TL;DR:

  • CISA furloughed 1,453 employees (62%) when the DHS shutdown began at 12:01 AM on February 14, 2026
  • Only 888 of 2,341 staff remain working (the agency operates at 38% capacity)
  • This follows 1,000+ departures over the past year due to Trump administration workforce cuts
  • Vulnerability scanning of federal networks and critical infrastructure: stopped
  • Cybersecurity advisories and guidance: paused
  • Training exercises and stakeholder engagements: cancelled
  • CIRCIA incident reporting rule: further delayed beyond May 2026 deadline
  • 24/7 operations center remains active for responding to imminent threats

What Happened at Midnight

At 12:01 AM on Saturday, February 14, 2026, the Department of Homeland Security shutdown began. For CISA (the Cybersecurity and Infrastructure Security Agency) it meant immediate furloughs for the majority of its workforce.

Of CISA's 2,341 employees, 1,453 were sent home. That's 62% of America's primary civilian cybersecurity agency. The remaining 888 staff (38%) continue operations at severely reduced capacity.

The timing couldn't be worse. CISA coordinates cybersecurity across all 16 critical infrastructure sectors: energy grids, water systems, hospitals, banks, transportation networks, and telecommunications. When CISA goes dark, the entire country's cyber posture weakens.

An Already Gutted Agency

The shutdown hit an agency that was already bleeding talent.

Over the past year, CISA lost approximately 1,000 employees through Trump administration workforce reduction programs. Before the shutdown, the agency was down to around 2,200 staff, roughly two-thirds of where it stood in early 2025.

The FY2026 budget proposal called for cutting another 1,000 positions, dropping the agency from 3,292 to 2,324 employees, a 29% reduction. The election security program was slated for complete elimination: 14 positions and $39.6 million gone. Cyber defense education and training faced a $45 million cut.

Now, on top of those losses, 62% of whoever remained just got furloughed.

What Stopped When the Lights Went Out

Here's what CISA is no longer doing:

  • Proactive vulnerability scanning: CISA routinely scans federal networks and critical infrastructure systems for vulnerabilities before attackers find them. That scanning stopped.
  • Cybersecurity guidance: Advisories, best practice documents, and new security recommendations are paused. If a major vulnerability drops tomorrow, the guidance might not come.
  • Training exercises: CISA runs tabletop exercises and simulations that help organizations prepare for cyberattacks. All cancelled.
  • Stakeholder engagements: Meetings with critical infrastructure operators, state governments, and private sector partners, stopped.
  • New capability development: No new technical tools or defensive capabilities can be developed or deployed.
  • Critical infrastructure assessments: Physical and cyber assessments of hospitals, utilities, and other essential services are on hold.

What's Still Running

CISA hasn't completely shut down. A skeleton crew handles "excepted" functions deemed critical to life and safety:

  • 24/7 operations center: The watch floor stays staffed to respond to imminent cyber threats
  • Incident response: If something's actively on fire, they'll respond
  • Vulnerability and incident information sharing: Critical alerts still go out
  • Cybersecurity shared services: Basic defensive tools remain operational

But here's the catch: responding to active incidents isn't the same as preventing them. CISA's proactive work (the scanning, the assessments, the training) is what keeps threats from becoming incidents in the first place.

The Incident Reporting Rule Delay

Remember CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act signed into law in 2022? It requires critical infrastructure operators to report cyber incidents and ransomware payments to CISA.

The rule was supposed to be finalized by October 2025. CISA pushed it to May 2026, citing the need to "reduce scope and burden" after receiving significant public comments.

Now, with 62% of staff furloughed? That May 2026 deadline looks increasingly fictional. The rule that would give CISA visibility into cyberattacks across critical infrastructure keeps slipping further away.

For context: CISA estimated the rule would apply to over 300,000 entities across 16 critical infrastructure sectors. Getting that right requires staff. Staff that are currently home without pay.

Meanwhile, the Threats Don't Stop

Nation-state hackers don't observe U.S. government shutdown schedules. Neither do ransomware gangs.

Salt Typhoon, the Chinese hacking group that compromised major U.S. telecommunications companies in 2024, remains active. Russian groups continue targeting critical infrastructure. AI-powered malware is emerging as a new threat vector.

This is happening while America's lead civilian cybersecurity agency operates at less than 40% capacity, after losing a third of its workforce over the past year, with another third furloughed.

What Happens Now

Every day the shutdown continues, the gap widens:

  • Unscanned vulnerabilities accumulate in federal systems and critical infrastructure
  • Training and exercises get pushed back: leaving organizations less prepared
  • Institutional knowledge walks out the door: some furloughed staff won't return
  • The CIRCIA reporting rule falls further behind: delaying visibility into actual attacks
  • State and local governments lose federal support: they're on their own

Congress needs to fund DHS. Until that happens, America's cyber guardians remain largely sidelined, watching from home while the threats keep coming.

Sources