The Cybersecurity and Infrastructure Security Agency (CISA) is maneuvering through the Department of Homeland Security (DHS) shutdown, which began at 12:01 a.m. on February 14, 2026, by maintaining operations, albeit at a diminished capacity. Despite the constraints imposed by the Antideficiency Act, which restricts federal spending without congressional appropriation, certain functions remain active under exception clauses.
Operational Adjustments During the Shutdown
While the Antideficiency Act prohibits expenditure without congressional approval, it allows certain exceptions where federal employees can work unpaid in critical areas. Consequently, CISA has furloughed a significant portion of its workforce, while 888 out of 2,341 employees continue to perform essential duties without remuneration. These employees can be recalled if their expertise is necessary for safeguarding human life, property, or national security.
The Immigration and Customs Enforcement (ICE) operations, which were central to the shutdown debate, remain unaffected due to their funding through the President’s One Big Beautiful Bill Act. In contrast, CISA’s efforts to maintain cybersecurity are hindered by the shutdown, restricting its ability to launch new initiatives and curtailing ongoing projects.
Impact on CISA’s Key Operations
CISA’s operations, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and Known Exploited Vulnerabilities (KEV) Catalog, face differing impacts during the shutdown. Regulatory activities like finalizing CIRCIA’s cyber incident reporting rule are likely to be paused, as they are not directly linked to national security or active threats.
The KEV Catalog, however, remains accessible online, continuing to list vulnerabilities that require patching by Federal Civilian Executive Branch (FCEB) agencies. Updates to the KEV are labor-intensive, involving validation and coordination with federal entities, and are expected to proceed at a slower pace. Priority will be given to new threats affecting national security, while older vulnerabilities may see delayed attention.
Challenges and Future Outlook
Despite the continuation of the KEV Catalog, CISA’s ability to enforce compliance among FCEB agencies is weakened, as oversight activities are not considered essential operations under the Antideficiency Act. This may hinder enforcement of critical industry compliance with the KEV’s guidelines.
CISA’s primary mission of enhancing FCEB cybersecurity and extending these efforts to critical infrastructure remains crucial. Although its direct impact on private businesses is limited, the KEV Catalog serves as a vital resource for cybersecurity professionals globally. While CISA’s operations are reduced, the agency remains a key player in cybersecurity efforts.
Acting CISA head Madhu Gottumukkala emphasized the continuing threats, stating, “When the government shuts down, our adversaries do not.” The agency is determined to maintain its role in cybersecurity, even as resource constraints pose significant hurdles.
