The US Cybersecurity and Infrastructure Security Agency’s decision to skip the 2026 RSA Conference marks an unprecedented departure from decades of federal participation in the information security industry’s flagship event. According to The Register, CISA confirmed through an agency spokesperson that it will not attend the annual gathering scheduled for March in San Francisco, raising questions about the future of public-private partnerships in cybersecurity and the agency’s strategic priorities under new leadership.

The RSA Conference has served as the primary venue for federal cybersecurity officials to engage directly with private sector security professionals, vendors, and researchers since its inception in 1991. CISA’s absence represents more than a scheduling conflict—it signals a potential recalibration of how the federal government approaches collaboration with the commercial security sector during a period of heightened cyber threats from nation-state actors and increasingly sophisticated ransomware operations targeting critical infrastructure.

A Historic Break From Tradition

Federal agencies have maintained a consistent presence at RSA Conference for more than three decades, using the platform to announce policy initiatives, recruit talent, and gather intelligence on emerging threats. The Department of Homeland Security, CISA’s parent agency, has historically deployed dozens of personnel to the event, staffing exhibition booths, participating in panel discussions, and conducting closed-door meetings with industry leaders. This year’s decision to forgo participation entirely represents the first time a sitting CISA director has chosen to skip the conference since the agency’s establishment in 2018.

The timing of CISA’s withdrawal coincides with broader organizational changes within the agency following recent leadership transitions. Industry observers note that the decision may reflect budgetary constraints, shifting priorities toward operational cybersecurity rather than industry engagement, or philosophical differences about the value of large-scale commercial conferences versus more targeted stakeholder interactions. The agency has not provided detailed reasoning for the decision beyond confirming its absence.

Industry Reaction and Immediate Implications

Security executives and conference organizers expressed surprise at CISA’s announcement, particularly given the agency’s expanded role in coordinating national cybersecurity efforts across critical infrastructure sectors. The RSA Conference typically attracts more than 40,000 attendees from over 130 countries, making it the largest gathering of cybersecurity professionals worldwide. Federal participation has traditionally provided attendees with direct access to policymakers and insights into government priorities that shape compliance requirements and security investments.

Private sector security leaders have voiced concerns that CISA’s absence could create a communication gap at a critical juncture. With artificial intelligence-enabled cyber attacks proliferating and geopolitical tensions driving increased nation-state hacking campaigns, the need for coordinated public-private defense strategies has never been more acute. The conference has historically served as neutral ground where government officials and industry representatives could discuss sensitive topics away from formal regulatory proceedings or congressional oversight.

Budget Pressures and Resource Allocation

Federal agencies face mounting pressure to justify travel expenditures and conference participation amid broader government efficiency initiatives. The cost of sending multiple staff members to a week-long conference in San Francisco—including registration fees that can exceed $3,000 per person, airfare, lodging, and per diem expenses—can quickly reach six figures for a modest delegation. CISA may be reallocating those resources toward operational priorities, including threat hunting, incident response, and infrastructure protection activities that directly support its mission.

The agency’s budget has come under scrutiny as lawmakers debate funding levels for civilian cybersecurity programs. While CISA’s appropriations have grown substantially since its creation, the agency faces competing demands for its resources, including mandates to secure federal networks, protect election infrastructure, and coordinate vulnerability disclosure across critical sectors. Conference participation, while valuable for relationship-building and information sharing, may have become a lower priority compared to operational imperatives.

Alternative Engagement Strategies

CISA has invested heavily in alternative mechanisms for industry engagement, including regional cybersecurity summits, sector-specific working groups, and virtual collaboration platforms. The agency’s Joint Cyber Defense Collaborative, launched in 2021, brings together private sector partners, federal agencies, and state and local governments in a more structured, ongoing dialogue rather than episodic conference interactions. These focused partnerships may provide more actionable intelligence sharing and operational coordination than broad industry conferences.

The agency has also expanded its use of digital communication channels, including regular threat briefings, advisory publications, and social media engagement to disseminate information to security practitioners. This shift toward distributed, continuous engagement rather than concentrated annual gatherings reflects broader changes in how organizations approach professional development and information sharing in an increasingly digital environment. However, critics argue that virtual engagement cannot fully replace the relationship-building and informal information exchange that occurs during in-person conferences.

The Broader Context of Federal-Industry Relations

CISA’s decision comes amid ongoing debates about the appropriate role of government in cybersecurity. The agency has faced criticism from both sides—privacy advocates who view its activities as potential overreach into private sector operations, and security hawks who argue it lacks sufficient authority to compel critical infrastructure operators to implement adequate protections. The agency’s relationship with the commercial security industry has occasionally been strained by tensions over vulnerability disclosure, encryption policy, and the boundaries of government surveillance capabilities.

Recent legislative proposals would significantly expand CISA’s authorities, including mandatory incident reporting requirements for critical infrastructure operators and enhanced information-sharing mechanisms. These policy debates have sometimes played out in conference settings, where industry representatives can directly engage with policymakers. The agency’s absence from RSA Conference may limit opportunities for informal dialogue that could help shape these regulatory frameworks in ways that balance security imperatives with operational realities and civil liberties concerns.

Impact on Recruitment and Talent Development

Federal cybersecurity agencies have traditionally used industry conferences as recruiting venues, seeking to attract experienced security professionals from the private sector to government service. CISA faces persistent challenges in competing with private sector compensation packages, making personal interactions and mission-focused appeals crucial for talent acquisition. The RSA Conference has provided an efficient venue to reach thousands of potential candidates in a concentrated timeframe, and the agency’s absence may complicate recruitment efforts during a period of high turnover in federal cybersecurity positions.

The conference also serves as professional development for federal employees who attend, exposing them to emerging technologies, threat intelligence, and industry best practices that inform government cybersecurity strategies. Junior and mid-level CISA personnel have benefited from training sessions, technical workshops, and networking opportunities that enhance their capabilities. Forgoing this development opportunity may have longer-term implications for the agency’s technical competency and its ability to keep pace with rapidly evolving threats and defensive technologies.

What This Means for Future Government Participation

Other federal agencies have not yet announced whether they will follow CISA’s lead in skipping the conference. The National Security Agency, Federal Bureau of Investigation, and Department of Defense typically maintain significant presences at RSA Conference, using the event to engage with vendors, researchers, and international partners. If CISA’s absence reflects a broader shift in federal policy toward conference participation, other agencies may reassess their own involvement in large-scale commercial events.

The decision raises questions about the future of public-private partnerships in cybersecurity, which have been foundational to national defense strategies since the recognition that most critical infrastructure resides in private hands. Industry conferences have served as important venues for building trust, establishing personal relationships, and creating informal communication channels that facilitate rapid information sharing during crises. Alternative engagement mechanisms, while potentially more efficient, may lack the serendipitous interactions and broad exposure that characterize large conferences.

Looking Ahead: Recalibrating Engagement Models

CISA’s decision to skip RSA Conference may ultimately prove to be an isolated incident driven by specific circumstances, or it could represent the beginning of a fundamental shift in how federal cybersecurity agencies engage with the commercial security industry. The effectiveness of this new approach will become apparent in the months following the conference, as stakeholders assess whether alternative engagement mechanisms can adequately substitute for the concentrated, high-bandwidth interactions that conferences facilitate.

The cybersecurity community will be watching closely to see whether CISA’s absence affects the quality of public-private collaboration, the timeliness of threat information sharing, or the agency’s ability to influence industry practices. If the experiment proves successful, other agencies may adopt similar strategies, potentially transforming the role of industry conferences in cybersecurity policy and practice. Conversely, if significant gaps emerge in coordination or communication, the agency may need to reconsider its approach to industry engagement and restore its traditional conference participation in future years.