CISA Ends Funding for MS-ISAC Program for State and Local Governments
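The U.S. cybersecurity agency CISA has ended its 21-year cooperative agreement with the Center for Internet Security (CIS) and is moving to a new model that provides direct funding and no-cost tools to support the cybersecurity work of state and local governments. The change may alter how resources are obtained and bring potential challenges.

2025-10-1 17:28:48 Author: securityboulevard.com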

The ground for private and public organizations that rely on cyberthreat-information sharing programs continues to shift underneath them, with the federal government ending its support for one used by state and local agencies for two decades.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it was letting the cooperative agreement with the Center for Internet Security (CIS) expire September 30, saying it is transitioning to a new model that includes more direct funding and no-cost tools from the agency itself.

Through its 21-year agreement with the Department of Homeland Security (DHS), CIS operated the Multi-State Information Sharing and Analysis Center (MS-ISAC), a program CIS claims has more than 18,000 members and is used as a center for cybersecurity resources and cyberthreat information by state and local governments that can’t always afford to pay for services from cybersecurity vendors.

However, under the Trump Administration, DHS and CISA have been chipping away at the annual $48.5 million in funding for CIS, including taking away $1 million used for election security and then another $10 million, claiming much of the work done by CIS was “redundant.”

The rest went away when the agreement expired this week, and came at the same time that the 10-year-old Cybersecurity Information Sharing Act (CISA), a law that made it easier and safer for organizations to share cyberthreat information with each other and the government, was not renewed, with Senator Rand Paul (R-KY) blocking its reauthorization despite wide bipartisan support for the measure.

In addition, funding for the federal State and Local Cybersecurity Grant Program (SLCGP) also expired. Congress reportedly is considering reauthorizing it, though as with everything on Capitol Hill, there are no guarantees.

Grant Funds, No-Cost Tools in New Model

According to the statement from CISA, the new model for state, local, tribal, and territorial (SLTT) governments – which have relied on the MS-ISAC program – is designed to “strengthen shared responsibility nationwide,” essentially putting a greater onus for cybersecurity on the agencies.

That includes access to grant funding from DHS funneled through CISA and the Federal Emergency Management Agency (FEMA) via the – now expired – SLCGP and Tribal Cybersecurity Grant Program (TCGP). They also will have access to no-cost tools and services, including cyber-hygiene scanning, phishing assessments, and vulnerability management, as well as cybersecurity performance goals and an evaluation tool to measure their progress.

There will be expertise coming from regional cybersecurity advisors and state coordinators through hands-on, local, and virtual means, professional services like vulnerability assessments and incident response coordination, and bi-monthly calls with the SLTT Operation Centers for cyber-defense updates.

“CISA is putting the power directly into the hands of our state and local partners,” Nick Andersen, executive assistant director at CISA, said in a statement. “By expanding shared responsibility nationwide, we are ensuring that every community – large or small – has direct access to the resources and expertise needed to defend against today’s threats and prepare for tomorrow’s.”

Wait and See

The response to CISA’s transition to the new model from some cybersecurity pros was tempered optimism.

“This isn’t inherently a bad thing; it’s a shift,” Deepwatch CISO Chad Cragle told Security Boulevard. “MS-ISAC has been a trusted partner for many years, so whenever a longstanding model ends, there’s a risk of disruption. But CISA is indicating that it aims to bring more consistency, scale, and direct support to state and local governments. … The new model shows potential.”

That said, the execution on the model will be key, with SLTTs continuing to get threat intel, incident coordination, and daily support, Cragle said.

“If that continuity is preserved, the impact could be neutral or even positive,” he said. “If there are gaps in communication or service handoffs, that’s where challenges are likely to arise.”

Kevin E. Greene, chief cybersecurity technologist for the public sector at BeyondTrust, said there is concern with MS-ISAC being defunded but that letting CISA lead cybersecurity protection and wellness for SLTT aligns with the agency’s mandate.

“The goal and intent are to empower SLTT entities to build sustainable, in-house cyber capabilities aligned with their mission needs,” Greene told Security Boulevard. “These grant funds will help elevate protection for critical infrastructure resources and give SLTTs more direct control over how resources are applied to their unique priorities.”

He added that CISA will still be able to collaborate with CIS and MS-ISAC, through memorandums of understanding (MOUs) and other means.

Expired SLCGP Funding a Worry

That said, Jason Soroko, senior fellow at Sectigo, told Security Boulevard that the expiration of funding for the SLCGP shouldn’t be overlooked. It will mean some companies will see a funding shortfall that will disrupt security roadmaps, pushing smaller IT teams to defer necessary upgrades and risk lapses in monitoring and response capabilities.

“Contracts for managed detection, endpoint licenses, and vulnerability scanning may expire without renewal, forcing agencies to scale back coverage or absorb costs with already tight budgets,” Soroko said. “Multiyear projects like network segmentation, zero trust pilots, multifactor expansion, and backup modernization could stall, creating unfinished work that increases exposure at the most fragile points of water systems, hospitals, schools, 911 centers, and local utilities.”

Without the grants, more of the risk to critical infrastructure is shifted back to communities that can’t carry it, and “every delayed patch and unmonitored alert may result in a wider window of opportunity for attackers,” he said.

CIS Looks to Make Up for Lost Funding

In the months leading up to the expiration of CISA’s agreement with CIS, many in cybersecurity urged agencies and Congress to reconsider. More than two dozen cybersecurity pros sent a letter to Congress September 3 urging them to continue the funding, a plea that fell on deaf ears.

For its part, CIS has been spending $1 million a month to make up for the initial cuts in federal funding. With the agreement with CISA expired, the organization is hoping to recoup some of the lost federal money through a tiered paid membership program based on a company’s size, budget, and needs.

The organization also noted that there are CIS services that continue to get funding, such as the Albert network monitoring and management sensors, malicious domain blocking and reporting, and endpoint detection and response (EDR).

Source: https://securityboulevard.com/2025/10/cisa-ends-funding-for-ms-isag-program-for-state-and-local-governments/