The Agency That Protects the Internet Is Shrinking
CISA — the Cybersecurity and Infrastructure Security Agency — has lost roughly one-third of its staff over the past year, according to Federal News Network. The Stakeholder Engagement Division, which coordinates CISA's partnerships with private sector organizations and state/local governments, has lost 96 of its 189 staff members since January 2025. Cyber partnerships face what Federal News Network describes as a 'standstill.'
CISA is the federal agency that maintains the Known Exploited Vulnerabilities (KEV) catalog — the authoritative list of vulnerabilities confirmed to be actively exploited in the wild. It is the agency that issues binding operational directives ordering federal agencies to patch critical vulnerabilities. It coordinates the national response to major cyber incidents. And it is being hollowed out by budget cuts at exactly the moment when attack surface is expanding and threat actor sophistication is increasing.
Why the KEV Catalog Matters
The CISA KEV catalog is one of the most important cybersecurity resources on the internet. When CISA adds a vulnerability to the KEV, it means there is confirmed evidence of active exploitation — not theoretical risk, but actual attacks in the wild. WebPulse uses KEV data to score framework threat exposure. Enterprise security teams use KEV to prioritize patching. Federal agencies are legally required to patch KEV-listed vulnerabilities within specified timelines.
In June 2026 alone, CISA added six vulnerabilities to the KEV catalog across three updates: the Chrome V8 zero-day (CVE-2026-11645), the LiteSpeed cPanel root escalation (CVE-2026-54420), the Joomla JCE CVSS 10.0 flaw (CVE-2026-48907), two Cisco SD-WAN flaws, and an Arista vulnerability. Each addition requires analysis, verification, coordination with affected vendors, and publication. This work continues despite the staff reductions — but the capacity to sustain it is contracting.
The Timing Problem
CISA's staffing cuts coincide with an expanding threat landscape. CVE disclosures hit a record 48,185 in 2026. Supply chain attacks (Shai-Hulud, Miasma, TrapDoor) are running simultaneously across multiple package ecosystems. AI-driven bot traffic now exceeds human traffic. The attack surface that CISA monitors is growing exponentially while its capacity to monitor it is shrinking linearly.
The GovSec Summit USA 2026, held June 11, framed this tension explicitly: 'Cyber Defense at Scale: Aligning National Security Urgency With Fiscal Reality.' The urgency and the fiscal reality are moving in opposite directions.
What This Means for Web Infrastructure
Organizations that rely on CISA KEV data for vulnerability prioritization should prepare for potential delays in catalog updates. More broadly, the contraction of federal cybersecurity coordination capacity means private sector organizations bear more responsibility for their own threat intelligence. The frameworks and infrastructure choices that minimize attack surface — static sites, modern frameworks with zero CVEs, isolated deployment models — reduce dependency on external threat intelligence. When the agency that tracks threats is shrinking, having fewer threats to track is a strategic advantage.
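One way to prepare for delayed catalog updates, as an added example that is not part of the original article: treat the age of the KEV feed as a signal in its own right, and stop reading "not in KEV" as "not exploited" once the feed goes quiet. The field names follow CISA's published KEV JSON feed; the feed contents, CVE IDs, host names and the 14-day threshold are constructed assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs are
# placeholders, not real catalog entries.
SAMPLE_FEED = json.dumps({
    "catalogVersion": "2026.06.10",
    "dateReleased": "2026-06-10T15:00:00.000Z",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2026-06-02", "dueDate": "2026-06-23"},
        {"cveID": "CVE-0000-0002", "dateAdded": "2026-06-10", "dueDate": "2026-07-01"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2026-05-01", "dueDate": "2026-05-22"},
    ],
})

# CVEs a scanner reported per host (constructed).
INVENTORY = {"web-01": ["CVE-0000-0001", "CVE-0000-0009"], "web-02": ["CVE-0000-0003"]}

MAX_FEED_AGE = timedelta(days=14)  # assumed threshold; tune to your own risk tolerance


def feed_age(feed: dict, today: date) -> timedelta:
    """Time since the feed last changed: release stamp or newest dateAdded."""
    released = date.fromisoformat(feed["dateReleased"][:10])
    newest = max((date.fromisoformat(v["dateAdded"]) for v in feed["vulnerabilities"]),
                 default=released)
    return today - max(released, newest)


def triage(feed_json: str, inventory: dict, today: date) -> dict:
    """Match inventory CVEs against KEV and flag when the feed itself is stale."""
    feed = json.loads(feed_json)
    kev = {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}
    findings = [
        {"host": host, "cve": cve, "due": kev[cve], "overdue": kev[cve] < today}
        for host, cves in inventory.items() for cve in cves if cve in kev
    ]
    findings.sort(key=lambda f: f["due"])  # earliest remediation deadline first
    stale = feed_age(feed, today) > MAX_FEED_AGE
    # With a stale feed, absence from KEV is no longer evidence of non-exploitation,
    # so unmatched CVEs are handed to a secondary source for ranking.
    unmatched = sorted({c for cves in inventory.values() for c in cves} - set(kev))
    return {"stale": stale, "kev_findings": findings,
            "needs_secondary_review": unmatched if stale else []}
```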


