A new SANS Institute survey has found that only one in three government cybersecurity programs is fully funded, with chronic staffing shortfalls compounding risk to critical infrastructure amid rising threat activity. The findings, published in the SANS 2026 Cybersecurity Readiness in Government Survey, reveal a widening gap between agencies' documented security strategies and their operational capacity to execute them - a gap that report author Ryan Nicholson describes as the point where modernization efforts stall.

Background

Public agencies face mounting pressure to modernize aging IT infrastructure, adopt zero-trust architectures, and expand threat monitoring capabilities, driven by a series of high-profile intrusions targeting government systems and critical infrastructure. This modernization push has coincided with new and expanded regulatory demands, including frameworks that carry direct enforcement consequences.

Despite that urgency, structural barriers within government - including protracted hiring processes, compensation gaps relative to the private sector, and mandatory security clearance requirements - have persistently constrained talent pipelines. A parallel SANS workforce report, released in early 2026 and covering nearly 1,000 global practitioners, found that skills gaps have decisively overtaken headcount shortages as the primary workforce challenge, with 60% of organizations identifying capability deficits as the greater problem. An earlier analysis of how these OT-focused capability gaps threaten critical infrastructure can be found in SANS 2026 Flags OT Cybersecurity Workforce Gaps as Critical Risk.

Details

The government-specific findings are stark. Only one in three government cybersecurity initiatives is fully funded, despite mounting pressure from evolving cyber threats and operational demands. 63% of respondents cite budget limitations as their primary obstacle, forcing security leaders into hard trade-offs on which risks to address.

Staff training and awareness (41%) and threat detection and response (40%) are the most resource-constrained functions, and more than half of organizations struggle to recruit and retain qualified cybersecurity talent. Government entities face compounding structural barriers: lengthy hiring processes, private-sector pay competition, and security clearance requirements that narrow the eligible candidate pool.

The execution deficit is particularly acute. While 55% of organizations report a fully implemented strategy, only 22% rate themselves as capable of executing it at scale - the gap between having a plan and having the capacity to act on it is where most programs stall. As Nicholson stated in the report's release, "Converting governance into working capability is where efforts stall."

Outdated infrastructure, disconnected systems, and slow procurement processes prevent full integration of security tools across government environments, leaving organizations with multiple independent measures in place of a coordinated defense.

The implications extend beyond individual agencies. Staffing constraints directly undermine core security functions such as threat detection, incident response, and security monitoring - all of which depend on skilled analysts to interpret alerts and coordinate responses. Separate SANS workforce data reinforces the severity: 27% of organizations across sectors have experienced actual security breaches as a direct result of workforce capability gaps, while skills shortages drive delayed projects (57%), increased team burnout (47%), and slower incident response (47%) according to the broader 2026 report.

Regulatory pressure is simultaneously intensifying hiring demands. 68% of organizations now experience moderate to extreme impact from regulations on hiring, while 95% report some level of regulatory influence overall - a sharp increase from 40% in 2025. For agencies subject to frameworks such as the Cybersecurity Maturity Model Certification (CMMC) and updated federal zero-trust mandates, non-compliance carries direct operational and legal consequences.

The time-to-hire problem sharpens the risk further. Around 55% of senior roles take six months or longer to fill, while 38% of expert roles remain open for over a year - delays that translate directly into prolonged exposure, particularly in energy, manufacturing, and utilities, where threat actors are increasingly active.

Outlook

The 2026 Cybersecurity Readiness in Government Survey points to persistent concerns about government agencies' ability to sustain effective cyber defense as threat activity and infrastructure complexity continue to grow. Some governments have moved to address pipeline constraints through targeted programs - the U.S. CyberCorps® Scholarship for Service program, for example, offers tuition funding for students who commit to federal cyber roles - but these initiatives still suffer from limited reach, inconsistent standards, and slow curriculum updates. The SANS report suggests that agencies prioritizing measurable skills validation, internal upskilling investment, and managed security service partnerships are best positioned to close the gap between policy intent and operational readiness.