
August 27, 2025 • 11 min read
It’s time to ‘Marie Kondo’ the CISA

Hadas Cassorla
There has been a lot in the news lately about the Cybersecurity and Infrastructure Security Agency (CISA). The agency is facing deep budget cuts—over $500 million proposed in the FY2026 budget—with more than 1,000 positions on the chopping block. Some lawmakers call it irresponsible. Others call it overdue.
This blog offers a critical look at whether CISA continues to deliver meaningful value. It outlines what a national cybersecurity coordination solution should accomplish and then evaluates whether CISA—after years of budget increases and mission sprawl—is delivering on that mandate.
Recent events make this question urgent: the FY2026 federal budget proposes slashing CISA’s funding by $495 million—roughly 17%—and eliminating over 1,000 staff positions. Lawmakers are split. Some see these cuts as overdue and justified. Others warn they could disrupt coordination with states and undercut national cyber readiness. Meanwhile, state officials have begun rethinking their own dependencies, citing concerns that federal support may simply not show up when needed.
Given that reality, I conclude that a scaled-down version of CISA focused exclusively on inter-agency coordination, federal protection, and crisis response is the most effective use of taxpayer funds. This model should be accompanied by a defined scope, measurable benchmarks, and sunset clauses to avoid unchecked expansion.
The proposed budget cuts are not reckless—they are long overdue. What remains is deciding whether to preserve a focused core or let inertia drag us deeper into costly inefficiency.
1. The Problem We Intended to Solve
Cyber threats are real. But do we need a massive federal agency trying to solve everything for everyone? The U.S. needs coordination and fast incident response, especially for federal networks and critical infrastructure. But much of what’s currently done under the CISA banner (public awareness campaigns, regional offices, and redundant toolsets) drifts far from these core goals.
1.1 Must-Haves for Any Viable Solution
To be worth the investment, any solution must:
- Support and secure federal civilian networks.
- Provide clear alerts and guidance during major cyber events.
- Coordinate with critical sectors where market failure exists.
- Share threat intel in a timely and actionable format.
1.2 Nice-to-Haves (That Should Be Cut)
These sound good in theory, but rarely justify the cost:
- National awareness campaigns.
- Public-private engagement with unclear outcomes.
- “Cyber hygiene” assessments offered to anyone who asks.
- Tools and services already available through the private sector.
1.3 Red Flags
What we've seen over the past seven years includes all the hallmarks of a program drifting from its mandate:
- Expanding far beyond the original scope.
- Delivering vague, unmeasured outcomes.
- Duplicating roles already filled by other agencies or the private sector.
- Straying into controversial territory like content moderation.
- Losing stakeholder trust due to political bias and unclear accountability.
2. Evaluating the Current Model
CISA has been effective at a few key things: issuing coordinated guidance during crises, sharing some threat intel, and helping federal agencies align their cybersecurity posture. These are useful—but limited—functions.
- Information sharing has improved, but mostly between federal actors.
- Incident coordination exists, but responsiveness is still uneven.
- Communication channels have been formalized, though not always effective.
Let’s be clear: these are not reasons to maintain a $3B+ operation, especially not one that’s already shrinking. A third of the workforce, around 1,000 employees, has already left through buyouts or voluntary exits. The FY2026 budget proposes cutting CISA staff from about 3,732 to 2,649 and stripping away $495 million from its budget. These cuts hit core teams: $216M and 204 roles from the cybersecurity division; a 62% drop in stakeholder engagement funding, eliminating 127 jobs; and a 73% cut to national risk management, eliminating another 70 roles. These aren’t theoretical trims. They’re already happening.
2.1 Where It’s Bloated
CISA has been slow to adapt to AI and cloud-native environments. Many of its programs are unmeasured, underused, or redundant. Worse, some actions, like social media coordination, have overstepped the scope and mission of the agency under the auspices of cybersecurity. This has led many to question the value of the agency altogether instead of focusing on the net benefits of CISA.
Where the bloat is most obvious:
- Oversized public outreach efforts with no ROI.
- “Free” services that waste taxpayer dollars.
- Repeated missteps around content moderation.
- Branding and visibility efforts masquerading as mission impact.
- A budget no one can fully explain.
Cutting these is not a threat. It’s a correction.
2.2 What It’s Costing Us
With an annual price tag north of $3B, at least before the proposed cuts, and thousands of staff and contractors, the hidden costs are real:
- Businesses feel pressured to comply with non-binding guidance.
- Compliance costs go up as CISA shifts priorities.
- Innovation stalls as organizations lock into outdated systems.
- Field offices and engagement teams add overhead with little measurable impact.
- Political favoritism undermines neutrality.
A $3B program without clear ROI wouldn’t survive day one of a private-sector budget review.
3. What CISA Is Still Doing
Despite its downsizing, CISA continues to execute on parts of its core mission. Recently, it:
- Added CVE-2025-5777 to the Known Exploited Vulnerabilities catalog and issued patch directives for Citrix “Bleed 2.”
- Published multiple ICS security advisories for products from Siemens, AVEVA, and PTZOptics.
- Worked with NSA and FBI to release alerts on nation-state threats, including recent Iran-linked cyber activity.
- Published findings on preventing exploitation of FRED/EOT (end-of-train) devices that could lead to train derailments.
These are legitimate outputs, but they come from a narrow lane: publishing CVE lists, issuing ICS advisories, and sharing alerts with federal agencies. They raise the question: do we need a $3B+ agency to do this, or can a smaller, more focused entity deliver the same without the excess?
4. Recommendations
The most viable path forward is not to eliminate CISA entirely, nor to maintain its sprawling structure, but to refocus it. I recommend a strategic paring down to its foundational responsibilities:
- Inter-agency coordination
- Federal network protection
- National-level cyber crisis response
- Actionable threat intelligence sharing
The rest—awareness campaigns, non-essential public services, and regional field offices—should be sunset or transferred to other entities. This targeted approach would preserve what CISA does best while avoiding redundancy, overreach, and continued cost ballooning. If any part of it is retained, it must be subject to SMART (Specific, Measurable, Achievable, Relevant, Time-bound) performance metrics so that results are visible, priorities are clear, and the agency can be held accountable for measurable outcomes.
With the right guardrails, this streamlined version of CISA could be reauthorized with clear metrics, sunset provisions, and defined scope limits. Instead of trying to be everything to everyone, it can focus on being essential to those who need it most.
If Congress wants to preserve federal involvement, it should start fresh with a new mandate and only preserve the core functions essential to national security. Any preserved operations must be subject to SMART metrics to ensure accountability and demonstrable impact. Sunset clauses should be built in to prevent unchecked expansion and force periodic reevaluation of value and scope.
What Needs to Be Decided
As with most polarizing questions, the answer is somewhere in the middle. We don’t need to destroy the house. We need to tear off the overbuilt extensions, rebuild the foundation, and start holding the structure accountable.
The current cuts are overdue, not dangerous. If anything, they’re a sign of maturity: we’ve tried the all-in-one model. Now it’s time to get focused, get lean, and stop spending big on small returns. But to make that viable, we need three things: clear threshold modeling, so we can tell whether things are working or failing before they spiral; regular third-party audits; and clear performance benchmarks. That’s how we make sure the lean model actually delivers, and doesn’t just quietly bloat all over again.
About the authors

Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from ground-up.