Full Report
From school districts to state agencies, 2025 cyber incidents were a wake-up call about asset visibility. Discover five actionable lessons SLG leaders can use to close the cyber exposure gap and move from reactive threat detection and response to proactive exposure management.

## Key takeaways

- Effective cyber defense in 2026 requires state and local government agencies (SLGs) to move beyond scheduled scans to continuous, real-time discovery of all managed and unmanaged digital assets.
- Consolidating data from siloed cybersecurity tools into a unified visibility layer helps security teams proactively identify the identity, cloud, and network weaknesses attackers are likely to exploit.
- The 2026 SLG cybersecurity blueprint should focus on identifying and remediating specific exposures that create viable attack paths.
- Shifting focus from reactive threat detection and response to unified exposure management helps SLGs mitigate risks before they escalate into breaches and cause disruption.

In 2025, cyberattacks against state and local governments (SLGs) reached an alarming scale. Publicly reported incidents impacted organizations in 44 U.S. states, disrupting critical services, exposing sensitive data, and straining already limited IT and security resources. From state, local, and education (SLED) to utilities and public safety agencies, the breadth of attacks made one thing clear: cyber risk is systemic.

While the tactics varied, the outcomes were strikingly consistent. Attackers exploited security blind spots. They moved laterally across fragmented environments. And in many cases, SLG agencies didn’t realize the true scope of exposure until attackers had already compromised their systems.

As state and local leaders look ahead to 2026, the most important question is not whether attacks will continue, but what lessons to apply now to reduce risk moving forward.

## The 2025 cyber snapshot for SLGs

The most significant cyber incidents of 2025 shared several common characteristics:

- Unknown or unmanaged assets exposed to the internet
- Unpatched vulnerabilities in legacy systems
- Misconfigured cloud services introduced during modernization efforts
- Decentralized environments with limited centralized oversight
- Delayed detection, allowing attackers to escalate privileges and expand impact

In many cases, agencies had security tools in place, but those tools operated in silos. Vulnerability scanners, endpoint detection and response tools, cloud security platforms, and identity systems all generated isolated signals, yet no unified view existed to connect them. This left security teams reacting to alerts rather than understanding how real risk moved through their environments.

The result was a widening cyber exposure gap between what agencies thought they had secured and where they actually had exposures.

Learn how to apply lessons learned to your 2026 cyber roadmap. Register for the "Bridging the Cyber Gap" webinar now.

## Why 2025 was a turning point for SLG cybersecurity

For years, state and local government organizations prioritized reactive cybersecurity approaches. Limited budgets, staffing shortages, and aging infrastructure made it difficult to move beyond compliance checklists and point-in-time security assessments.

But the 2025 attacks demonstrated that reactive security no longer matches the speed or sophistication of modern cyber threats.

Attackers don’t exploit single vulnerabilities in isolation. They chain together weaknesses across identity systems, endpoints, cloud workloads, and network infrastructure. They target what defenders can’t see, including the weaknesses they don’t realize are connected.

This is where many SLGs found themselves in 2025: responding to incidents without a clear understanding of how attackers gained access, where else they could move, or which exposures posed the greatest risk next.

## From vulnerability management to exposure management

While vulnerability management remains an essential foundation for cyber hygiene in any agency, the evolving threat landscape of 2026 requires building upon those basics with a comprehensive exposure management strategy. Rather than replacing vulnerability management, exposure management provides the critical visibility and context needed to scale security efforts across a diverse, modern attack surface.

Traditional vulnerability management answers an important question: Which vulnerabilities exist? Exposure management answers a more critical one: Which vulnerabilities actually put the organization at risk, and how could attackers exploit them?

A proactive exposure management approach focuses on:

- Complete asset visibility: Identifying known, unknown (shadow IT), on-prem, cloud, and remote assets
- Contextual risk prioritization: Understanding which exposures matter most based on exploitability and business impact
- Attack path analysis: Seeing how individual weaknesses connect across systems
- Continuous monitoring: Adapting as environments change, not just during scheduled scans

For state and local governments, this shift is especially important. Decentralized governance models, independent local agencies, and mixed infrastructure make it nearly impossible to manage cyber risk without a unified view.

Learn how to build a 2026 exposure management roadmap for SLGs. Register for the webinar now.

## 5 cyber lessons for SLG leaders in 2026

SLG leaders can use lessons learned from last year’s cyber incidents to drive action in 2026:

### 1. You can’t protect what you can’t see

In many of the most damaging cyber attacks, threat actors exploited assets agencies didn’t realize were exposed, including S3 buckets in the cloud and network devices on premises. Continuous asset discovery is no longer optional.

### 2. Cyber risk lives between tools

Siloed cloud, identity, OT, AI, and network security tools leave gaps attackers are happy to exploit. Attack surface visibility must extend into AI tools, across systems, teams, and environments, whether cloud or on-prem.

### 3. Decentralization requires central insight

Even when security operations are local, leadership needs centralized visibility into risk across agencies, counties, and districts.

### 4. Prioritization is everything

Security teams can’t fix everything, but they can fix what matters most using threat and business context.

### 5. Proactive beats reactive, every time

Agencies that proactively identify and close exposures dramatically reduce their risk.

## Preparing SLGs for 2026: Closing the cyber exposure gap

As state and local governments move into 2026, cloud adoption will expand, AI tools will introduce new risks, regulatory scrutiny will grow, and attackers will keep targeting the public sector.

The agencies best positioned to meet these challenges will be those that move beyond reactive defense and embrace exposure management as a whole-of-state cybersecurity strategy.

Bridging the cyber exposure gap doesn’t start with more tools. It starts with better visibility, richer context, smarter prioritization, and a proactive understanding of how risk truly exists across the environment.

The lessons of 2025 are clear. The opportunity in 2026 is to act on them.

Is your agency ready to build a proactive cybersecurity strategy for 2026? Join us at 2 p.m. ET Feb. 5 for our webinar, "Bridging the cyber gap: From 2025 hits to 2026 threats," where you can dive deeper into these SLG cyber trends and get a blueprint for a proactive defense.

Register now for the webinar.
Analysis Summary
# Best Practices: State and Local Government (SLG) Exposure Management
## Overview
These practices address the "cyber exposure gap" identified in 2025, moving State and Local Government (SLG) agencies from reactive threat detection to proactive exposure management. The goal is to eliminate security blind spots caused by unmanaged assets, siloed tools, and fragmented environments across decentralized agencies.
## Key Recommendations
### Immediate Actions
1. **Perform Internal/External Asset Discovery:** Identify all internet-facing assets, including forgotten S3 buckets, cloud instances, and network devices.
2. **Audit "Shadow IT":** Locate unmanaged digital assets and AI tools introduced without IT oversight.
3. **Patch Critical Legacy Vulnerabilities:** Prioritize unpatched vulnerabilities in legacy systems that are known to be exploited in the public sector.
### Short-term Improvements (1-3 months)
1. **Break Down Tool Silos:** Consolidate data from vulnerability scanners, Endpoint Detection and Response (EDR), and identity systems into a single visibility layer.
2. **Implement Attack Path Analysis:** Move beyond simple lists of vulnerabilities to map how an attacker could move laterally from a cloud misconfiguration to a sensitive database.
3. **Centralize Reporting:** Establish a unified dashboard for leadership to view risk across different counties, districts, or sub-agencies.
### Long-term Strategy (3+ months)
1. **Transition to Continuous Monitoring:** Replace scheduled, point-in-time scans with real-time, continuous discovery and assessment.
2. **Adopt a "Whole-of-State" Strategy:** Align local agency security operations with state-level visibility to ensure consistent protection across the entire public sector ecosystem.
3. **Integrate Business Context into Prioritization:** Rank remediation efforts based on the criticality of the service (e.g., emergency services vs. administrative archives) and the likelihood of exploitation.
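
As an added illustration of the recommendations above (a single visibility layer, attack path analysis, and business-context prioritization), not code from the source report or from any vendor product: the Python example below merges findings from three siloed tools, finds the path from the internet to each critical service, and ranks exposures by the service they lead to. All asset names, reachability edges, and criticality scores are constructed assumptions.

```python
from collections import deque

# Constructed sample exports from three siloed tools: (asset, weakness).
SCANNER = [("web-portal", "unpatched legacy CMS"), ("print-server", "old firmware")]
CLOUD = [("storage-bucket", "public read access")]
IDENTITY = [("svc-backup", "over-privileged service account")]
# Constructed reachability map: which asset can reach or authenticate to which.
EDGES = {
    "internet": ["web-portal", "storage-bucket"],
    "web-portal": ["hr-archive"],
    "storage-bucket": ["svc-backup"],  # backup credentials left in the bucket
    "svc-backup": ["dispatch-db"],
}
# Business context: service criticality (emergency dispatch vs. admin archive).
CRITICALITY = {"dispatch-db": 10, "hr-archive": 3}

def unify(*sources):
    """Merge per-tool findings into one asset -> [weaknesses] view."""
    view = {}
    for source in sources:
        for asset, weakness in source:
            view.setdefault(asset, []).append(weakness)
    return view

def attack_path(view, target, start="internet"):
    """Shortest path from start to target that only crosses exposed assets."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for nxt in EDGES.get(path[-1], []):
            if nxt == target:
                return path + [nxt]
            if nxt in view and nxt not in seen:  # a weakness is needed to pivot
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def prioritize(view):
    """Rank exposed assets by the most critical service they lead to."""
    score = {asset: 0 for asset in view}
    for target, weight in CRITICALITY.items():
        for hop in attack_path(view, target) or []:
            if hop in score:
                score[hop] = max(score[hop], weight)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for asset, weight in prioritize(unify(SCANNER, CLOUD, IDENTITY)):
        print(weight, asset)
```

In this constructed data, the public bucket and the service account outrank the unpatched print server even though only the scanner would flag the latter as a vulnerability, because they sit on the only path to the dispatch database; closing the bucket exposure removes that path entirely.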
## Implementation Guidance
### For Small Organizations (School Districts, Small Towns)
- **Focus on Visibility:** Prioritize knowing what is on your network over buying complex new tools.
- **Hygiene First:** Focus on securing cloud misconfigurations and unpatched internet-facing devices.
### For Medium Organizations (Counties, Utilities)
- **Tool Consolidation:** Integrate existing identity and cloud security platforms to see "between the tools."
- **Prioritize Vulnerabilities:** Use threat intelligence to fix only what is actively being exploited in the wild to save limited manpower.
### For Large Enterprises (State Agencies, Major Cities)
- **Exposure Management Platform:** Deploy a unified platform that covers Cloud, OT/IoT, Identity, and AI.
- **Decentralized Governance/Centralized Insight:** Allow local control over remediation while maintaining a centralized "Single Pane of Glass" for state CISO oversight.
## Configuration Examples
*While specific technical code was not provided in the source text, the following high-level configurations are recommended:*
- **Cloud Security:** Verify that all S3 buckets and cloud storage are set to "Private" by default.
- **Identity:** Configure Identity Exposure tools to alert on privilege escalation attempts and lateral movement patterns.
- **Scanning:** Adjust vulnerability scanner configurations from "Monthly/Quarterly" to "Triggered/Continuous."
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Aligns with "Identify" and "Protect" functions through asset management and risk assessment.
- **CIS Controls:** Supports Inventory and Control of Enterprise Assets (Control 1) and Vulnerability Management (Control 7).
- **Whole-of-State Models:** Align with emerging state-level regulatory mandates for centralized cybersecurity oversight.
## Common Pitfalls to Avoid
- **Point-in-Time Scans:** Relying on monthly reports that miss new exposures introduced in between scans.
- **The "Tool Overload" Trap:** Adding more security tools without integrating them, which creates more siloed data and noise.
- **Focusing on "Low-Risk" Vulnerabilities:** Wasting resources fixing thousands of vulnerabilities that have no viable attack path to critical data.
- **Ignoring AI Risks:** Failing to monitor the introduction of AI tools within the agency environment.
## Resources
- **Tenable One Exposure Management Platform:** hxxps://www.tenable[.]com/products/tenable-one
- **NIST Asset Management Guidelines:** hxxps://www.nist[.]gov/cyberframework
- **SLED Cyber Resilience Documentation:** hxxps://www.tenable[.]com/exposure-management/resource-center