States, CISA Face a Tough Cyber Environment
In the era of adversarial artificial intelligence (AI) cyber attacks, states and the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) face a difficult environment with workforce skills gaps, reduced personnel and budgetary concerns.
A recent study from the National Association of State Chief Information Officers (NASCIO) and Deloitte found that state chief information security officers (CISOs) are navigating more intense threats and the proliferation of AI.
“State CISOs are protecting public data systems at a time when cyber threats are growing in sophistication, as foreign adversaries, sophisticated hackers, and cybercriminals are increasingly using new AI-based tools to probe for weaknesses,” noted the report entitled the 2026 NASCIO-Deloitte Cybersecurity Study.
The organizations have prepared the biennial study since 2010.
“Compared with recent survey cycles, CISOs tell us that their funding shortfalls are growing more dire, while continuing to face challenges around maintaining a cyber workforce with the needed skills,” the report stated.
State CISO confidence in protecting state information and data assets dropped by more than half in four years. As challenges, CISOs cited legacy infrastructure, increasing sophistication of threats and insufficient funding for cybersecurity. And none of the state CISOs indicated that they were “very confident” in the cybersecurity practices of local governments.
In addition, in only one in five states do CISOs believe their cyber workforce has the skills to meet the threats that they are facing, a significant drop from just two years ago.
Some states, such as California, Florida, Tennessee and New York, are taking measures to educate their workforces and the next generation of students about cybersecurity, according to recent testimony before Congress. Cyber experts testified during a May 21 House Subcommittee on Cybersecurity and Infrastructure Protection hearing, led by Chairman Andy Ogles, R-Tennessee.
For example, one of the newest California community colleges, Calbright College, is offering a cybersecurity program with free tuition and paid certification test fees. Rep. Vince Fong, R-Bakersfield, is also working with the Cerro Coso Community College in his Central Valley district to increase cyber workforce education, Fong stated at the hearing.
He helped secure $1.1 million in federal funding for expansion of the community college’s cybersecurity training and education, along with approval for a cybersecurity baccalaureate degree, according to a press release from his office.
The community is in proximity to Naval Air Weapons Station China Lake, Edwards Air Force Base and other regional defense and public sector entities.
Meanwhile, the state of Florida spends about $35 million a year for public employees in a cyber education workforce development program, explained Warren Sponholtz, chief information officer for the state of Florida.
The program provides certifications, training, tabletop exercises and “lots of different cybersecurity-related education,” Sponholtz stated.
“It is across the board, and we have had a lot of great participation in that,” he said. “It has been effective to be able to upskill the workforce around the state, to have us better prepared.”
In New York, several community colleges have added cyber clinics to their programs, according to testimony from Colin Ahern, director of Security and Intelligence for New York State.
“We have a deep and longstanding relationship with our community colleges and we have numerous cyber clinics across the state, including several that are part of the National Security Agency Cyber Clinics program, which is fantastic,” Ahern stated.
In addition, Utica University, outside of Rome, New York, just unveiled a cyber range for students and organizations. “At the associate’s, bachelor’s and the graduate levels, students and community members can participate in real-life cyber exercises, but in a safe and controlled environment,” he noted.
The education curriculum in New York State, for K-12 students, also includes cybersecurity education.
“Through our partners in the legislature and our state education department, we have a K-12 computer science for all curriculum, which includes cyber bullying, social media awareness, banking online and cybersecurity best practices,” he shared. “I have two kids in public school, and to hear my daughter ask me if my Gmail had multifactor authentication warmed my heart.”
Meanwhile, Tennessee is taking a multiprong approach to cyber education, noted Kristin Darby, chief information officer for the state of Tennessee.
“With the AI Council that the state has, we have set up two different subcommittees this year,” she noted. “One focused specifically on education, which is for both K-12 and higher education, and part of that focus is not only cybersecurity but also AI education and the convergence of both.”
That effort is focusing on bringing practical, applied learning solutions to individuals and leveraging vocational schools across the state.
“We are also focusing on workforce development, and how we start to proactively develop programs around particular job areas that we expect may have disruption,” Darby noted. “How do we upskill and transition employees and workforces to be readied for the future, and the expectations of those roles? There are working groups focusing on that.”
A grant program for innovation schools is also working to train students in AI, cyber and networks.
“We have a high school in Williamson County that is actually opening in August, and I think is well-positioned to be a national landmark of vocational schools,” she said. “One of the areas of focus is AI and cybersecurity. Through dual enrollment with Tennessee universities, students will graduate from high school with certifications where they are employable at the day of graduation.”
The Department of Energy’s Oak Ridge National Lab in Tennessee also has a strong partnership with the state. “They also serve on the AI Council and are active participants in many of the programs that I just mentioned,” she said.
However, the main issue for the states is that CISA, the federal organization they have turned to for the last two decades, has undergone downsizing, restructuring and budget cuts.
States rely heavily on the Multi-State Information Sharing and Analysis Center, which CISA funded from 2004 until recently, in collaboration with the Center for Internet Security, the state cyber experts testified.
The Multi-State Information Sharing and Analysis Center served as the central cybersecurity resource for the nation’s state, local, territorial and tribal governments, aiding government agencies, law enforcement, educational institutions, public utilities and transportation authorities, according to CISA’s website. The center had been providing cyber threat and response information, cybersecurity best practices, information sharing and incident response.
Also, the states leverage CISA’s State and Local Cybersecurity Grant Program (SLCGP) to add key protections.
In Florida, for instance, the federal program is managed through the Florida Division of Emergency Management and cybersecurity subject-matter expertise from the Florida Digital Service, Sponholtz explained.
Their current focus areas for the SLCGP are law enforcement and critical infrastructure, areas that fall outside the standardized technology bundles provided through the state’s program.
“One proposed water treatment project would make a high-service pump remote input/output system independent from its main controller, helping the process continue operating during a controller failure or cyber incident,” he reported. “Another project would modernize a city’s water and wastewater telemetry system by replacing outdated radio units at a master control site and 35 remote lift stations with more secure and redundant communications. A rural sheriff’s office proposed securing mobile data terminals used by deputies to access dispatch, records, and license plate reader systems in the field.”
Trump’s proposed fiscal year 2027 budget, which was released in April, includes another round of significant cuts to CISA—and specifically targets the SLCGP.
The House passed the FY26 budget on April 30, funding CISA at $2.6 billion, a cut of about $400 million from its $3.01 billion FY 2025 budget.
For the FY 2027 presidential budget request, the proposed cuts to CISA go deeper, subtracting $385 million more. Another 766 staff roles are also proposed for elimination, in addition to the 1,000 positions cut since 2025, essentially cutting the agency’s workforce by one-third.
The FY 2027 proposed changes to a further-weakened agency seem inexplicable, given the advancing risks to U.S. public infrastructure, the state cyber experts told Congress.
“It is a strategic failure that our primary federal partners and resources are being sidelined as threats escalate,” Ahern said. “From the imminent expiration of the SLCGP, the shrinking of CISA and the lack of a Senate-confirmed CISA director, to the cancellation of funding for the Multi-State Information Sharing and Analysis Center, tools designed to keep our communities safe are being dismantled.”
CISA’s second acting director this year, Nick Andersen, expressed appreciation for the remaining personnel at the agency, telling reporters during a May 5 call that they exemplify the best of public service.
“The employees here at CISA remain unwavering in their mission to strengthening federal network defense, empowering businesses and fortifying critical infrastructure, nationwide,” the acting director said. “This has been an exceptionally trying time for those that rely on CISA to perform our mission, and it has also been an exceptionally trying time for our employees, who have been personally impacted.”
In addition, he announced that the agency was adding back 329 positions from the first round of cuts. “Our current staffing plan allows for the increase of an additional 329 positions,” Andersen said. “Our DHS leadership, including Secretary [Markwayne] Mullin, had provided support for moving forward as an initial tranche of additional hiring. And I think that is really an indication of his continued support for this significant part of the DHS mission that CISA provides.”
Andersen clarified that CISA still has its regional and field offices across 10 areas aligned with Federal Emergency Management Agency regions that contain regional and deputy directors, cybersecurity and proactive security advisers, and emergency communications coordinators. Some of the 329 personnel additions will repopulate some of those locations.
“Where we have any vacancies, those regional offices are high on that priority list for that initial 329 position hiring plan,” he stated.
The agency is pursuing a new program called Critical Infrastructure (CI) Fortify. The program is aimed at providing guidance to public utilities, telecommunications, operational technology systems and other critical infrastructure, to help them prepare for and continue to operate during an attack or crisis, Andersen said. The policy directs the stakeholders to invest in so-called isolation and recovery capabilities.
“This initiative focuses on ensuring continued delivery of essential services during periods of cyber duress, as well as minimizing impact and accelerating recovering from a significant cyber attack,” he noted.
And, as part of the effort, CISA will conduct an initial series of “targeted assessments” under a pilot program that prioritizes military-related critical infrastructure—before public infrastructure.
CI Fortify does not include any specific measures for election security, even for the upcoming midterms. However, Andersen indicated that CISA considers election security a critical infrastructure. State and local governments can access the agency’s existing election security resources, Andersen said.
CISA, under previous administrations, had made election security a priority—given the cyber threats and information warfare targeting U.S. elections from Russia, North Korea and Iran—and worked closely with state and local authorities.
The proposed FY 2027 budget further calls for the elimination of CISA’s election security program and the discontinuation of the Elections Infrastructure Information Sharing and Analysis Center.