The U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, will not participate in the upcoming RSA Conference in March. This decision was confirmed by CISA spokesperson Marci McCarthy, who stated that the agency is focusing on its core mission and ensuring effective use of taxpayer dollars. Historically, federal cyber officials have played active roles at the RSA Conference, but discussions within the White House Office of the National Cyber Director and CISA have indicated a potential boycott of the conference following the appointment of former CISA director Jen Easterly as the new CEO of the RSA Conference. This marks a notable shift in engagement for an agency that has regularly participated in the past.
Why do we care?
Cybersecurity doesn’t fail because of missing policy. It fails because of misinterpretation, misalignment, and silence.
RSA is one of the few places where federal cyber leadership shows up in a way that’s visible, repeatable, and grounding for the people actually doing the work. When CISA steps out of that room, it’s not saving money — it’s surrendering narrative control.
And make no mistake, that control doesn’t disappear. Vendors will happily pick it up. So will consultants.
For MSPs, this raises real risk. You’re expected to implement guidance, explain tradeoffs to customers, and absorb liability when something goes wrong — all while the primary federal voice becomes less present where interpretation actually happens. The real danger here is silent liability transfer. When MSPs act as interpreters of policy without pushing that responsibility into contracts, scope, and documentation, they inherit accountability without authority. That’s not leadership — that’s exposure.
If this absence is driven by political discomfort or optics management, that’s worse, not better. Cybersecurity coordination cannot afford pettiness. The threat landscape isn’t waiting for institutions to feel comfortable.
The danger isn’t that CISA skipped a conference.
The danger is normalizing the idea that engagement is optional while execution risk keeps moving downstream.
MSPs should read this as a warning: the further government leadership pulls inward, the more responsibility — and ambiguity — lands on you.