It's a Tuesday morning at a county IT department in rural Virginia. Three staff members — the entire security team for 40,000 residents — are watching system logs when a ransomware signature fires on the network. Six months ago, MS-ISAC's 24/7 Security Operations Center would have flagged that pattern before it detonated. As of June 15, 2026, that line is silent for thousands of American jurisdictions.
Reporting by Cybersecurity Dive documents the scale of what's unraveled: the Multi-State Information Sharing and Analysis Center (MS-ISAC) — the only cybersecurity organization dedicated exclusively to state, local, tribal, and territorial (SLTT) governments — has lost dozens of states and more than 10,000 local jurisdictions in the eight months since CISA terminated its 21-year cooperative agreement with the Center for Internet Security on September 30, 2025.
The Threat: Actor, Vector, and What's Now Exposed
The threat vector here isn't a single adversary. It's a structural hole in the nation's defensive architecture. CISA ended its $10 million annual funding relationship with MS-ISAC, with an agency spokesperson arguing that its services "are redundant with other services offered directly by CISA." That $10 million represented approximately half of MS-ISAC's operating revenue base. FY2025 total operating budget stood at $27 million, per figures reported by Cybersecurity Dive as of June 15, 2026.
StateScoop's coverage adds a compounding layer: former DHS Secretary Kristi Noem went further than simply ending CISA's direct contribution — she specifically prohibited state and local governments from using federal grant funding to pay MS-ISAC membership fees, closing the secondary backstop many jurisdictions might otherwise have used. The result, documented by StateTech Magazine, is an exodus of states including Virginia, Washington, Kentucky, Colorado, and Michigan from full membership.
What's actually exposed is not difficult to quantify. As of June 15, 2026, MS-ISAC's SOC had detected and prevented nearly 60,000 malware and ransomware incidents targeting local government networks in 2024 alone. Between 2018 and 2024, 525 ransomware attacks struck federal, state, or local entities — generating $1.09 billion in cumulative downtime costs — hitting water treatment plants, emergency dispatch systems, school networks, and county health databases holding citizen records. That is the data protection gap now widening.
Blast Radius: Who Bears the Asymmetric Cost
At its peak, MS-ISAC served approximately 19,000 SLTT government members at no cost. As of June 15, 2026, only 11 states have committed to paid statewide memberships under the fee-based model that took effect in October 2025. That leaves thousands of counties, municipalities, school districts, and tribal governments operating without the threat intelligence (the practice of gathering and analyzing data about active adversaries to inform defensive decisions) layer they previously relied upon.
The new pricing structure — membership fees ranging from $1,495 per year for small districts to tens of thousands annually for larger counties and states — creates a coverage map that closely tracks budget capacity rather than threat exposure. Rural counties and tribal water authorities face the same automated ransomware campaigns as well-resourced urban departments. The adversary doesn't tier its attacks by jurisdiction size.
States like Texas and Kansas have stepped up by funding statewide memberships from state budgets, ensuring local jurisdictions within their borders retain access. They are the exception. As Terry Loftus, Chair of the MS-ISAC Executive Committee, stated: "Cybersecurity is no longer just an IT issue, it's a national security issue." Senator Mark Warner (D-VA) introduced the Guaranteeing Universal Access to Cybersecurity Act in June 2026, proposing $50 million in annual federal funding to restore MS-ISAC support — five times the original contribution. As of June 15, 2026, it has not been enacted. The National Association of Counties has sent multiple letters to Capitol Hill throughout 2025 and 2026 urging appropriations action, with no enacted result so far.
Chart: MS-ISAC served approximately 19,000 SLTT members at its peak under the free federal model. More than 10,000 local jurisdictions have since lost access, eight months after the September 2025 funding termination. Source: Cybersecurity Dive, as of June 15, 2026.
The Defense Stack That's Actually Missing — and What Partially Fills the Gap
The loss is architectural, not just financial. MS-ISAC's SOC ran AI-powered threat detection and machine learning models across thousands of government networks simultaneously, surfacing coordinated attack patterns before individual jurisdictions could identify them locally. Nation-state actors and ransomware gangs now deploy their own AI-assisted reconnaissance — automated scanners that probe millions of government IP ranges for unpatched systems and misconfigured remote access services. The asymmetry between attacker and defender AI capability widens when the shared SOC goes dark.
CISA's free alternatives — the Cyber Hygiene (CyHy) vulnerability scanning program, the Known Exploited Vulnerabilities (KEV) catalog, and the Shields Up advisory portal — are useful baseline tools. None of them constitute a 24/7 SOC. For the thousands of jurisdictions now relying solely on CISA's direct services, cybersecurity best practices require layering those free tools with state-level mutual aid frameworks and, where budgets allow, pre-negotiated managed security service provider (MSSP) retainers for incident response coverage during off-hours.
Security awareness training becomes more critical when the automated detection layer is removed. Front-line government employees — clerks, dispatchers, library staff, utility workers — become the effective first detection point when phishing (fraudulent emails designed to steal credentials or deploy malware) campaigns land in inboxes that no longer benefit from upstream behavioral filtering. This is not a theoretical concern: ransomware operators frequently gain initial access through credential theft before any technical scanning begins, meaning the human layer matters as much as the technical one.
Harden This Today
One control. Ship it this week.
Any jurisdiction that has lost MS-ISAC access should immediately verify active enrollment in CISA's free Cyber Hygiene scanning program. Request a CyHy scan covering all public-facing IP ranges — the external attack surface that ransomware operators probe first in automated campaigns. If your jurisdiction is already enrolled, confirm the last scan report is less than 30 days old. Stale external vulnerability data creates the same exposure as having no program at all. This doesn't restore what MS-ISAC provided, but it closes the most obviously exploitable doors while the congressional debate over the Guaranteeing Universal Access to Cybersecurity Act works its way through appropriations.
Frequently Asked Questions
What cybersecurity services did MS-ISAC provide free to state and local governments?
At its peak serving approximately 19,000 SLTT members, MS-ISAC provided around-the-clock Security Operations Center monitoring, threat intelligence feeds, incident response coordination, malware analysis, and early-warning alerts calibrated specifically for government environments. As of June 15, 2026, these services now require paid membership — fees ranging from $1,495 per year for small districts to tens of thousands annually for larger entities — amounts that most rural and small jurisdictions cannot absorb without state-level subsidy.
Why did CISA stop funding MS-ISAC after 21 years of the cooperative agreement?
CISA's stated rationale was that MS-ISAC services were "redundant with other services offered directly by CISA," citing free tools including CyHy vulnerability scanning, the Known Exploited Vulnerabilities catalog, and Shields Up advisories as functional substitutes. Critics including the National Association of Counties and Senator Mark Warner argue those tools do not replicate the 24/7 SOC coverage or active threat detection scale — nearly 60,000 incidents prevented in 2024 alone — that local governments depended upon. The compounding factor, documented by StateScoop, was former DHS Secretary Kristi Noem's separate prohibition on using federal grant funding for MS-ISAC memberships, which closed a secondary funding pathway jurisdictions might have used to bridge the gap.
How can local governments protect against ransomware without MS-ISAC membership?
As of June 15, 2026, the most accessible compensating controls (security measures that substitute for a missing primary defense) are: enrolling in CISA's free CyHy vulnerability scanning at cisa.gov, activating state-level cyber mutual aid agreements if available, and pre-negotiating an incident response retainer with a regional managed security service provider so an escalation path exists during off-hours incidents. For longer-term resilience, local government associations should advocate for statewide MS-ISAC funding through state legislatures — the pathway Texas, Kansas, and nine other states have already taken to maintain coverage for all jurisdictions within their borders.
Bottom line: The MS-ISAC funding collapse isn't a budget line item dispute. It's a structural change to the defensive posture of thousands of governments that face the same automated ransomware campaigns and nation-state reconnaissance probes as well-resourced targets — but now without the shared AI-enhanced monitoring layer that served as their first and often only active detection capability. The adversaries running those campaigns did not reduce their activity when the appropriation ended.
Explore Our Network
Disclaimer: This article is editorial commentary based on publicly reported information and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 15, 2026.
No comments:
Post a Comment