Bobbie Stempley

When an adversary strikes a hospital with ransomware or compromises a water system, it is not just a federal government problem, it is a community crisis. In moments like these, the public needs a capable, trusted partner – one that can support local leaders, bring technical expertise, understand the operational realities of industry, and respect civil liberties.

These scenarios are no longer rare. Over the past three decades, awareness of cyber threats has grown, information sharing has matured, and technical capacity across government and industry has expanded. And one truth endures: trust, relationships, and collaboration remain the foundation of resilience. To sustain them, America must return to first principles, aligning with two of its greatest strengths: a federalist system of distributed authority and an entrepreneurial culture of innovation. Today, this approach means ensuring cybersecurity has a trusted, civilian face, one that empowers local governments delivering essential services and supports the industries driving our economy.

First Principles: Resilience Begins Locally

Resilience does not begin in Washington. It begins with those closest to the risk: the state and local governments that keep water safe, schools open, and transit running; the industries that drive economic growth and operate critical infrastructure; and the individuals whose vigilance makes a difference every day.

Recognizing this reality does not diminish the federal role. It clarifies it. Washington’s advantage is not in directing every move, but in providing the tools, intelligence, and standards that others need to succeed, and in having a broader, national vision and understanding across localities and sectors. Done well, federal engagement multiplies the efforts of local leaders, equips industry to innovate securely, and reinforces individual responsibility with national resources.

This intersection is precisely where the Cybersecurity and Infrastructure Security Agency (CISA) has value. As the nation’s civilian cybersecurity agency, CISA is not designed to compete with state or industry leadership but to complement and amplify it. Its greatest contributions lie in bridging communities, setting priorities, and enabling stakeholders.

By prioritizing risk through tools such as the Known Exploited Vulnerabilities (KEV) Catalog and National Critical Functions, by applying deep analytic expertise through programs such as the national cyber assessment teams, and by drawing on experience that ranges from rural water utilities to global cloud providers, CISA enables scarce resources to be allocated where they matter most. In doing so, the federal government fulfills its proper role: not commander of the system, but enabler of those already carrying the burden of resilience.

Industry Trust and Innovation

One of America’s defining strengths in the 21st century is its strength in innovation. Our digital ecosystem has transformed how humans work, live, and relate to one another. It has also fostered new partnerships and collaboration between government and industry. Effective two-way sharing of threat insights, collaborative response actions, and joint messaging now happen daily. But these are delicate negotiations, ones in which industry must weigh domestic and international market considerations, customer privacy, and the consequences of sharing information with law enforcement or intelligence agencies.

These concerns may seem like throwbacks to 2001, but the 2024 ODNI Inspector General Semi Annual Report underscored ongoing concerns about the business and regulatory risks of sharing data with intelligence and law enforcement. Meanwhile, debates around FISA Section 702 [1] reauthorization and surveillance authority have hampered trust-building. Progress has been made in building trust between FBI, NSA, and industry, but trust remains fragile.

A civilian face and partner is indispensable. CISA’s focus is resilience, not prosecution or espionage. Its programs, from the early Cyber Information Sharing and Collaboration Program (CISCP) to today’s Joint Cyber Defense Collaborative (JCDC), have evolved from information sharing to coordinated action. JCDC has flaws, but it proved that when industry sees government as a partner aligned with common goals, the speed and scale of defense improve dramatically.

Bridging Industry and State/Local Governments

Focus matters. Not every partner brings value in every situation. CISA’s unique role enables it to bridge large industry partners with state and local governments that often face attacks with limited resources. Technology giants may develop cutting-edge defenses, but counties, municipalities, and school districts absorb the first and hardest blows. And the ability to translate those defenses to local action requires engagement.

CISA translates national and industry intelligence into warnings local operators can use. A striking example is its pre-ransomware notification program. In 2024, CISA issued over 2,100 such alerts — nearly double from the prior year. These early warnings have already been credited with enabling local entities to stop intruders before they could encrypt or exfiltrate data. Partnerships with organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) ensure that these insights reach those who need them most and enable a two-way flow of insights.

Accountability and Measurable Outcomes

Credibility in cybersecurity does not come from issuing advisories alone. It comes from evidence of progress. In a world of scarce resources and fast-moving threats, only measurable outcomes, from local response to federal coordination, build trust. CISA has begun to prove its impact by pairing initiatives with clear measurement.

  • Phishing-Resistant MFA at USDA: With CISA’s technical support, the Department of Agriculture rolled out phishing-resistant multifactor authentication across its workforce. Importantly, it tracked deployment rates, authentication success, and user feedback. Publishing this data created a model for others to emulate, showing that strong security could be scaled and adopted when measured transparently.
  • Incident Response Lessons and Metrics: After a federal breach caused by a known software flaw, CISA’s “lessons learned” advisory (AA25-266A) went beyond generic warnings. It provided timelines for patching, detection intervals, and assessments of response effectiveness. These details allow other agencies and companies to benchmark themselves against real-world incidents.
  • Nationwide Cybersecurity Review (NCSR): Each year, thousands of state, local, tribal, and territorial governments participate in the NCSR self-assessment. The aggregated results provide a national snapshot of maturity and progress, while individual communities gain insights into their own strengths and weaknesses. The NCSR has become a quiet but powerful accountability tool, turning self-assessment into a roadmap for measurable improvement.

These examples illustrate a larger truth: U.S. cyber defense cannot rely on rhetoric. Citizens and companies must see tangible progress. By institutionalizing measurement and sharing outcomes, CISA builds credibility as a civilian partner and reinforces trust in the system.

Reaffirming the Founding Narrative

Every federal program attracts both advocates and critics. Once launched, programs evolve, and they can be difficult to redirect. Revisiting the founding conditions of CISA is essential. It was created to be a civilian-facing, collaborative organization that would strengthen the resilience of critical infrastructure, including federal systems and networks.

That need still holds. Success lies in embracing the strengths of a decentralized system: increasing resilience through a civilian agency partner that empowers state and local governments, while supporting national security and public safety objectives through collaboration, prioritization, technical skill, and capacity-building.

Conclusion

America’s cybersecurity future depends not on centralized control but on empowered collaboration. It requires connective tissue that links federal insight with local action, translates innovation into resilience, and sustains trust through consistency and transparency. By focusing on what it does best (convening stakeholders, setting priorities, and measuring outcomes), CISA can fulfill its role as the nation’s civilian cybersecurity agency.

National security and public safety are best protected when the federal government enables, rather than directs; when industry collaborates as a partner rather than a suspect; and when communities can see that progress is not just promised but proven. That is the civilian presence and role that America needs, and the role CISA must continue to play.


[1] Section 702 of the Foreign Intelligence Surveillance Act permits the U.S. government to collect communications (emails, texts, phone calls) of non-Americans located outside the U.S. without an individual warrant.