Article-At-A-Glance: Federal Cyber Defense Leader Resigns from CISA & Program Impact
- Shelly Hartsook, acting associate director of CISA’s cybersecurity division, resigned effective March 6, 2026 — leaving a critical gap in federal cyber defense capacity.
- CISA has lost roughly one-third of its staff since January 2025, creating compounding vulnerabilities across governmentwide cybersecurity programs.
- Key programs like the Continuous Diagnostics and Mitigation (CDM) program that protect federal agency systems are now at risk of losing experienced oversight.
- The agency still has no Senate-confirmed director, with Sean Plankey’s nomination pending and Nick Anderson currently serving in an acting capacity.
- The pattern of departures reveals something deeper than routine turnover — keep reading to understand what is really happening inside CISA right now.
CISA is hemorrhaging experienced leadership faster than it can replace them, and the latest departure signals a federal cyber defense apparatus under serious strain.
The Cybersecurity and Infrastructure Security Agency lost another critical voice on March 6, 2026, when Shelly Hartsook, the acting associate director of CISA’s cybersecurity division, submitted her resignation. Her exit is one in a long line of senior-level departures that have left the agency struggling to maintain its core mission. Understanding what her role actually covered — and what gets left behind — matters enormously for anyone tracking the state of U.S. federal cybersecurity. Organizations like CISA that sit at the intersection of government-wide cyber defense and critical infrastructure protection cannot afford this level of leadership turnover without consequences rippling outward.
“The workforce cuts and the lack of a Senate-confirmed leader have left the cyber agency adrift over the past year.”
— Federal News Network, February 2026
CISA Just Lost Another Key Leader
Shelly Hartsook’s resignation did not come out of nowhere. It arrived amid an already turbulent period for CISA, where the combination of budget pressure, personnel reshuffling, and an absence of confirmed leadership at the top had been building for months. Two sources who spoke to Federal News Network confirmed her departure, both noting it was voluntary — but voluntary does not mean pressure-free.
The timing is what makes this resignation particularly significant. Hartsook was not a peripheral figure. She sat at the operational center of CISA’s cybersecurity division, overseeing programs that tens of federal agencies rely on daily to identify vulnerabilities and maintain a defensible security posture. Losing her is not just a personnel gap — it is a programmatic one.
Who Is Shelly Hartsook and What Did She Do at CISA
Hartsook first joined CISA in 2020, bringing with her 15 years of private sector cybersecurity experience. She rose to the role of acting associate director for the cybersecurity division’s capacity building function — a deceptively broad title that covered some of the most consequential work in federal cyber defense.
In practical terms, she managed CISA programs that provide cybersecurity capabilities to other federal agencies. The crown jewel among these is the Continuous Diagnostics and Mitigation (CDM) program, a DHS-backed initiative that gives federal civilian agencies real-time visibility into their own network assets, vulnerabilities, and potential threats. Without effective leadership over CDM, agencies lose a critical layer of active defense.
Her portfolio essentially served as the connective tissue between CISA and the rest of the federal government’s cybersecurity posture. When that connection weakens, the downstream effects are not abstract — they show up as unpatched systems, delayed threat responses, and reduced situational awareness across federal networks.
Why Her March 6 Departure Date Matters
March 6 was not just a calendar date — it landed during one of the most politically and operationally unstable periods in CISA’s short history. The agency was simultaneously dealing with the fallout from forced reassignments of its CIO and acting chief human capital officer, a budget reduction agenda from the Trump administration, and a leadership vacuum at the director level. Hartsook’s departure added fuel to an already burning situation.
The Resignation Is Voluntary, But the Timing Is Not Coincidental
Calling a resignation voluntary is technically accurate, but it can also obscure the conditions that make staying untenable. The environment at CISA in early 2026 was one defined by uncertainty, reduced resourcing, and a workforce that had watched colleagues either leave on their own terms or be pushed out through reorganization directives.
Internal Friction and Management Conflicts Behind the Scenes
Reports from inside the agency pointed to growing friction between career professionals and political appointees over the agency’s direction and mission priorities. The Trump administration had been vocal about scaling back CISA’s scope, particularly around programs that career officials viewed as core to national cyber resilience. That ideological tension created an environment where experienced professionals found their institutional knowledge increasingly sidelined.
CIO and Chief Human Capital Officer Forced Out Before Hartsook Left
Just before Hartsook’s resignation, Federal News Network reported that CISA’s Chief Information Officer, Bob Costello, and the acting Chief Human Capital Officer, Kevin Diana, had been given a stark choice: accept reassignment to new roles within the Department of Homeland Security or resign. That kind of directive — essentially a managed exit — sent a clear signal to the rest of CISA’s senior staff about job security and agency direction.
CISA Has Lost One-Third of Its Staff Since January 2025
The Hartsook resignation is one data point in a much larger pattern of attrition. Since January 2025, CISA has shed approximately one-third of its total workforce — a staggering figure for any organization, but especially alarming for one responsible for defending federal civilian networks and coordinating critical infrastructure protection across the country.
How Voluntary Workforce Transition Programs Gutted the Agency
The bulk of CISA’s staff losses came through what the administration framed as voluntary workforce transition programs — essentially deferred resignation offers that encouraged employees to leave with some financial incentive. On paper, voluntary. In practice, these programs systematically hollowed out institutional knowledge that took years to build. Career cybersecurity professionals who understood federal network architecture, threat landscapes, and inter-agency coordination protocols walked out the door in waves.
What makes this particularly damaging for CISA is that cybersecurity expertise is not fungible. You cannot quickly replace a threat analyst who spent five years mapping vulnerabilities across federal civilian networks with someone hired off the street. The compounding effect of losing dozens of mid-to-senior level professionals in a compressed timeframe creates capability gaps that do not show up immediately — they surface six to twelve months later when an incident occurs and the institutional memory to respond effectively is simply gone.
Budget Cuts Under Kristi Noem Accelerated the Talent Drain
Former DHS Secretary Kristi Noem’s tenure brought with it a renewed push to reduce CISA’s budget and narrow its operational mission. The Trump administration’s position was that CISA had overreached — particularly around its election security and disinformation-related work — and needed to be scaled back. But budget cuts do not selectively target the programs an administration dislikes. They hit staffing, tools, contracts, and morale across the board. For career professionals who joined CISA to do meaningful national security work, watching the agency’s resources and mandate shrink made the decision to leave far easier.
The Threat Hunting Leader Who Left Just Weeks Earlier
Hartsook’s resignation did not arrive in isolation. Just weeks before her departure, CISA’s associate director for threat hunting announced they were leaving for a private sector role. Threat hunting — the proactive process of searching federal networks for adversaries who have already breached defenses — is one of CISA’s most operationally critical functions. Losing the leader of that program, followed immediately by the head of capacity building, means two of the most consequential cybersecurity functions inside the federal government are now operating without experienced permanent leadership simultaneously.
No Permanent Director, No Stability
At the center of all of this instability sits one structural problem that has persisted for over a year: CISA has no Senate-confirmed director. Leadership at the top sets the tone, prioritizes resources, and provides the political cover career officials need to do their jobs effectively. Without it, every decision at the agency becomes provisional, every program priority becomes uncertain, and every senior official has less reason to stay.
Sean Plankey’s Nomination Was Blocked Once and Renominated in January 2026
Sean Plankey, Trump’s nominee for CISA director, had his confirmation stalled once before his renomination in January 2026. Plankey brings a background in energy sector cybersecurity and previously served in national security roles, but his path to confirmation has been anything but smooth. Every week the director’s seat sits empty is another week CISA operates without the authority and stability a confirmed leader provides. For an agency already losing senior staff at an alarming rate, that absence has a multiplying effect on morale and mission execution.
What Nick Anderson Inherits as Acting Director
In the interim, Nick Anderson — previously serving as executive assistant director for cybersecurity at CISA — stepped into the acting director role after Madhu Gottumukkala, who had been named deputy director in May 2025, departed. Anderson now leads an agency dealing with:
- A workforce reduced by approximately one-third since January 2025
- No Senate-confirmed director providing institutional authority
- The simultaneous loss of leaders in threat hunting and capacity building
- A CIO and acting CHCO who were pressured to accept reassignment or resign
- Budget reduction pressure from DHS that has narrowed the agency’s operational scope
- Critical programs like CDM operating without their experienced program leadership
Anderson’s position is not enviable. Acting directors carry the responsibilities of the role without the confirmed authority, political capital, or long-term mandate that comes with Senate confirmation. Every major decision he makes can be reversed, reframed, or undermined the moment a permanent director arrives — which creates a chilling effect on bold action precisely when bold action is most needed.
The practical result is an agency in a holding pattern. Programs continue running on institutional inertia, but strategic direction, inter-agency coordination at the senior level, and the kind of proactive cyber defense posture CISA was built to project are all operating at diminished capacity. For foreign adversaries actively probing federal networks — and they are — a leaderless, understaffed CISA is an opportunity, not a deterrent.
What Hartsook’s Exit Means for Federal Cyber Defense Programs
Strip away the bureaucratic language and Hartsook’s departure means this: the person who managed the systems that help federal agencies see and respond to cyber threats inside their own networks is gone, with no confirmed replacement announced. That is not a procedural inconvenience — it is a genuine operational risk for every federal civilian agency that depends on CISA’s capacity building programs to maintain basic cybersecurity hygiene.
Governmentwide Cybersecurity Capacity at Risk
The CDM program that Hartsook oversaw is not a single tool — it is a layered architecture of dashboards, sensors, and agency-specific deployments that gives federal IT teams visibility into what is on their networks, what is vulnerable, and what needs immediate attention. Managing that program requires deep knowledge of federal procurement, agency-specific IT environments, and evolving threat intelligence. That expertise does not transfer automatically when someone new takes over. There is an unavoidable learning curve, and during that curve, program momentum slows, agency support requests take longer to resolve, and the overall security posture of dozens of federal agencies quietly degrades.
Critical Infrastructure Protection With Fewer Experienced Leaders
Critical infrastructure protection is where CISA’s mission becomes most consequential — and most vulnerable to leadership gaps. Hartsook’s capacity building role extended beyond just federal civilian agencies. It touched the frameworks and tools that support sectors like energy, water, transportation, and financial services in understanding and reducing their cyber exposure. With fewer experienced leaders at the helm, the coordination between CISA and these sectors becomes slower, less informed, and less proactive.
Key CISA Programs Impacted by Leadership Attrition
Program Function Risk from Leadership Gap Continuous Diagnostics and Mitigation (CDM) Real-time network asset and vulnerability visibility for federal agencies High — program momentum and agency support slow without experienced oversight Threat Hunting Operations Proactive search for adversaries already inside federal networks Critical — associate director position vacant after recent departure Capacity Building Programs Providing federal agencies with scalable cybersecurity capabilities High — Hartsook’s exit leaves no confirmed replacement announced Critical Infrastructure Coordination Cyber risk guidance for energy, water, transport, and financial sectors Moderate to High — senior-level liaison capacity reduced
The compounding effect here is what cybersecurity professionals call a capability cliff — a point where enough institutional knowledge has walked out the door that the remaining team cannot fully execute the mission, even with the best intentions. CISA is approaching that cliff faster than the public discourse reflects. When the people who built and managed these programs leave, they take with them undocumented processes, agency relationships, and hard-won threat context that no onboarding manual can replicate.
The private sector is already noticing. Security vendors and contractors who work alongside CISA programs report slower response cycles, delayed contract renewals, and reduced strategic engagement from the agency’s senior staff. These are early warning signs — not of a single failure, but of systemic degradation that accumulates quietly until a high-profile incident forces the conversation.
CISA’s Ability to Protect Federal Systems Is Weakening in Real Time
The cumulative picture painted by Hartsook’s resignation, the earlier threat hunting director’s departure, the forced reassignment of the CIO and acting CHCO, the one-third workforce reduction, and the absence of a Senate-confirmed director is not ambiguous. CISA’s operational capacity to protect federal systems is measurably weaker today than it was twelve months ago. That is not speculation — it is the logical outcome of systematically removing the people and resources that make cyber defense possible.
Foreign adversaries do not pause their operations while the U.S. government reorganizes its cyber defense apparatus. State-sponsored groups from China, Russia, Iran, and North Korea have demonstrated persistent interest in penetrating federal networks, and they are sophisticated enough to recognize when their target’s defenses are in disarray. A hollowed-out CISA is not just an internal management problem — it is a national security vulnerability with real-world consequences for every American whose personal data lives on a federal government server.
Frequently Asked Questions
Here are direct answers to the most common questions about Shelly Hartsook’s resignation and what it means for CISA’s cybersecurity mission.
What programs did Shelly Hartsook lead at CISA?
Hartsook led CISA’s cybersecurity division capacity building programs, which include the Continuous Diagnostics and Mitigation (CDM) program — a critical initiative that gives federal civilian agencies real-time visibility into network assets, software vulnerabilities, and active threats. Her portfolio essentially served as the operational bridge between CISA and dozens of federal agencies that rely on the agency for cybersecurity tools, guidance, and support. She joined CISA in 2020 after 15 years in the private sector.
Why did Shelly Hartsook resign from CISA?
Her resignation was confirmed as voluntary by two sources who spoke to Federal News Network. However, the departure came during an intensely turbulent period for the agency — following the forced reassignment of CISA’s CIO and acting CHCO, a significant workforce reduction, budget pressure from the Trump administration, and an extended period without Senate-confirmed leadership at the director level.
While no public statement attributed her exit to specific internal conflicts, the broader pattern of senior departures at CISA in early 2026 strongly suggests that institutional instability, reduced mission scope, and political friction played a role in making continued service less viable for experienced career professionals.
How many staff has CISA lost since 2025?
CISA Workforce Attrition Timeline
Period Key Departure or Event Impact Level January 2025 onward Voluntary workforce transition programs initiated; approx. one-third of total staff lost Severe Early 2026 Associate Director for Threat Hunting departs for private sector Critical February 2026 CIO Bob Costello and acting CHCO Kevin Diana pressured to reassign or resign High March 6, 2026 Shelly Hartsook, acting Associate Director for Cybersecurity (Capacity Building), resigns Critical
Since January 2025, CISA has lost approximately one-third of its total workforce. That figure encompasses both the targeted departures of senior officials and the broader attrition driven by voluntary workforce transition programs offered across DHS. For an agency whose effectiveness depends entirely on the depth and continuity of its technical expertise, that scale of staff loss in such a compressed timeframe is operationally catastrophic.
The losses are not evenly distributed across seniority levels either. The most visible departures have been at the associate director and division chief level — exactly the layer of experienced leadership that translates executive policy into operational execution. Junior staff may remain, but without experienced managers to direct and develop them, capability degradation accelerates.
Rebuilding that kind of institutional knowledge takes years, not months. Federal cybersecurity hiring is notoriously slow due to clearance requirements, limited salary competitiveness against private sector roles, and bureaucratic onboarding timelines. CISA will not simply hire its way back to operational strength in the near term.
Who is now leading CISA after the latest shakeup?
Nick Anderson, who previously served as executive assistant director for cybersecurity at CISA, is currently serving as acting director. He stepped into the role after Madhu Gottumukkala, who had been named deputy director in May 2025, departed. Anderson is managing an agency that is simultaneously navigating workforce reduction, program leadership vacancies, and budget constraints — all without the authority or mandate that comes with Senate confirmation.
On the confirmed director front, Sean Plankey — Trump’s nominee for the permanent CISA director role — was renominated in January 2026 after an earlier nomination stalled. Plankey has a background in energy sector cybersecurity and has held national security positions previously, but his confirmation timeline remains uncertain. Until he is confirmed, CISA continues operating under acting leadership at its most consequential operational moment in years.
What happens to federal cybersecurity programs when key CISA leaders resign?
When experienced CISA leaders resign, the programs they managed do not stop — but they slow down, lose strategic direction, and become reactive rather than proactive. The CDM program, for example, requires active management of agency deployments, vendor relationships, and evolving technical requirements. Without a steady hand at the top, agencies experience delayed support, stalled capability expansions, and reduced coordination on emerging vulnerabilities.
The broader consequence is a shift from offense to defense in the worst possible sense. Rather than proactively hunting threats and pushing new security capabilities to federal agencies, CISA increasingly finds itself just trying to maintain existing operations with a reduced and disrupted team. That reactive posture is exactly what sophisticated nation-state adversaries exploit — they do not need to break through CISA’s defenses if CISA’s defenses are already breaking from within.