The Cybersecurity and Infrastructure Security Agency is on the verge of going a full year without a permanent leader, as cyber experts say the void is preventing CISA from moving forward on key issues and leaving an already reeling workforce in the lurch.

The Senate earlier this month returned Sean Plankey’s nomination to the White House after lawmakers failed to vote on it during last year’s session. President Donald Trump formally nominated Plankey in March of last year.

Plankey is a widely respected official whose nomination had broad backing from industry and bipartisan support on Capitol Hill.

But his nomination was placed under multiple holds, some of them unrelated to CISA or cybersecurity. Most recently, Sen. Rick Scott (R-Fla.) had reportedly placed a hold on Plankey after the Department of Homeland Security terminated a Coast Guard cutter contract with a shipyard in Florida. Plankey has been serving as a senior advisor in the Coast Guard while he awaits confirmation.

On Tuesday, Trump re-nominated Plankey to lead the cyber agency. CISA is currently being led in an acting capacity by Deputy Director Madhu Gottumukkala, who was chief information officer for the state of South Dakota when Homeland Security Secretary Kristi Noem was governor there.

Mark Montgomery, the executive director of the Cyberspace Solarium Commission 2.0, said the uncertainty comes at a time when CISA “desperately needs strong leadership.”

“I think they can’t focus,” Montgomery said. “They can’t come up with a strategic plan that’s going to drive a four-year administration. They’ve already lost a year. Every day, every week, every month, that you don’t have your Senate confirmed person, you take risk. This is the civilian cyber defense agency. It needs strong, focused leadership.”

Senate-confirmed leaders are typically more capable of advocating for their agencies, both within the administration and on Capitol Hill in front of lawmakers. Plankey’s nomination fell by the wayside as cyber threats to U.S. critical infrastructure continued to rise last year, noted Bob Ackerman, a venture capitalist who founded AllegisCyber Capital.

“CISA owns the essential national security mission of protecting the homeland from such society-crippling cyber-attacks,” Ackerman said. “Yet, while we wouldn’t charge the U.S. Marines with executing their missions without a leader, CISA’s mission to block and deter our adversaries has been left leaderless at this urgent moment of need.

Over the past year, Montgomery said CISA has not advanced public-private collaboration “in any meaningful way.”

For instance, he said the cyber agency has yet to take significant actions to address Volt Typhoon. U.S. officials have accused the China-linked group of hacking into critical infrastructure networks, like power and water systems. In January 2024, then-FBI Director Chris Wray said the goal of the hacks was to “destroy or degrade” those systems during a future conflict.

“We’re 24 months since [Director] Wray laid out the Volt Typhoon challenge, and we still don’t have an integrated policy to address it,” Montgomery said. “That should come from CISA. It should have come from the Joint Cyber Defense Collaborative, the Joint Cyber Planning Office, and we haven’t gotten it. And the reason is it takes interagency leadership, which you’re not going to get from an acting director.”

Cyber experts also pointed to stalled efforts like the reinstatement of the Critical Infrastructure Partnership Advisory Council (CIPAC) as an example of where Plankey could make a difference.

The Department of Homeland Security disbanded CIPAC last spring as part of a broader purge of federal advisory councils. CIPAC had provided authorities for government officials and industry to collaborate on cybersecurity issues through various sector coordinating councils.

Industry officials had been encouraged by Noem’s speech at the RSA Conference in late April 2025, during which she said CIPAC would be reinstated and “will bring more people to the table and be much more action oriented.”

But since then, DHS has not acted to revive CIPAC or any related authorities. Since the council was disbanded, there has been “less engagement and less communication,” Ari Schwartz, coordinator of the Cybersecurity Coalition, told Federal News Network.

“I do think we do need to see some action on that,” Schwartz said. “I don’t think that that can really wait around at this point.”

CISA’s workforce, meanwhile, has experienced deep cuts under the Trump administration, driven by deferred resignation and early retirements. Many who left were experienced staff that led CISA programs.

Office of Personnel Management data shows CISA’s headcount has gone from a high of 3395 employees in 2024 to 2376 staff at the start of this year.

One CISA employee, who requested anonymity to speak candidly, said the last year at the agency was “extremely difficult.”

“From the onslaught of policy changes targeting us – like return-to-office, standard hours, contract delays and cuts – to the huge amounts of departures and the lack of new leadership in place, we as an agency made little to no progress and in some instances went backwards in my opinion,” the employee said. “For 2026, I was expecting to finally get some concrete leadership direction and priorities, but with the CISA director still not in place and another possible shutdown looming, I’m expecting another year of chaos and little progress.”

Both Montgomery and Schwartz said one positive at CISA over the last year has been Nick Andersen, who joined the agency in August as a political appointee leading CISA’s cybersecurity division. Andersen has spoken at multiple public events, briefed the media on agency cyber directives, and met with industry groups.

But Montgomery noted that doesn’t outweigh not having a Senate-confirmed director.

“You lead CISA from the top and to go fight battles within DHS for the restoration of manpower, to lead interagency work to develop and execute an integrated defense plan against Volt Typhoon’s operational preparation of the battlefield,” he said.

The post CISA director void leaves cyber agency embroiled in uncertainty first appeared on Federal News Network.

© Getty Images/Techa Tungateja

The past year in federal cybersecurity policy was full of uncertainty, as a change in administration, expiring authorities and the emergence of artificial intelligence converged and led to plenty of questions about the future of the cybersecurity landscape.

Going into 2026, cyber policymakers and experts are expecting some clarity, especially around the interplay of AI and cyber. Here are five things to watch when it comes to federal cyber issues as the new year gets underway:

New national cyber strategy

The White House is expected to issue a new national cyber strategy early in the new year. During an appearance at the Aspen Institute’s Cyber Summit in November, National Cyber Director Sean Cairncross said the strategy won’t be a lengthy document.

“It’s going to be a short statement of intent and policy and then it will be paired very quickly with action items and deliverables under that,” Cairncross said. “As a topline matter, it’s going to be focused on shaping adversary behavior, introducing costs and consequences into the mix.”

Cairncross said the strategy will feature six pillars. And he said the Office of the National Cyber Director is also working on a “workforce initiative” to address cyber talent gaps.

“There’s over half a million cyber jobs just on the decks now that need filling and there will be a need for more,” Cairncross said. “We need to align industry incentives, academic incentives, vocational school incentives, [venture capital] and bring them together collaboratively to better the workforce for the country.”

Morgan Adamski, a former National Security Agency leader and executive at PWC, said the cyber strategy’s expected focus on influencing adversarial behavior and offensive cyber operations points toward a shift toward “active defense.”

“Active defense is essential because it shifts security from a passive, reactive posture to a proactive one that actively reduces risk,” Adamski told Federal News Network. “Instead of waiting for threats to materialize and cause damage, active defense emphasizes continuous monitoring, rapid detection, and timely response. This approach shortens the window between intrusion and containment, limits the attacker’s ability to escalate, and protects critical assets before harm spreads. In an environment where threats evolve quickly and adversaries adapt, relying solely on static controls is insufficient.”

AI and cyber

Industry will be closely reading the strategy for what it says about the multifaceted issue of AI. Cyber experts generally divide the issue into three broad categories: securing AI systems and data; defending against AI-enabled cyber attacks; and using AI for cyber defense.

Drew Bagley, Crowdstrike’s vice president for privacy and cyber policy, pointed to how federal agencies have embraced the “zero trust” concept in recent years, as well as technologies like endpoint detection and response, and log management.

“Now it’s going to be increasingly important to think about how those same concepts are applied to AI,” Bagley told Federal News Network. “If AI is going to continue to be embraced at this rapid speed without there being visibility into what’s going out the door with AI, then you have a problem. You have another attack surface.”

Bagley said he’s watching for the Cybersecurity and Infrastructure Security Agency to provide the federal government with leadership on AI security.

“CISA can provide guidance to those who are implementing AI in federal agencies as far as what the security standards need to be to make sure that that AI is secure and that AI is not introducing a security threat in and of itself,” he said.

Meanwhile, agency chief information security officers are also considering how they can use AI to improve cyber defenses. Adamski said CISOs will have to focus on both securing AI systems and harnessing AI for cybersecurity at the same time.

“AI is becoming a genuine force multiplier for defense, especially in security operations where teams are overwhelmed and attackers move fast,” she said. “It can improve detection, speed up investigation, enhance threat hunting, and help prioritize what matters most. In many environments, that kind of leverage is the difference between containing an incident quickly and getting buried by volume.”

CISA 2015 reauthorization

While Congress typically doesn’t move major pieces of legislation during an election year, the reauthorization of cybersecurity information sharing authorities remains a pressing priority when lawmakers return from their holiday recess.

The Cybersecurity Information Sharing Act of 2015 lapsed on Oct. 1. Congress gave it a temporary revival as part of the continuing resolution to reopen the government, but the CISA 2015 authorities are set to expire again on Jan. 30.

Reauthorizing the law has broad bipartisan support, including from the White House. But House Homeland Security Committee Chairman Andrew Garbarino (R-NY) has acknowledged the path to reauthorizing CISA 2015 remains murky at best.

In the House, lawmakers have advanced Garbarino’s bill, the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG Act), through the committee. The bill would extend CISA 2015 for another decade and provide key definitional updates.

“Our colleagues in the Senate have different ideas. Some of them want to do a 10-year clean [reauthorization]. I don’t know if I can get that passed in the House, with concerns from the Freedom Caucus,” Garbarino said at an event hosted by Auburn University’s McCrary Institute in December.

Meanwhile, Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) also opposes a “clean” reauthorization due to his concerns about agencies working with social media companies on disinformation, which occurred under separate authorities from CISA 2015.

“I don’t know how it gets done on its own,” Garbarino said. “I feel like we have to attach it to another piece of legislation, whether that’s government funding. But we need it passed and unfortunately I don’t think we’re close enough with the discussions on the Senate to figure out which bill will pass and what will get done.”

The upshot, Garbarino continued, is another possible short-term extension of CISA 2015.

“Which is unfortunate because we worked very hard to get our bill out of committee,” he added. “It took a lot of requests or advice from the private sector on updates. So we love our piece of legislation that we got done. When you get the trial attorneys to not object to your bill giving liability protection, that’s a pretty good thing.”

CIRCIA rule

CISA the agency, meanwhile, is set to issue a landmark cyber incident reporting rule that will apply to vast swaths of the 16 U.S. critical infrastructure sectors.

Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in 2022. The law generally requires critical infrastructure organizations – in sectors like energy, water and telecommunications – to report significant cyber incidents to CISA within 72 hours.

The law represents the most far-reaching federal cybersecurity regulation ever passed by Congress.

In 2024, CISA released a proposed rule to implement the law. At the time, the agency estimated the rule will apply to some 316,000 entities across the country.

Industry has criticized the proposed rule for being overly broad and is also encouraging CISA to “harmonize” the rule with many existing cyber incident reporting mandates.

The Trump administration has delayed the release of the final rule until May 2026, providing CISA with more time to respond to those concerns.

Cyber leader gaps

Meanwhile, CISA also heads into 2026 without a Senate-confirmed leader. Trump nominated Sean Plankey to serve as CISA director in March. But Plankey’s nomination has been held up in the Senate for various reasons.

Most recently, Sen. Jacky Rosen (D-Nev.) has placed a hold on Plankey’s nomination due to concerns about the Coast Guard’s implementation of a new hate speech policy. Plankey has been serving as a senior advisor in the Coast Guard.

Meanwhile, the National Security Agency and U.S. Cyber Command is also still under acting leadership at the start of the new year.

The dual-hat role of NSA director and CYBERCOM commander is a key cybersecurity post, especially with the Trump administration’s emphasis on offensive cyber operations. The role had been held by Air Force Gen. Timothy Haugh, but Trump ousted Haugh in April, reportedly at the behest of far-right influencer Laura Loomer.

According to multiple reports, Trump now intends to nominate Army Lt. Gen. Joshua Rudd to lead the NSA and CYBERCOM.

And in Congress, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) announced that he will not seek re-election in 2026, meaning he will retire effective January 2027. Peters has been one of the most influential members of Congress on cyber policy over the last decade.

The post Five things to watch in cybersecurity for 2026 first appeared on Federal News Network.

© Getty Images/iStockphoto/chainatp