpoint protection, and real-time visibility are all important, but without containment, a single compromised account or system can still trigger a crisis.
Rethinking Grants and Accountability
Federal and state grant programs remain an important funding source, although the current processes are too slow, complex, and rigid. While distributing funds equally to all states may seem fair, it ignores the reality that some states face far greater risks and require more support.
Grants should prioritize impact, not just geography, and allow flexibility for adopting new technologies that can make an immediate difference.
Finally, every program should have measurable, public metrics for success. Taxpayers deserve to know whether a program delivers results. If it’s not possible to measure a program’s effectiveness, it’s fair to ask whether it merits continued funding.
The Stakes and the Path Forward
What’s unfolding in Washington, D.C., carries national consequences. Shifting more cybersecurity responsibility to states without ensuring adequate resources and coordination is risky.
Cyber threats evolve fast, and states can’t afford to spend years building capacity. They need to hire skilled people, implement containment-first strategies, and modernize defenses immediately.
But they can’t do it alone. Federal leaders must stay engaged, not just as funders, but also as strategic partners who help coordinate efforts, direct resources to the areas of greatest risk, and set short-term goals that lead to measurable progress.
Our adversaries aren’t waiting, and neither should we.
