Public Sector Unprepared for AI-Powered Attacks, Report Finds

Report: Public Sector Defenses Outpaced by AI-Driven Cyberattacks and Supply Chain Risks

INFORMATIONAL
March 19, 2026
Policy and Compliance, Threat Intelligence, Phishing

Executive Summary

A new study released by cybersecurity firm LevelBlue on March 18, 2026, indicates that public-sector organizations are dangerously unprepared for the modern threat landscape. The report, which surveyed 200 tech leaders in state and local government and education (SLED), found that 29% suffered a security breach in the past year, and 46% are seeing a higher volume of attacks. Two critical weaknesses were identified: a lack of readiness for AI-powered attacks and poor visibility into supply chain risks. While 45% expect to face AI-enabled threats, only 28% feel prepared to defend against them. Furthermore, 44% of agencies admit to a lack of full visibility into their vendor and partner ecosystems, creating a massive blind spot for supply chain attacks.


Regulatory Details

This report analyzes the current security posture of the U.S. public sector (SLED). Key findings include:

  • Breach Frequency: 29% of SLED organizations experienced a security breach in the last 12 months.
  • Attack Volume: 46% reported an increase in the volume of cyberattacks.
  • AI Preparedness Gap: A significant gap exists between the expectation of facing AI-driven threats (45%) and the feeling of preparedness (28%).
  • Supply Chain Blind Spot: 44% of organizations lack full visibility into their supply chain, which is described as a persistent "Achilles heel."

Affected Organizations

The report focuses specifically on the public sector in the United States, including:

  • State government agencies
  • Local and municipal governments
  • Education institutions (K-12 and higher education)

These organizations are often under-resourced and manage large amounts of sensitive citizen data, making them attractive targets.

Impact Assessment

The lack of preparedness has direct consequences for public services and citizen data security.

  • Increased Vulnerability to Sophisticated Attacks: AI enables attackers to craft highly convincing phishing emails and business email compromise (BEC) campaigns at scale, which under-trained public-sector employees may struggle to identify.
  • Supply Chain Risk: Without visibility into vendor security, public agencies are exposed to breaches originating from their partners, as seen in numerous recent incidents. An attacker can bypass a well-defended agency by targeting a smaller, less secure vendor.
  • Disruption of Public Services: Successful attacks can disrupt essential government services, from city administration to school operations, impacting citizens directly.
  • Erosion of Public Trust: Each breach erodes the public's trust in the government's ability to protect their sensitive data.

Compliance Guidance

The report offers several high-level recommendations for public-sector leaders to address these gaps:

  1. Elevate Cybersecurity to an Executive Responsibility: Cybersecurity should not be siloed within the IT department. Agency leaders and elected officials must treat it as a core operational responsibility and be actively engaged in strategy and oversight.
  2. Improve Supply Chain Visibility: Organizations must proactively map their vendor ecosystem and conduct rigorous security assessments of all third-party partners. Security requirements should be baked into procurement and contract language.
  3. Continuous Workforce Training: With AI making social engineering more effective, continuous and adaptive security awareness training is more critical than ever. Training should include simulations of sophisticated, AI-generated phishing attempts.
  4. Adopt Modern Security Tools: Invest in security solutions that leverage AI for defense, helping to level the playing field. This includes advanced email security, EDR with behavioral analytics, and tools for monitoring third-party risk.

Timeline of Events

  1. March 18, 2026: LevelBlue releases its report on public-sector cybersecurity readiness.
  2. March 19, 2026: This article was published.

MITRE ATT&CK Mitigations

Implement continuous security awareness training to help employees recognize sophisticated, AI-enhanced phishing and social engineering attempts.

Develop a program to assess and manage third-party and supply chain risk, improving visibility into vendor security posture.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Public Sector, AI, Cybersecurity Report, Supply Chain Risk, Government, Education
