I’ve been going to RSA Conference for a long time. Long enough to remember when the CISA booth felt like a field hospital — staffed by actual practitioners who wanted to talk about threat actor TTPs while handing out pens with the agency logo on them. Long enough to remember when getting time with an FBI cyber agent at the conference felt like a real intelligence briefing, not a press opportunity.
This week in San Francisco, none of those people are there.
CISA, the FBI, and the NSA all skipped RSAC 2026. Not reduced presence. Not a smaller delegation. Not present. Security Boulevard first reported it back in January. eSecurity Planet confirmed it. And then basically everybody moved on, because there was no official statement and no clear explanation, and what are you going to do — file a complaint that a federal agency didn’t attend a private-sector conference?
But here’s the thing. I’ve talked to a dozen people in the past week who are at the conference or heading there, and the absence is the first thing that comes up in private conversation. Every single time. Before the agentic AI sessions. Before the threat intelligence panels. Before whatever Palo Alto is announcing this week.
The government not being there is the story everyone’s talking about and nobody wants to say out loud.
What Those Sessions Actually Were
Let me be specific about what’s missing, because I think the coverage has undersold it.
Federal agency sessions at RSAC were never product pitches. CISA wasn’t up there selling a SaaS platform. The FBI wasn’t running a vendor showcase. Those sessions were operational. They told working security teams how federal investigators approach incident response, what the threat intelligence picture looks like from the law enforcement side, how to actually work with CISA’s emergency response teams when something goes wrong at 3 AM.
For an MSP with federal clients — or honestly any MSP whose clients have supply chain exposure to federal contractors — those sessions were free intelligence. Straight from the people who see the threats from a different angle than any vendor report.
That’s what’s not in the room this year. And the timing is rough, because the 2026 threat landscape has ransomware operators targeting identity infrastructure, pivoting to Active Directory before encrypting data, running AI-generated phishing campaigns. These are exactly the categories where federal investigative visibility is irreplaceable.
The Three Possible Explanations
I’m not going to pretend I know why this happened. Neither CISA, the FBI, nor the NSA returned requests for comment before the conference opened. So we’re working with the three categories that federal policy observers offered: resource constraints, policy considerations, or strategic priorities.
Each one means something different.
Resource constraints means someone looked at the travel budget and made a cut. That’s annoying but not meaningful. Conferences are expensive and agencies are under pressure. If this is the explanation, expect them back next year once the internal optics get addressed.
Policy considerations is where it gets murkier. This could mean the current administration decided that visible federal presence at a major industry event sends a signal they don’t want to send right now. Maybe the signal is about regulation. Maybe it’s about enforcement posture. Maybe it’s about something completely unrelated to cybersecurity. But a deliberate policy decision to reduce public-private engagement — particularly at this moment — is a different category of story than a budget cut.
Strategic reprioritization could mean almost anything, which is why it’s the answer that makes me most nervous. Agencies don’t typically announce strategic pivots through conference absences. They announce them through official guidance, budget allocations, and reorganization announcements. The absence without explanation creates a vacuum. Vacuums get filled with assumptions, and in security, assumptions are the thing that kills you.
The Institutional Signal Problem
Here’s what I keep coming back to.
CISA has been building its identity around public-private collaboration since it was created in 2018. The agency’s whole operating model — the reason it exists as CISA and not just a renamed DHS unit — is the idea that government and industry have to work together on shared threats. That you can’t defend critical infrastructure by issuing advisories and hoping someone reads them. That actual coordination matters.
Showing up at RSA was part of how they demonstrated that. Not because the sessions were irreplaceable. But because the presence meant something. It said: we’re at the same table. We see the same threats. We’re working on this together.
The absence says something too. What it says isn’t entirely clear. But the channel, especially the part of the channel that sells into the public sector or manages security for companies that do, would be unwise to miss the signal.
I talked to one MSP owner before I wrote this. She serves a mix of federal contractors and regional healthcare systems. I asked her what she thought the absence meant.
She laughed, a little.
“I think it means I should stop assuming the cavalry is coming,” she said. “And just build like they’re not.”
That’s not a political statement. It’s an operational one. And honestly, for MSPs, it might be the most useful takeaway from the whole conference. The perimeter-focused security model is already breaking down without federal support gaps making it worse.
The cybersecurity M&A landscape is shifting in parallel, and the federal withdrawal from industry engagement adds another variable to an already uncertain market.
If you’re at RSAC this week and want to talk about what you’re seeing, you know where to find me. I’ll be at the bar asking people what they actually think, off the record. That’s where the real conference happens anyway.
For more on the federal compliance requirements currently hitting MSPs from a different angle, Jaxon’s piece on the GSA CUI requirements diverging from CMMC is worth the ten minutes.