
CISA at 40%: America’s Cyber Shield Is Down While Attackers Accelerate

The agency responsible for defending American critical infrastructure is operating at a fraction of its capacity during the most active threat period in recent memory.

CISA Acting Director Nick Andersen testified to Congress in late March 2026 that approximately 60% of the agency’s workforce is now furloughed due to the ongoing DHS shutdown. One thousand positions remain vacant. In a single day, six members of a highly technical threat hunting and incident response team submitted their resignations.

CISA has received approval for 329 “mission critical hires,” but can only fill excepted positions during the shutdown. The hiring process, which is already slow in government, is now effectively frozen for most roles. Meanwhile, the agency’s core mission, helping federal agencies and critical infrastructure operators detect, respond to, and recover from cyber threats, continues with less than half the workforce it needs.

The timing is not unfortunate. It is dangerous. Q1 and Q2 2026 have produced a volume and severity of cyber threats that would strain a fully staffed CISA. With the agency at 40% capacity, the gap between what is needed and what is available has become a national security liability.

The Threat Landscape CISA Cannot Fully Address

Nation-State Operations at Scale

Salt Typhoon, linked to China’s Ministry of State Security, breached the FBI’s Digital Collection Systems Network in March 2026, gaining access to law enforcement surveillance data. This followed Salt Typhoon’s earlier campaign that compromised all three major U.S. cellular providers between 2019 and 2024, accessing CALEA wiretap infrastructure.

Volt Typhoon remains embedded in critical infrastructure including ports, water facilities, and energy substations, pre-positioned for potential disruption during a conflict. The FBI has warned that these intrusions represent strategic pre-positioning, not intelligence collection. The intent is to have the capability to disrupt American critical infrastructure when a geopolitical trigger is pulled.

These operations require sustained CISA engagement: threat hunting across federal networks, coordination with private sector critical infrastructure operators, and issuance of advisories and indicators of compromise. With 60% of the workforce furloughed, the agency’s capacity to conduct these operations is fundamentally degraded.

Edge Device Authentication Bypasses

The first half of 2026 has seen a pattern of authentication bypass vulnerabilities in enterprise edge devices that CISA would normally coordinate response to at scale. Palo Alto GlobalProtect (CVE-2026-0257) saw active exploitation just four days after disclosure, with attackers forging authentication cookies to bypass VPN login. Fortinet FortiGate, Ivanti Connect Secure, and Cisco ASA have all faced similar exploitation patterns. Each of these vulnerabilities was added to CISA’s Known Exploited Vulnerabilities catalog, but the catalog is only effective if federal agencies have the staffing to act on its directives.

The federal remediation deadline for CVE-2026-0257 was June 1, 2026. Whether furloughed IT teams across federal agencies met that deadline is an open question that a fully staffed CISA would be positioned to verify and enforce.

AI Infrastructure Under Attack

The LangChain, Langflow, and LiteLLM attack cluster of late March 2026 demonstrated that AI infrastructure is now a primary attack surface. Langflow’s critical RCE (CVE-2026-33017) was weaponized within 20 hours of disclosure. The LiteLLM supply chain compromise led to the Mercor breach, exposing AI training data for frontier labs.

CISA added both Langflow vulnerabilities to its KEV catalog, but the broader coordination effort (working with AI companies to understand the scope, issuing guidance for AI framework security, and monitoring for downstream compromises like Mercor) requires resources the agency does not currently have.

Ghost CMS Mass Exploitation

Over 700 websites, including properties belonging to Harvard, Oxford, and DuckDuckGo, were compromised through a critical Ghost CMS SQL injection (CVE-2026-26980). The attack turned trusted websites into malware distribution networks using the ClickFix social engineering technique. CISA’s role in coordinating response to mass CMS exploitation (notifying affected organizations and issuing public advisories) is exactly the type of work that requires a fully operational team.

The Talent Hemorrhage

The most alarming detail in Andersen’s testimony was not the furlough percentage. It was the resignations.

Six members of a “highly technical threat hunting and incident response team” resigned in a single day. These are not easily replaced positions. Threat hunters with the skills to identify nation-state intrusions in federal networks represent years of training, clearance processing, and institutional knowledge. Each resignation creates a capability gap that takes 12 to 18 months to fill under normal hiring conditions. Under shutdown conditions, it may take years.

The talent pipeline problem is structural. Government cybersecurity salaries are not competitive with private sector offerings. The clearance process takes months. The shutdown introduces uncertainty that drives candidates toward more stable private sector employment. And the political dynamics surrounding DHS create a perception that government cybersecurity careers are subject to forces outside the professional’s control.

When building the CIAM platform that scaled to serve over a billion users, retaining specialized security talent was one of the most persistent challenges. The people who can hunt for Salt Typhoon intrusions or analyze zero-day exploit chains are the same people that every major tech company, consulting firm, and defense contractor wants to hire. The government has always competed at a disadvantage for this talent. The shutdown has transformed that disadvantage into a crisis.

What This Means for Enterprise Security

Federal Agencies Are More Vulnerable

CISA’s reduced capacity directly increases the risk for every federal agency and critical infrastructure operator that depends on CISA for threat intelligence, incident response coordination, and vulnerability management guidance. The Known Exploited Vulnerabilities catalog continues to be updated, but the advisory development, stakeholder coordination, and compliance verification that make the catalog effective require staffing that is not currently available.

Federal agencies and critical infrastructure operators should not assume that CISA is monitoring their networks or will respond to incidents at previous service levels. Organizations should increase their own monitoring, threat intelligence consumption, and incident response readiness to compensate for reduced federal support.

The Advisory Gap

CISA produces some of the highest-quality cybersecurity advisories in the world. Joint advisories with NSA, FBI, and international partners provide actionable intelligence on threat actor techniques, indicators of compromise, and mitigation guidance. The volume and quality of these advisories track CISA’s staffing levels: the analysts who write them are the same people now furloughed or resigning.

During the shutdown, organizations should diversify their threat intelligence sources. Private sector threat intelligence providers, vendor security advisories, and international CERT organizations (NCSC-UK, ANSSI, BSI) can partially compensate for reduced CISA output. But the coordination function that CISA uniquely provides, synthesizing intelligence from across the federal government into actionable guidance, has no direct substitute.

Vulnerability Management Timelines Are Compressing

The trend toward rapid exploitation of disclosed vulnerabilities (20 hours for Langflow, four days for GlobalProtect) continues to accelerate. CISA’s KEV catalog and binding operational directives create enforceable timelines for federal agencies to patch critical vulnerabilities. With reduced staffing, the enforcement mechanism is weakened.

Enterprise organizations should not calibrate their patching timelines to CISA’s KEV deadlines. Those deadlines represent the maximum acceptable response time, not the recommended one. For edge devices, VPN gateways, and internet-facing infrastructure, the target should be 24 to 72 hours from advisory to patch, regardless of CISA’s enforcement capacity. Where a patch cannot be applied that quickly, apply the vendor’s interim mitigation and take the device’s management interface and login portal off the internet in the meantime. And treat any device that was exposed during the exploitation window as potentially compromised: patching closes the door, it does not evict an attacker who has already forged a session, so follow the patch with a review of authentication logs and active sessions.
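One way to operationalize an internal SLA that is stricter than CISA’s due date is to read the KEV feed directly and compute deadlines from the day an entry was added rather than from the catalog’s dueDate. The script below is an added example written for this post; it is not code from the original article or from CISA. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed, but the SLA values, the edge-vendor list, the asset inventory, and the sample catalog entries are assumptions and constructed data, and the placeholder cveIDs are not real identifiers.

```python
"""Triage CISA KEV entries against an internal SLA stricter than the CISA due date.

Added example, not code from the original post. Field names follow the public
KEV JSON feed; SLA values, vendor list, inventory and sample entries are
assumptions and constructed data, not real catalog records.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.request import urlopen

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Vendors treated as internet-facing edge devices (assumption; extend for your estate).
EDGE_VENDORS = {"Palo Alto Networks", "Fortinet", "Ivanti", "Cisco"}
# Internal SLA measured from the day CISA added the entry, not from dueDate (assumption).
SLA_HOURS = {"edge": 72, "other": 14 * 24}
STATUS_RANK = {"overdue_internal": 0, "due_within_24h": 1, "open": 2, "patched": 3}


def _entry(cve, vendor, product, added, due, ransomware="Unknown"):
    # Builds one constructed KEV-shaped record; the cveIDs used below are placeholders.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": f"{product} example issue", "dateAdded": added,
            "shortDescription": "constructed sample", "dueDate": due,
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": ransomware, "notes": ""}


# Constructed sample feed in the shape of the real catalog (not real data).
SAMPLE_CATALOG = json.dumps({
    "title": "constructed sample", "catalogVersion": "0000.00.00",
    "dateReleased": "2026-06-05T00:00:00.0000Z", "count": 4,
    "vulnerabilities": [
        _entry("CVE-0000-00001", "Palo Alto Networks", "PAN-OS", "2026-06-01", "2026-06-22"),
        _entry("CVE-0000-00002", "Fortinet", "FortiOS", "2026-06-03", "2026-06-24"),
        _entry("CVE-0000-00003", "ExampleVendor", "ExampleCMS", "2026-05-20", "2026-06-10", "Known"),
        _entry("CVE-0000-00004", "Ivanti", "Connect Secure", "2026-06-04", "2026-06-25"),
    ]})
# Constructed asset inventory as (vendorProject, product) pairs; Ivanti is absent on purpose.
SAMPLE_INVENTORY = {("Palo Alto Networks", "PAN-OS"), ("Fortinet", "FortiOS"),
                    ("ExampleVendor", "ExampleCMS")}
SAMPLE_NOW = "2026-06-05T12:00:00Z"  # constructed "current time" for the sample run


def _day(s):
    # KEV dates are YYYY-MM-DD with no time; treat them as 00:00 UTC.
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def internal_deadline(entry):
    bucket = "edge" if entry["vendorProject"] in EDGE_VENDORS else "other"
    return _day(entry["dateAdded"]) + timedelta(hours=SLA_HOURS[bucket])


def classify(entry, now, patched):
    if entry["cveID"] in patched:
        return "patched"
    deadline = internal_deadline(entry)
    if now > deadline:
        return "overdue_internal"
    if now > deadline - timedelta(hours=24):
        return "due_within_24h"
    return "open"


def triage(raw_json, inventory, now_iso, patched=frozenset()):
    """Return inventory-relevant KEV entries ordered by urgency under the internal SLA."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rows = []
    for e in json.loads(raw_json)["vulnerabilities"]:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not deployed here; skip rather than page someone
        internal, cisa = internal_deadline(e), _day(e["dueDate"])
        rows.append({
            "cveID": e["cveID"], "vendor": e["vendorProject"], "product": e["product"],
            "status": classify(e, now, patched),
            "internal_deadline": internal.strftime("%Y-%m-%dT%H:%MZ"),
            "cisa_due": e["dueDate"],
            # Days by which CISA's deadline exceeds ours: waiting for it is the exposure.
            "cisa_slack_days": (cisa - internal).days,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], r["internal_deadline"]))
    return rows


def load_live_catalog(timeout=30):
    """Fetch the real feed over HTTPS; not called by the sample run below."""
    with urlopen(KEV_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for r in triage(SAMPLE_CATALOG, SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f'{r["status"]:16} {r["cveID"]} {r["vendor"]}/{r["product"]} '
              f'internal={r["internal_deadline"]} cisa={r["cisa_due"]} '
              f'slack={r["cisa_slack_days"]}d')
```

Run against the constructed sample, the PAN-OS entry is already overdue under the 72-hour internal SLA while its CISA due date is still 18 days out, which is the gap the section above is describing. Swap `SAMPLE_CATALOG` for `load_live_catalog()` and `SAMPLE_INVENTORY` for your CMDB export to run it for real; the `patched` set is whatever your patch records say has been remediated.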

What Needs to Happen

Short Term: Maintain Critical Operations

CISA’s 329 approved “mission critical hires” should be processed with maximum urgency. The positions that directly support threat hunting, incident response, and KEV catalog management represent the agency’s core operational capability. Every day these positions remain unfilled increases the risk of a missed intrusion or a delayed response to a critical vulnerability.

Medium Term: Structural Funding Protection

Cybersecurity defense is not a function that can be safely interrupted by political disputes. CISA’s mission, protecting federal networks and critical infrastructure from cyber threats, should have funding protections that insulate it from the effects of government shutdowns. The threats CISA defends against do not pause for congressional negotiations.

Long Term: Competitive Talent Retention

The cybersecurity talent crisis in government will not be solved by hiring approvals alone. Compensation structures, career development pathways, and work environment stability must be competitive with private sector alternatives. The six threat hunters who resigned in a single day represent a symptom of a structural problem that predates the shutdown and will persist after it ends.

The Bottom Line

Every major cyber incident in 2026 has occurred against the backdrop of a degraded CISA. The FBI surveillance breach. The Salt Typhoon telecommunications campaign. The AI framework attack cluster. The Ghost CMS mass exploitation. The Palo Alto GlobalProtect authentication bypass. The DarkSword iPhone exploit affecting 270 million devices.

CISA did not cause these incidents, and a fully staffed CISA would not have prevented all of them. But a fully staffed CISA would have provided faster coordination, broader threat intelligence distribution, more thorough advisories, and stronger enforcement of remediation timelines. Each of these capabilities reduces the blast radius of each incident and improves the collective defense of American organizations.

At 40% capacity, with 1,000 vacancies and its most skilled operators resigning, CISA cannot fulfill its mission. The adversaries know this. The question is whether the political process will restore the agency’s capacity before a major incident demonstrates, in a way that cannot be ignored, exactly what happens when America’s cyber shield goes down.

Key Takeaways

  • CISA is operating at approximately 40% capacity with 60% of its workforce furloughed during the ongoing DHS shutdown
  • 1,000 positions remain vacant; six highly technical threat hunters resigned in a single day
  • CISA has approval for 329 “mission critical hires” but can only fill excepted positions during the shutdown
  • The reduced capacity coincides with the most active threat period in recent memory: Salt Typhoon FBI breach, AI framework attacks, edge device exploitation, and mass CMS compromise
  • Exploitation timelines have compressed to hours (20 hours for Langflow, four days for GlobalProtect), requiring faster response than a 40% staffed agency can provide
  • Federal agencies and critical infrastructure operators should increase their own monitoring and threat intelligence consumption to compensate for reduced CISA support
  • The talent hemorrhage represents a structural crisis: government cybersecurity compensation and stability cannot compete with private sector alternatives
  • Enterprise organizations should target 24-72 hour patching for edge devices and internet-facing infrastructure, regardless of CISA’s KEV enforcement capacity
  • Cybersecurity defense functions should have funding protections that insulate them from government shutdowns


*** This is a Security Bloggers Network syndicated blog from Deepak Gupta's notebook authored by Deepak Gupta. Read the original post at: https://guptadeepak.com/cisa-40-percent-capacity-cyber-shield-down/


Deepak Gupta

Deepak is the CTO and co-founder of LoginRadius, a rapidly-expanding Customer Identity Management provider. He's dedicated to innovating LoginRadius' platform, and loves foosball and winning poker games.
