The White House has recently shifted the responsibility for cybersecurity risk management from federal agencies to state and local governments. On March 19, 2025, U.S. President signed an executive order to launch the National Resilience Strategy. This strategy gives states more control to make infrastructure choices that address cyberattack risks and other physical disasters. The goal is to involve state and local governments, as well as individuals, in enhancing national resilience and preparedness.
The executive order follows deep cuts to federal agencies, including those that supported election and infrastructure security.
These cuts have been criticized for defunding vital cybersecurity programs, leaving states and local governments vulnerable. Key services, such as real-time threat information sharing and vulnerability management, have been significantly reduced. Experts warn that the loss of these services will create gaps in cybersecurity defenses, forcing states to seek replacements, which could result in unequal resources across the country.
States, already struggling with budget constraints, now face additional challenges in managing cybersecurity risks without federal support. Experts stress the difficulty for states, particularly smaller ones, to develop their own cybersecurity infrastructure. With the loss of support from federal agencies like CISA, states are left to navigate a patchwork of external organizations for guidance.
This shift may create significant hurdles for municipalities, schools, and local governments in securing critical infrastructure.
The rollback of federal cybersecurity services has been called a major departure from the bipartisan approach taken in previous administrations. While CISA defends its decisions, critics argue that decentralizing cybersecurity will weaken the nation’s ability to respond to threats effectively. Experts warn that the move could result in fragmentation, delays, and inefficiencies, ultimately increasing the risk of cyberattacks. States must now take swift action to bolster their cybersecurity measures to avoid compromising national security.
