CISA Reframes SLTT Cyber Support as MS-ISAC Moves to Paid Membership

  • Thread Author
The Cybersecurity and Infrastructure Security Agency (CISA) has announced a major operational shift in how it supports state, local, tribal, and territorial (SLTT) governments — one that moves core SLTT-facing services directly under CISA’s expanded service model as a cooperative agreement with the Center for Internet Security (CIS) reaches its planned end on September 30, 2025. The agency says the transition will pair continued access to federal grant funding with no-cost tools, technical expertise, and regional engagement to shore up local cyber defenses, even as the protective functions historically delivered through MS‑ISAC and EI‑ISAC transition toward a fee-based membership model administered by CIS.

Background​

State and local governments, school districts, tribal nations, public utilities, and other SLTT entities operate a broad set of services that are high-value targets for cyber adversaries. Over the last decade, federal support and public–private partnerships have furnished many SLTT organizations with threat intelligence, incident response support, and free security tools. Those services have been delivered through a combination of CISA programs, cooperative agreements, and partnerships with non‑profit organizations, most notably the Center for Internet Security’s (CIS) Multi‑State Information Sharing and Analysis Center (MS‑ISAC) and the Elections Infrastructure ISAC (EI‑ISAC).
In 2025, significant funding changes and program decisions precipitated an operational turning point. Federal funding that previously underpinned many MS‑ISAC functions has been reduced or reprioritized, creating a sustainability gap that CIS has moved to address through a paid membership model. Concurrently, CISA is asserting a more direct operational posture for certain SLTT services, emphasizing grant access, no‑cost tooling, and regional advisory capability. Both the federal funding reductions and the membership model have immediate implications for continuity of services, operational availability, and the cost of maintaining cyber defense capabilities at the local level.

What CISA announced and what it means​

CISA’s announcement on September 29, 2025, summarized the agency’s intent to transition SLTT support into a new model focused on shared responsibility. Key commitments listed by CISA include continued access to Department of Homeland Security (DHS) grant funding through the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP); no‑cost services such as cyber hygiene scanning, phishing assessments, and vulnerability management; and expanded regional and professional services including vulnerability assessments and incident response coordination. CISA also emphasized tools used to measure and prioritize cybersecurity posture such as the Cybersecurity Performance Goals (CPGs) and the Cyber Security Evaluation Tool (CSET).
Why this matters: CISA’s promise to provide no‑cost tools and regional support attempts to blunt the immediate operational impact of the end of the cooperative agreement with CIS on September 30, 2025. For many SLTT organizations, federal grant channels and no‑cost scanning tools are the difference between buying time to harden defenses and facing escalating exposure. The short‑term continuity of scanning, advisory, and assessment services is crucial to preventing operational outages, ransomware events, and cascading impacts to public health, safety, and elections.

The CIS / MS‑ISAC change and the move to fee‑based membership​

CIS — which runs the MS‑ISAC and EI‑ISAC — has publicized a shift from a federal funding model to a sustainable, fee‑based membership model. CIS states that reductions in federal appropriations have placed historic free services at risk and that certain functions previously funded by the cooperative agreement would cease after federal funding expiration on September 30, 2025. CIS’s membership FAQ and service pages outline tiers, pricing, and a timeline for enrollment; they also note temporary transition rules and grandfathering of certain services for organizations that purchase membership.
Key operational points from CIS’s published membership materials:
  • MS‑ISAC membership tiers are based on an organization’s annual operating budget, with scaled pricing intended to be affordable for small jurisdictions. Sample pricing bands for “Single Organization Membership” were published to provide predictability for procurement.
  • CIS emphasized that some services (such as Albert network monitoring sensors and Malicious Domain Blocking and Reporting) were still federally funded through September 30, 2025, but warned that several services had already been defunded in March 2025 and that ongoing services will require paid membership after the federal cooperative agreement ends.
CIS’s pivot aims to preserve core threat intelligence and incident support capabilities, but it marks a significant departure from an expectation that federal funds would sustain those services at no cost to SLTTs.

Independent reporting and the policy context​

Multiple news organizations reported on the federal funding decisions and the resulting transitions for MS‑ISAC and EI‑ISAC. Independent outlets documented the March 2025 cuts to certain MS‑ISAC functions and covered growing concern among state and local officials about potential service interruptions and added costs. Coverage also emphasized the political and budgetary context shaping DHS and CISA funding choices, including administration priorities and congressional action (or inaction) on appropriation lines supporting SLTT cyber programs.
Why cross‑checks matter: For SLTT leaders and CISOs, the practical question is not whether the programs exist — they do — but whether the funding, scope, and delivery model will continue unchanged. Reporting corroborates that federal funding for some MS‑ISAC functions was materially reduced earlier in 2025 and that MS‑ISAC is transitioning to membership fees to close an emergent funding gap. These independent reports, together with CIS and CISA communications, create a consistent public record of the shift.

What SLTTs stand to gain under CISA’s new model​

CISA’s announced approach offers several tangible benefits for SLTT governments that engage with the agency proactively:
  • Continued access to DHS grant funding streams through SLCGP and TCGP, which can be used for technology upgrades, workforce development, and contracting for services. Grant funding remains the largest lever to accelerate security modernization in underfunded jurisdictions.
  • No‑cost security services such as cyber hygiene scanning, phishing assessments, and basic vulnerability management tools. These tools help SLTTs discover low‑hanging fruit and remediate high‑priority misconfigurations.
  • Access to Cybersecurity Performance Goals (CPGs) and CSET to prioritize investments and measure progress with established federal baselines. These frameworks support grant justification and programmatic reporting.
  • Localized expertise through Regional Cybersecurity Advisors and Cybersecurity Coordinators, which can provide hands‑on support and act as rapid escalation points during incidents.
Collectively, these elements reduce the upfront financial burden to many jurisdictions and increase the capacity of smaller IT teams to implement prioritized defensive measures.

Significant risks and operational gaps​

Despite the strengths above, the transition also introduces near‑term and medium‑term risks that could degrade local resilience if not managed carefully.
  • Service discontinuity and access gaps: Organizations that do not secure paid MS‑ISAC membership may lose access to threat distribution, incident response assistance, 24/7 SOC support, and member‑to‑member operational collaboration after October 1, 2025. This creates a cliff‑edge risk for jurisdictions that rely on MS‑ISAC for real‑time intelligence and coordinated incident response.
  • Cost pressure on small budgets: Even scaled membership fees create new recurring obligations for jurisdictions with small operating budgets. While CIS has tiered pricing and temporary discounts, the cost of membership may force IT leaders to reallocate limited resources away from other priorities such as staffing or legacy system modernization.
  • Fragmentation of services: A bifurcated support model — with some services remaining free from CISA and others moving behind paid CIS membership — risks creating inconsistent coverage and confusion at the local level about where to turn during incidents. Fragmentation reduces the predictability of response timelines and can complicate mutual aid during large events.
  • Transition management and trust: The shift is occurring against a backdrop of political scrutiny and budget reallocation. Rapid operational changes, coupled with public debate over the scope of federal engagement in election security and misinformation, may reduce trust between SLTT officials and federal partners. That trust erosion could hamper voluntary information sharing, which is critical during active compromises.
These risks are not hypothetical: the published timelines and membership notices from CIS, and the federal notices, set concrete deadlines and operational thresholds that SLTT leaders must address immediately to avoid coverage gaps.

Practical implications for incident response, threat intelligence, and SOC coverage​

Operationally, the most visible impacts will be in three core areas:
  • Threat intelligence distribution and alignment. Real‑time feeds, curated indicators of compromise, and coordinated alerting help local defenders spot and stop attacks early. If certain threat distribution mechanisms are discontinued or limited to paying members, non‑members will have delayed or incomplete visibility into emerging threats.
  • Incident response augmentation. Many SLTT organizations rely on MS‑ISAC for escalation support during incidents — triage guidance, evidence preservation, and coordination with federal partners. Without membership, jurisdictions may have to depend on local vendors or higher‑cost incident response retainers that may be slower and less integrated into national awareness.
  • 24/7 SOC services and automated blocking. Federally funded services such as network sensors, Malicious Domain Blocking and Reporting (MDBR), and Albert monitoring have been flagged as still funded through the cooperative agreement into the transition date. After that, continuity hinges on membership uptake or new federal appropriations. Losing these automated protections would degrade baseline detection for many organizations.
In short, the day‑to‑day defensive posture of many SLTT environments will depend on whether organizations transition to paid membership, leverage CISA’s offered no‑cost services, or pursue alternative commercial options — each with distinct cost, coverage, and integration tradeoffs.

Financial and procurement realities: grants, budgets, and membership fees​

CISA is leaning on DHS grant programs — principally the SLCGP and TCGP — to help jurisdictions finance improvements and third‑party services. Grant dollars can be used for technology upgrades, consulting, training, and contracting for cybersecurity services. However, grant funds are competitive, cyclical, and require matching or sustained budget commitments to capitalize on longer‑term managed services.
CIS’s membership pricing structure is simple on its face but variable in practice: fees scale with organizational operating budget, and the “pricing if no cooperative agreement” table shows significantly higher amounts for each tier should federal funding not be restored. Many jurisdictions will need procurement approvals, board votes, or council resolutions to allocate funds toward membership, which takes time — and creates another potential cliff if decisions are delayed.
Key procurement implications:
  • Short procurement cycles can be a problem: jurisdictions may not be able to process membership purchases in the days left before service changes take effect.
  • Grants can help but rarely cover recurring subscriptions without a long-term plan.
  • Smaller jurisdictions may need to explore shared services, county or state-wide contracts, or cooperative purchasing vehicles to spread costs.

Strategic recommendations for SLTT leaders and CISOs​

Local leaders must triage immediate operational exposure while building longer-term resilience. The most actionable steps are pragmatic, sequential, and focused on continuity of operations.
  • Inventory and triage: Immediately document all dependencies on MS‑ISAC/EI‑ISAC services (threat feeds, SOC escalation, MDBR, Albert sensors, EDR services). Map which dependencies are covered by current federal funding, which are scheduled to end, and what replacement options exist.
  • Short-term procurement: Evaluate the cost of MS‑ISAC membership against commercially available incident response retainers and managed SOC offerings. For many jurisdictions, negotiating an interim membership through state‑level procurements or through consortium agreements can deliver faster coverage at scale.
  • Use grants strategically: Apply SLCGP/TCGP funding to secure recurring services where allowed, staff training, and accelerated modernization (e.g., network segmentation, EDR/EDR+ upgrades) that reduce dependence on external monitoring alone. Ensure grant proposals explicitly link investments to service continuity.
  • Strengthen mutual aid and regional sharing: Where direct membership is cost‑prohibitive, jurisdictions should develop regional mutual aid agreements, shared SOC capabilities, or state‑led MS‑ISAC purchase arrangements to centralize procurement and maximize buying power.
  • Harden the basics: Focus on prioritized remediation using CISA’s Cyber Hygiene scanning and CSET/CPG frameworks to eliminate easy attack vectors. Patching, multifactor authentication, and phishing resilience are high-leverage investments with immediate risk reduction.
  • Documentation and tabletop exercises: Conduct regular tabletop exercises with incident response partners and ensure SLTT organizations understand escalation paths — whether through CISA regional advisors, contracted vendors, or paid MS‑ISAC membership.
These steps are not mutually exclusive and should be pursued in parallel to minimize the chance of catastrophic service interruptions.

Opportunities for innovation and public‑private collaboration​

Although the transition poses risks, it also opens avenues for innovation:
  • States and regional consortia can create shared managed detection and response (MDR) contracts that centralize SOC functions and reduce per‑entity costs.
  • Vendors and non‑profit consortia may offer scaled “lightweight” subscriptions tailored for the smallest jurisdictions — a market gap that should be prioritized.
  • Public procurement reforms that allow rapid, cooperative purchasing for cybersecurity services would reduce lead times and improve continuity during federal transitions.
CISA’s emphasis on no‑cost tooling and regional advisors could act as a foundation for hybrid public–private models that preserve the benefits of nationwide coordination without requiring every jurisdiction to shoulder full subscription costs. The challenge will be fostering transparent, interoperable integrations between federal tools and commercial platforms.

What to watch next: policy, appropriations, and operational milestones​

Several near‑term signals will determine how this transition unfolds:
  • Congressional appropriations and DHS budget decisions: any restoration or reallocation of funding for MS‑ISAC functions would materially change the membership calculus. Watch for budget amendments and committee actions that specifically address SLTT cyber programs.
  • CIS membership adoption rates: the number and diversity of jurisdictions that purchase MS‑ISAC membership by the September 30, 2025 deadline will indicate the model’s viability and whether critical mass exists to sustain services.
  • CISA operational rollouts: the speed and quality of CISA’s no‑cost services, regional engagements, and incident response handoffs will determine whether federal action sufficiently mitigates coverage gaps. SLTT organizations should monitor CISA service pages and regional contact channels.
  • Vendor and market responses: expect to see new commercial offerings and cooperative purchasing vehicles designed to serve SLTTs at scale — these could meaningfully reduce costs and speed deployment.

Final analysis: achieving resilience in the new landscape​

The CISA announcement frames the change as an opportunity to "maximize impact" and "empower SLTT partners." That framing is truthful to an extent: CISA is expanding direct offerings and leveraging grant programs to reinforce local defenses, while CIS is seeking a sustainable revenue model to preserve specialized intelligence and SOC functions. Yet the transition shifts previously implicit federal responsibilities into a mosaic of free federal tools, grant‑funded procurement, and paid membership — a mixed economy that requires active management.
The strengths of the new landscape:
  • Clear federal pathways for grants and no‑cost baseline tools, which reduce barriers to immediate remediation.
  • A realistic sustainability plan from CIS that ties membership fees to organizational budgets and attempts to preserve high‑value intelligence functions.
  • Opportunities for states and regions to innovate with shared services and purchasing consortia.
The major risks:
  • Coverage gaps and cliff effects if jurisdictions miss enrollment deadlines or cannot rapidly allocate budget.
  • Unequal access as smaller or under-resourced jurisdictions struggle to pay for membership or sustain recurring contracts.
  • Operational fragmentation that complicates incident response and mutual aid during large, multi‑jurisdiction events.
The bottom line: this is a moment that requires rapid, strategic action from SLTT leadership. Jurisdictions that inventory dependencies, align grant strategies, pursue cooperative procurement, and harden foundational controls will emerge stronger. Those that delay decisions risk losing access to critical threat intelligence, response coordination, and automated protections — precisely the capabilities that reduce dwell time and limit the damage from ransomware and other high-impact cyber incidents.

Immediate checklist for SLTT decision‑makers (recommended 7‑day action plan)​

  • Run a dependency inventory: list all services tied to MS‑ISAC/EI‑ISAC, noting contractual end dates and technical owners.
  • Contact regional CISA advisors to confirm available no‑cost scanning, assessment, and escalation options.
  • Apply for appropriate grants (SLCGP or TCGP) and document how funds will maintain continuity and cover membership/subscription costs.
  • Evaluate membership pricing and procurement pathways; consider state or regional pooled purchasing to lower per‑entity costs.
  • Prioritize immediate remediation tasks identified by cyber hygiene scans and CSET assessments (MFA, patching, segmentation).
The coming weeks will test whether federal, non‑profit, and local leaders can coordinate a pragmatic, equitable transition that preserves the nation’s distributed cyber defense posture. The tools, grants, and expertise CISA promises are valuable — but they must be matched with rapid procurement, clear escalation channels, and cooperative funding strategies so that every city, tribe, school district, and public utility can maintain the capabilities necessary to protect citizens and services in an increasingly hostile cyber environment.
Source: CISA CISA Strengthens Commitment to SLTT Governments | CISA
 
Click to expand...
You must log in or register to reply here.