Eight months after the Multi-State Information Sharing and Analysis Center lost its federal funding, the cybersecurity threat intelligence sharing group for state and local governments has lost dozens of states and more than ten thousand local jurisdictions that can no longer afford its vital cybersecurity services, even as the hacking threats they face have grown more numerous and more dangerous.
The MS-ISAC, run by the nonprofit Center for Internet Security (CIS), says it’s working hard to recruit new members, including through discounted fees, and it stresses that it’s still collecting enough data from its remaining members to produce high-quality cyber threat intelligence for that community. But the MS-ISAC’s membership drain could leave thousands of small jurisdictions and their critical infrastructure more vulnerable to nation-state sabotage and ransomware attacks — local impacts that could resonate nationally at a time when China and Iran are using cyberattacks as a tool of foreign policy in their conflicts with the U.S.
“Community security is national security,” said Sarah Powazek, program director of public interest cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. “I cannot overstate the local instability caused by critical services [being] forced offline by a cyberattack — schools close, water stops flowing and public life grinds to a halt.”
Experts say the MS-ISAC’s struggles are a stark example of how the Trump administration’s abandonment of traditional federal responsibilities is undermining U.S. cybersecurity.
“Just as the threat environment is poised to accelerate at an exceptional rate,” Samir Jain, the vice president of policy at the Center for Democracy and Technology, said at a recent House hearing, “the federal government has dramatically pulled back.”
Membership cut by more than half
For more than 20 years, federal subsidies allowed the MS-ISAC to offer free memberships to state and local governments. But after the Department of Homeland Security (DHS) abruptly canceled that funding last year, the group had to start charging membership fees. Between cities and counties that couldn’t afford the new fees and states that had already passed budgets for the year, the MS-ISAC’s membership roster plummeted.
Today, 21 states, two territories and roughly 2,700 local jurisdictions — including cities, counties, school districts, library systems, hospitals and police departments — are members of the MS-ISAC, according to CIS. Fifteen states pay for memberships that include all of their localities, adding another 2,895 organizations to the group. That puts the current total at 5,618 organizations. On the day that the MS-ISAC lost its federal funding, it had 18,574 total members, including all 56 states and territories. Since then, it has lost roughly 70% of its membership.
Connecticut found the money to cover the unexpected new MS-ISAC expense, but “we are not sure if we will be able to continue,” said John McKay, a spokesman for the state’s administrative-services agency. Virginia is hammering out a new membership agreement but has had to “scale down our agreement due to the loss of federal funding,” said Jennifer Guild, a spokeswoman for the state’s IT agency.
Washington State’s budget deficit forced it to leave the MS-ISAC, depriving nearly 500 local entities of “a shared operating picture,” said Vickie Sheehan, the communications director for the state’s technology agency.
Meanwhile, Kentucky left the MS-ISAC after reviewing its own cybersecurity programs and determining that a membership “did not represent an effective return on investment,” said Kinsey Woodson, the communications director for the state’s finance division.
Colorado and Michigan also said they left the group.
In an interview with Cybersecurity Dive, CIS president and CEO John Gilligan said he considered it a “huge success” that the MS-ISAC had been able to retain almost half of its state members. “Given the short notice, the lack of planning for funding [and] the fact that the states and the local jurisdictions are generally under severe financial pressures, we’re not far from what our projections were.”
CIS continues to subsidize MS-ISAC fees for some of the nation’s smallest localities. The group has 1,592 “tier one” jurisdictions — those with annual operating budgets below $25 million — and 254 of them receive subsidies, in the form of either free memberships or discounted rates.
Thousands of localities still haven’t canceled or begun paying for their memberships. “In the last month, we have begun to offboard them,” Gilligan said, starting with jurisdictions that don’t use many of the MS-ISAC’s services.
Growing risks to state and local infrastructure
The MS-ISAC’s services form a major protective barrier for many U.S. states and cities. Losing those protections could dramatically weaken their cyber defenses, leading to more disruptions at local hospitals, courts, water systems and emergency-dispatch centers and increasing the risk of regional or national cyber crises.
Many local governments already struggle to fund essential services like water, trash collection and emergency services. Every new expense threatens to upend that delicate balancing act. “It’s definitely creating challenges that folks were hoping they would not have to face,” said John Matelski, chief information officer and managing director at the National Association of Counties.
Even larger counties may struggle to afford the MS-ISAC’s fees. “They may have more in their coffers, but they also have more things in their queue,” Matelski said. “This really isn’t a big-versus-small issue. It really is an issue that affects everybody.”
Organizations that leave the MS-ISAC lose access to a vast network of cyber threat data that is vital for maintaining situational awareness amid growing threats. The group publishes alerts about ransomware attacks, shares indicators of compromise for intrusion campaigns and recommends defensive measures.
“Without these types of services,” Matelski said, “we’re all just that much more vulnerable.”
Local governments that lose access to MS-ISAC services and intelligence will also struggle to maintain affordable cyber insurance or get payouts after incidents, because insurers consider factors like ISAC membership and access to third-party incident-response support.
The Cybersecurity and Infrastructure Security Agency (CISA) might be able to fill part of the void left by the loss of MS-ISAC services, but over the past 16 months, the Trump administration has dramatically downsized CISA and reorganized its partnership programs, leaving many state and local officials unsure of how much they can rely on the agency. (CISA “communicates with our state and local partners regularly and provides them with timely threat intelligence, expertise, no-cost tools and resources,” Christine Serrano Glassner, the agency’s chief external affairs officer, told Cybersecurity Dive.)
Some lawmakers want to act. Senate Intelligence Committee ranking member Mark Warner, D-Va., has drafted a bill that would require the government to resume funding the MS-ISAC. “Defunding critical infrastructure protections has led to information silos and deprived communities across the nation of the ability to collaborate on securing our critical infrastructure,” Warner wrote to DHS Secretary Markwayne Mullin
Funding loss transforms MS-ISAC
The loss of federal subsidies has sparked several changes at the MS-ISAC.
Facing a tighter budget, the Center for Internet Security reduced staff at the ISAC and began looking for ways to automate more tasks. The onboarding process now involves a self-guided tour through a portal rather than a human-led welcome session. “We’ve put a lot more emphasis” on automation, Gilligan said, “because we just don’t have as many people to do the the outreach activities.”
At the same time, the MS-ISAC says it’s still receiving plenty of threat intelligence from its members and publishing a steady stream of reports and guidance based on that data. The group collects telemetry from roughly 400,000 endpoint security devices, thousands of protective DNS users and nearly 1,100 intrusion-detection sensors, although all three of those data sources have seen slight dips as state and local governments have canceled their memberships.
“We’re getting as good quality threat information as we have in the past,” Gilligan said. “We’ve actually increased the analysis and the breadth of types of reporting that we’ve been providing to the state and local community.”
Still, the loss of federal subsidies has ratcheted up the pressure on CIS, which spent roughly $1 million per month subsidizing the MS-ISAC in 2025. Gilligan said the nonprofit still provides “some subsidies” to the ISAC, but he wouldn’t say for how long that would continue. “We’re looking at the end of this year to start seeing more stability.”
To demonstrate its value to current and prospective members, the MS-ISAC is touting its focus on the full spectrum of physical and cyber threats facing state and local governments; educating a wider range of local leaders outside of IT and security offices; and pushing a “whole-of-state” model that encourages states to extend their memberships to typically overlooked entities such as court systems and legislatures.
“It’s definitely creating challenges that folks were hoping they would not have to face.”
John Matelski
Chief Information Officer and Managing Director, National Association of Counties
Pivotal summer
The summer months will prove a crucial test of the MS-ISAC’s ability to demonstrate its value. When many states’ annual budgets take effect on July 1, CIS hopes to see them include money for membership fees.
At the local level, meanwhile, IT and cybersecurity leaders are scrambling to fund either MS-ISAC memberships or replacements. “There is still concern about, how do we maintain some level of minimum baseline cyber capability?” Matelski said.
Meanwhile, questions remain about the long-term viability of CIS’s subsidies to cash-strapped jurisdictions. If those discounts end, experts said, local governments’ cybersecurity woes will skyrocket.
With foreign adversaries constantly probing U.S. networks for weaknesses, some state leaders say the federal government’s attempts to distance itself from the MS-ISAC will only make things worse.
“No state can tackle cyber defense alone,” said Colin Ahern, New York State’s director of security and intelligence. “These moves will shrink visibility, reduce information sharing and threaten operational collaboration at a time when we can least afford it.”
