Whole-of-state cyber defense: How AI-driven security helps US states protect what matters most

Summary
- State and local governments in the United States face growing cyber threats, but security resources are uneven across agencies.
- A whole-of-state security model enables shared visibility, coordination, and resilience without sacrificing data sovereignty.
- AI-driven security analytics help understaffed teams detect real threats faster and operate at scale.
- Open, distributed architectures make it possible to protect citizen services while controlling cost and complexity.
Why are US states rethinking how they defend against cyber threats?
Short answer: Because attackers exploit fragmentation faster than governments can respond
This shift toward collective cyber defense is a cornerstone of the new federal vision. The March 2026 National Cyber Strategy for America explicitly calls for a "new level of relationship between the public and private sectors" and demands "unprecedented coordination across government" to protect the American people. By prioritizing the "security and resilience of the systems that underpin our military, intelligence, and civilian enterprises," the strategy signals that local and state security is no longer an isolated concern; it is a matter of national economic and social prosperity.
State governments today oversee a vast and diverse ecosystem, including executive agencies, counties, cities, school districts, higher education, and public safety organizations. Each plays a critical role in delivering citizen services, yet many operate with different tools, staffing levels, and security maturity.
Attackers understand this imbalance. Rather than targeting the most mature state systems directly, they often compromise smaller, under-resourced entities first, using them as entry points into larger environments.
This reality is driving a shift toward a whole-of-state cybersecurity approach.
What is a whole-of-state cybersecurity model?
Short answer: A collaborative security strategy that treats the entire state ecosystem as a shared defensive perimeter
Traditionally, state agencies, local municipalities, and school districts have operated as individual "islands" of security. A whole-of-state approach breaks down these silos, allowing shared threat intelligence, unified tooling, and coordinated incident response.
Instead of every agency or district operating independently, states coordinate tooling, visibility, and response across jurisdictions. Larger state security teams can share capabilities and expertise with smaller local entities, raising the baseline of protection for everyone.
The result is a move from fragmented defense to collective resilience.
This model is increasingly supported by federal frameworks. For instance, the CISA State Cybersecurity Governance Case Studies (2026) highlight how states like Georgia and Virginia have successfully used formal governance structures to manage cyber risk as a collective strategic priority. These studies demonstrate that by establishing clear policies and shared resources, states can protect the most vulnerable local entities without infringing on their operational independence.
Why does the weakest link matter in public sector security?
Short answer: Because cyber defense is only as strong as its most vulnerable endpoint
This isn't just a theoretical risk. Recent analysis from Deloitte (2026), Whole-of-state cybersecurity: Protecting the public information ecosystem, reveals that cybercriminals are increasingly bypassing hardened state data centers to target "cyber-underserved" entities. These include K-12 districts and small municipalities that serve as the front doors to a state's digital ecosystem. These entities often lack the budget for elite defense, yet they are connected to the same vital networks. This creates a vast and vulnerable attack surface that Deloitte identifies as the single greatest challenge to statewide resilience.
A breach in any one of these organizations can disrupt statewide services or expose sensitive citizen data. A whole-of-state model addresses this risk by enabling:
- Shared detection and response: Threats are identified early, before they can move laterally through the network.
- Coordinated action: Organizations move away from siloed incident handling toward a unified defense posture.
- Consistent protection: Security standards remain high regardless of an individual agency's size or budget.
When one organization is protected, the entire ecosystem benefits.
How does a whole-of-state approach protect citizen services?
Short answer: By enabling real-time coordination before incidents become crises
Cyber incidents in the public sector are not abstract IT problems. They can halt 911 dispatch, delay emergency response, close schools, or expose student and citizen personally identifiable information (PII).
With shared visibility and standardized workflows, security teams can:
- Detect attacks as they propagate across agencies
- Coordinate response across state and local boundaries
- Keep essential services running during incidents
This operational alignment is critical for maintaining public trust.
Can states achieve economies of scale without sacrificing autonomy?
Short answer: Yes, but only with the right architecture
Pooling resources does not mean forcing every agency into a single, centralized system. Modern whole-of-state strategies rely on distributed architectures that balance efficiency with governance.
This enables:
- Reduced tool sprawl and licensing redundancy
- Lower operational complexity
- Better use of taxpayer and tuition dollars
At the same time, agencies retain control over their own data and policies.
Why do distributed security architectures matter for state governments?
Short answer: Because sensitive data cannot always be centralized
Traditional security information and event management (SIEM) platforms often require moving large volumes of log data into a central repository. For state governments, this can introduce massive costs, data egress fees, and complex compliance risks.
A distributed data mesh approach allows teams to search and analyze data where it already resides while still providing statewide visibility. This reflects the current federal gold standard. For example, the CISA Continuous Diagnostics and Mitigation (CDM) Program uses Elastic to enable CISA to access federal agencies’ cybersecurity data via a unified dashboard without moving that data or removing ownership from the originating agency.
By adopting this same architecture, states can achieve:
- Data sovereignty: Keeping sensitive student or citizen data within its originating department to satisfy local privacy mandates
- Policy-aware access controls: Ensuring that shared visibility is always aligned to jurisdictional and agency boundaries
- Affordable long-term retention: Supporting strict mandates like M-21-31 by using searchable "frozen" data tiers rather than relying on expensive, inaccessible cold storage
This architecture makes collaboration possible without compromising the privacy, governance, or budgets of individual agencies.

Why does open security matter in a whole-of-state strategy?
Short answer: Because whole-of-state cyber defense requires integration across agencies without forcing uniform tools or vendor lock-in
State and local organizations operate with different budgets, policies, and legacy systems. An open security model enables collaboration by allowing agencies to participate without abandoning existing investments.
Open security enables:
- Vendor-agnostic data ingestion, so agencies can share security signals regardless of existing tools
- Standards-based integrations, allowing systems to work together across jurisdictions
- Community-driven detections, providing transparency instead of opaque black-box analytics
For state, local, and education (SLED) organizations, openness reduces long-term risk, preserves agency autonomy, and makes sustained statewide collaboration achievable.
How does AI become a force multiplier for understaffed security teams?
Short answer: By helping teams focus on what matters most
State CISOs consistently cite staffing shortages as one of their biggest challenges, but the strategy for solving this has shifted. According to the NASCIO Top 10 Priorities for 2026, artificial intelligence has officially overtaken cybersecurity as the number-one policy priority for State CIOs for the first time in over a decade. This signals a transition from seeing AI as a future trend to treating it as the primary operational tool for managing risk across the state ecosystem.
In security operations, this includes:
- Alert triage, correlating hundreds of alerts into a small number of high-confidence incidents
- Guided investigation, reducing noise and analyst fatigue
- Faster response, enabling teams to act before threats escalate
By shifting analysts from triage to decision-making, AI extends the reach of limited teams.
Can AI-driven security be used responsibly in the public sector?
Short answer: Yes, when the AI system uses context engineering to ground every output in verified, local data.
Public sector organizations face strict privacy and compliance requirements, which is why a one-size-fits-all approach to AI often fails. To maintain trust, agencies are moving toward context engineering. Rather than relying on simple prompts, context engineering is the technical discipline of dynamically assembling the right data, policy guardrails, and institutional knowledge for AI in real time.
With this approach, the system ensures that:
- Policy is enforced at the data layer: AI only "sees" the context it is authorized to access, so redaction and PII protections are absolute.
- Institutional memory is preserved: AI draws from past incident reports and state-specific standard operating procedures (SOPs), reducing the hallucinations common in generic models.
- Sovereignty is maintained: Because context is assembled dynamically from your own secure data stores, sensitive information is never used to train public models.
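The two ideas above, policy-aware access aligned to agency boundaries (the data-mesh section) and context assembled only from authorized, redacted data (this section), can be shown in one small assembler. This is an added example, not code from Elastic or this post; the records, agency names, sharing labels and PII patterns are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records standing in for per-agency data stores (not real data).
RECORDS = [
    {"id": "r1", "agency": "county-a", "sharing": "statewide",
     "text": "Phishing wave hit county-a payroll; contact jdoe@county-a.example for details."},
    {"id": "r2", "agency": "county-a", "sharing": "local",
     "text": "Employee SSN 123-45-6789 appeared in a leaked spreadsheet."},
    {"id": "r3", "agency": "school-b", "sharing": "statewide",
     "text": "Ransomware note on student information server, isolated at 09:40."},
    {"id": "r4", "agency": "state-soc", "sharing": "local",
     "text": "Internal SOP: escalate any multi-agency campaign to the state CISO."},
]

# Hypothetical redaction rules; a real deployment would use the agency's own PII policy.
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

@dataclass
class Requester:
    agency: str                              # agency the analyst belongs to
    scope: set = field(default_factory=set)  # other agencies it may read locally

def is_authorized(record, requester):
    """Policy at the data layer: 'statewide' records are visible to every
    participant; 'local' records stay with their own agency unless the
    requester has been explicitly scoped to that agency."""
    if record["sharing"] == "statewide":
        return True
    return record["agency"] == requester.agency or record["agency"] in requester.scope

def redact(text):
    """Replace PII matches with a labelled marker before the text reaches the model."""
    for label, pat in PII_PATTERNS.items():
        text = pat.sub(f"[{label} REDACTED]", text)
    return text

def assemble_context(records, requester):
    """Return (chunks, excluded_ids): the authorized, redacted context for the
    model, plus the ids that policy kept out, for audit."""
    chunks, excluded = [], []
    for rec in records:
        if not is_authorized(rec, requester):
            excluded.append(rec["id"])
            continue
        chunks.append(f"[{rec['agency']}/{rec['id']}] {redact(rec['text'])}")
    return chunks, excluded
```

The excluded-id list is what an auditor would review to confirm the model never received cross-jurisdiction local data.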
What does whole-of-state cyber defense enable long term?
Short answer: A whole-of-state strategy is not just about better tools; it is about fundamentally changing how governments defend themselves.
By combining open, distributed architectures with AI-driven security analytics, states can align with the vision set forth in President Trump’s Cyber Strategy for America (March 2026). This national framework prioritizes the rapid adoption of agentic AI to autonomously detect, divert, and deceive threat actors at scale. For state leaders, this enables a shift from reactive firefighting to a proactive, coordinated defense that can:
- Extend protection to under-resourced agencies: Bringing elite, AI-powered defense to small towns and school districts that cannot hire dedicated security teams
- Improve resilience against coordinated attacks: Identifying patterns across the entire state ecosystem to stop a multi-pronged campaign before it spreads
- Operate more efficiently despite staffing constraints: Automating routine triage so human analysts can focus on high-level strategy and recovery
- Protect the services and data citizens rely on every day: Ensuring that critical infrastructure remains resilient against increasingly sophisticated foreign threats
In an environment where threats move faster than traditional bureaucratic boundaries, collective defense is no longer optional; it is a matter of national security and economic survival.
Frequently asked questions
What is whole-of-state cybersecurity?
A collaborative security model where state, local, and education organizations share visibility, tooling, and response capabilities to defend the entire ecosystem.
Why are small agencies often targeted first?
Attackers exploit limited staffing and weaker defenses in smaller organizations to gain access to larger state systems.
Does whole-of-state security require centralizing all data?
No. Modern approaches use distributed architectures that allow data to remain within its originating agency while still enabling shared analysis.
How does AI help public sector security teams?
AI automates alert correlation, investigation, and response guidance, allowing small teams to operate more effectively.
Learn more
- The AI arms race in cybersecurity: Why your SOC needs to evolve now
- Elastic named a Leader in The Forrester Wave™: Security Analytics Platforms, Q2 2025
- Public Sector Guide to Cybersecurity in the AI Era
- The Texas A&M University System protects students, emergency responders, and leading research institutions with Elastic Security
The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.
In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.