The Cybersecurity and Infrastructure Security Agency is on the verge of going a full year without a permanent leader, as cyber experts say the void is preventing CISA from moving forward on key issues and leaving an already reeling workforce in the lurch.

The Senate earlier this month returned Sean Plankey’s nomination to the White House after lawmakers failed to vote on it during last year’s session. President Donald Trump formally nominated Plankey in March of last year.

Plankey is a widely respected official whose nomination had broad backing from industry and bipartisan support on Capitol Hill.

But his nomination was placed under multiple holds, some of them unrelated to CISA or cybersecurity. Most recently, Sen. Rick Scott (R-Fla.) had reportedly placed a hold on Plankey after the Department of Homeland Security terminated a Coast Guard cutter contract with a shipyard in Florida. Plankey has been serving as a senior advisor in the Coast Guard while he awaits confirmation.

On Tuesday, Trump re-nominated Plankey to lead the cyber agency. CISA is currently being led in an acting capacity by Deputy Director Madhu Gottumukkala, who was chief information officer for the state of South Dakota when Homeland Security Secretary Kristi Noem was governor there.

Mark Montgomery, the executive director of the Cyberspace Solarium Commission 2.0, said the uncertainty comes at a time when CISA “desperately needs strong leadership.”

“I think they can’t focus,” Montgomery said. “They can’t come up with a strategic plan that’s going to drive a four-year administration. They’ve already lost a year. Every day, every week, every month, that you don’t have your Senate confirmed person, you take risk. This is the civilian cyber defense agency. It needs strong, focused leadership.”

Senate-confirmed leaders are typically more capable of advocating for their agencies, both within the administration and on Capitol Hill in front of lawmakers. Plankey’s nomination fell by the wayside as cyber threats to U.S. critical infrastructure continued to rise last year, noted Bob Ackerman, a venture capitalist who founded AllegisCyber Capital.

“CISA owns the essential national security mission of protecting the homeland from such society-crippling cyber-attacks,” Ackerman said. “Yet, while we wouldn’t charge the U.S. Marines with executing their missions without a leader, CISA’s mission to block and deter our adversaries has been left leaderless at this urgent moment of need.

Over the past year, Montgomery said CISA has not advanced public-private collaboration “in any meaningful way.”

For instance, he said the cyber agency has yet to take significant actions to address Volt Typhoon. U.S. officials have accused the China-linked group of hacking into critical infrastructure networks, like power and water systems. In January 2024, then-FBI Director Chris Wray said the goal of the hacks was to “destroy or degrade” those systems during a future conflict.

“We’re 24 months since [Director] Wray laid out the Volt Typhoon challenge, and we still don’t have an integrated policy to address it,” Montgomery said. “That should come from CISA. It should have come from the Joint Cyber Defense Collaborative, the Joint Cyber Planning Office, and we haven’t gotten it. And the reason is it takes interagency leadership, which you’re not going to get from an acting director.”

Cyber experts also pointed to stalled efforts like the reinstatement of the Critical Infrastructure Partnership Advisory Council (CIPAC) as an example of where Plankey could make a difference.

The Department of Homeland Security disbanded CIPAC last spring as part of a broader purge of federal advisory councils. CIPAC had provided authorities for government officials and industry to collaborate on cybersecurity issues through various sector coordinating councils.

Industry officials had been encouraged by Noem’s speech at the RSA Conference in late April 2025, during which she said CIPAC would be reinstated and “will bring more people to the table and be much more action oriented.”

But since then, DHS has not acted to revive CIPAC or any related authorities. Since the council was disbanded, there has been “less engagement and less communication,” Ari Schwartz, coordinator of the Cybersecurity Coalition, told Federal News Network.

“I do think we do need to see some action on that,” Schwartz said. “I don’t think that that can really wait around at this point.”

CISA’s workforce, meanwhile, has experienced deep cuts under the Trump administration, driven by deferred resignation and early retirements. Many who left were experienced staff that led CISA programs.

Office of Personnel Management data shows CISA’s headcount has gone from a high of 3395 employees in 2024 to 2376 staff at the start of this year.

One CISA employee, who requested anonymity to speak candidly, said the last year at the agency was “extremely difficult.”

“From the onslaught of policy changes targeting us – like return-to-office, standard hours, contract delays and cuts – to the huge amounts of departures and the lack of new leadership in place, we as an agency made little to no progress and in some instances went backwards in my opinion,” the employee said. “For 2026, I was expecting to finally get some concrete leadership direction and priorities, but with the CISA director still not in place and another possible shutdown looming, I’m expecting another year of chaos and little progress.”

Both Montgomery and Schwartz said one positive at CISA over the last year has been Nick Andersen, who joined the agency in August as a political appointee leading CISA’s cybersecurity division. Andersen has spoken at multiple public events, briefed the media on agency cyber directives, and met with industry groups.

But Montgomery noted that doesn’t outweigh not having a Senate-confirmed director.

“You lead CISA from the top and to go fight battles within DHS for the restoration of manpower, to lead interagency work to develop and execute an integrated defense plan against Volt Typhoon’s operational preparation of the battlefield,” he said.

The post CISA director void leaves cyber agency embroiled in uncertainty first appeared on Federal News Network.