CISA kills agreement with nonprofit that runs MS-ISAC • The Register

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday will cut its ties to – and funding for –  the Center for Internet Security, a nonprofit that provides free and low-cost cybersecurity services to state and local governments.

“CISA’s cooperative agreement with the Center for Internet Security (CIS) will reach its planned end on September 30, 2025,” America’s lead cyber-defense agency said in a Monday announcement. “This transition reflects CISA’s mission to strengthen accountability, maximize impact, and empower SLTT [state, local, tribal, and territorial] partners to defend today and secure tomorrow.”

The Center for Internet Security did not immediately respond to The Register‘s questions. We will update this story when we receive a response.

The move is part of CISA’s “new model” to support state and local governments with “access to grant funding, no-cost tools, and cybersecurity expertise to be resilient and lead at the local level,” the announcement continued. 

It’s unclear, however, how cutting funding to programs that aim to boost local governments’ digital defenses will improve cybersecurity resiliency. 

CISA did not respond to The Register‘s questions, including if the federal dollars previously funneled to CIS services would instead fund existing state and local infosec efforts including the State and Local Cybersecurity Grant Program, along with other free services such as Cyber Hygiene scanning, phishing assessments, and vulnerability management.

ISACs at risk

In February, the Department of Homeland Security cut its funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which was run by CIS and advised American election officials and voting machine makers about democracy-menacing cyber-threats. 

“Due to the termination of funding by the Department of Homeland Security, the Center for Internet Security no longer supports the EI-ISAC,” the website said at the time. 

It has since been changed to note: “In response to federal funding cuts, the EI-ISAC Executive Committee is exploring options to continue its vital support to election offices.”

The CIS also runs the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has provided a critical, nationwide threat-intel network for officials at the state and local level for free since 2003, and received the bulk of its funding from the Department of Homeland Security.

In March, the feds cut $10 million in funding- about half the total budget – for the MS-ISAC, and more recently the CIS announced that it would shift to a fee-based model to support the state threat sharing program.

The ISAC funding cuts, along with the broader budget and staff reductions at CISA have led to worries about election security and how officials across all 50 states will be able to rapidly share threat information. 

“Where are we going to get this information, and how are states going to communicate if they see a cyber issue happening out in Oregon, how are they going to let Michigan know that that’s happening?” Tina Barton, a senior election expert with The Elections Group, an organization that advises election officials, told The Register in an earlier interview.

Of course, the CISA-CIS agreement isn’t the only thing expected to end on October 1. The US federal government is also expected to shut down and the 2015 Cybersecurity Information Sharing Act will lapse, barring some last-minute deals, which seems increasingly unlikely considering the state of American politics. ®