4 critical cybersecurity strategies for state and local governments in 2026
Why 2026 is a turning point for public sector cybersecurity — and how agencies can stay ahead.


If you work in state or local government, you’ve probably felt the cybersecurity squeeze, and 2026 will tighten it even more. New standards like the NIST Cybersecurity Framework (CSF) 2.0 are raising the bar, AI-driven threats are accelerating, and agencies face mounting pressure to sustain progress beyond initial grant cycles. With evolving requirements, higher performance expectations, and the need for long-term resilience, the question is no longer whether to invest in cybersecurity, but how to do it strategically and sustainably.

The stakes are higher than ever.

Cyber incidents aren’t just more frequent; they’re more expensive. IBM’s Cost of a Data Breach Report 2025 found the average U.S. data breach now costs $10.22 million, the highest globally. For public agencies, entering 2026 without a clear plan for sustaining progress isn’t just a technical risk — it’s a financial and operational one.

The evolving threat landscape

If 2026 feels like a crossroads, it’s because the threat landscape is evolving faster than ever. Ransomware remains the dominant risk, and it’s hitting governments hard. Between 2018 and 2024, U.S. federal, state, and local agencies experienced 525 ransomware attacks, costing an estimated $1.09 billion in downtime. On average, each incident disrupted operations for nearly a month.

And attackers are getting smarter. Generative AI has become part of the attacker’s toolkit, making phishing campaigns faster and more convincing.

IBM reports that one in six breaches last year involved AI, and the time to craft a realistic phishing email has dropped from hours to minutes.

Supply chain compromises add another layer of risk, as breaches at major vendors ripple across dozens of state and local systems. Even agencies with strong internal controls aren’t immune. Smaller jurisdictions are hit hardest — nearly 80% of state and local entities have fewer than five dedicated security staff, with most citing funding as their top challenge. Adversaries are moving faster, using smarter tools, and exploiting every gap.

Strategic imperatives for 2026

To reduce risk and build resilience, agencies must focus on fundamentals. Many still lag in basics like asset inventory, incident response testing, and disaster recovery planning. These gaps collide with aging technology, thin staffing, and the rise of AI-driven attacks, creating a perfect storm.

Here’s where to start:

1. Modernize legacy infrastructure

Legacy systems pose serious security risks. For the twelfth year running, state CIOs rank cybersecurity as their top priority, and outdated technology remains one of the biggest barriers to progress. Old platforms make it harder to implement zero trust, test recovery plans, or deploy modern defenses like endpoint detection and response (EDR).

Threats are now so pervasive that some CISOs describe their job as “looking for a needle in a stack of needles” — not a haystack. Every system, every connection, every vendor could be the next entry point for an attack, and legacy technology only multiplies those needles.

The path forward doesn’t have to be all or nothing. Staged modernization — moving critical workloads to secure cloud environments, regional data centers, or state-managed platforms — can dramatically reduce risk. Frame ROI around dollars invested now to avoid far greater losses later.

2. Build cyber workforce capacity

The talent gap is not closing anytime soon. ISC2 reports a global shortfall of 4.7 million cybersecurity professionals, with the U.S. still facing hundreds of thousands of unfilled roles. Public sector agencies feel this strain most acutely. Many local governments still rely on a single IT generalist to manage everything from patching to incident response.

Closing this gap requires creativity. Agencies can forge partnerships with colleges to develop tailored degree programs, create regional security operations centers (SOCs) that pool expertise, and lean on managed services to supplement thin teams. These fixes allow smaller agencies to scale without waiting for a miracle.

3. Strengthen governance and policy alignment

Cybersecurity has moved from a back-office concern to a boardroom priority. NIST’s Cybersecurity Framework 2.0 makes governance a core function, signaling that boards, agency heads, and elected officials must own cyber risk. At the same time, states are rolling out new AI and privacy laws, and federal directives on cloud security and supply-chain risk are reshaping procurement.

Agencies must move beyond compliance checklists. Align policies with CSF 2.0, clarify roles across state and local levels, and treat audits as strategic inputs. Done right, governance turns cybersecurity from an IT silo into an enterprise-wide priority.

4. Secure sustainable funding

The State and Local Cybersecurity Grant Program (SLCGP) has been a lifeline, injecting $1 billion into state and local initiatives from 2022 through 2025. Now, thanks to the bipartisan PILLAR Act (Protecting Information by Local Leaders for Agency Resilience), the program has been extended. After passing the House in November 2025, the bill reauthorizes SLCGP through at least 2033 and broadens its scope to include operational technology and AI systems. It now heads to the Senate.

While this renewal offers stability, it doesn’t eliminate all funding challenges. Federal dollars won’t cover rising costs or new compliance requirements. Agencies need to plan ahead, building cybersecurity into baseline budgets and creating multi-year funding strategies tied to risk assessments and maturity goals. Planning for sustainability now will help avoid scrambling when the next mandate or breach hits.

Building resilience

Cyber resilience means readiness. The Nationwide Cybersecurity Review shows agencies are making progress, but gaps remain in risk management, incident response testing, and disaster recovery. Resilience also means trust. Organizations like MS-ISAC and EI-ISAC stress the importance of sharing threat intelligence, running joint exercises, and communicating openly with the public.

Start treating cyber risk like any other enterprise risk. Assume disruptions will happen. Build recovery plans into budgets. Design processes and communication strategies that keep operations moving even under pressure.

Turning strategy into action with SHI

SHI helps public sector agencies turn strategy into measurable progress through assessments, including our Security Posture Review, aligned to NIST CSF 2.0, StateRAMP/GovRAMP, and sector-specific standards. These assessments identify gaps and produce prioritized roadmaps for modernization, zero trust, and incident response readiness.

Because staffing and funding challenges are structural, SHI offers managed and co-managed security services like 24/7 SOC operations, endpoint protection and response, vulnerability management, and SIEM tuning — all designed to integrate with existing teams instead of replacing them. Training is built in, so internal teams grow stronger over time.

On the funding side, SHI helps agencies navigate SLCGP requirements, identify grant opportunities, and align procurement strategies to funding timelines. Whether you need quick advisory guidance or hands-on support, we’re here to help.

A critical moment for public sector cybersecurity

The rise of AI-driven threats and the adoption of NIST CSF 2.0 create a narrow window where decisions will have long-term impact. The cost of inaction is rising, and under-resourced jurisdictions remain the most vulnerable link.

By modernizing infrastructure, investing in people, and planning for resilience, you can strengthen your agencies’ defenses and recover faster when incidents occur. And you don’t have to do it alone. With the right partners who understand public sector realities, you can balance risk and cost without chasing every new tech trend.

The question isn’t whether cyber risk will grow, it’s whether your organization will be ready. 2026 is the moment to act.
