State CISO Confidence Drops From 48% to 22%, NASCIO-Deloitte 2026 Study Finds

State CISO confidence has dropped from 48% to 22% in four years. That is the headline finding of the 2026 NASCIO-Deloitte Cybersecurity Study, which surveyed the chief information security officers of all 50 states, the District of Columbia and the U.S. Virgin Islands on their ability to protect public data.

  • Only 22% of state CISOs express high confidence in their ability to protect public data, down from 48% in 2022 — a 26-point collapse
  • 78% cite third-party breaches as the largest anticipated threat; 55% flag AI-enabled attacks
  • 16% reported budget reductions in 2026, versus zero reported budget declines in 2024
  • The Trump administration moved the Multi-State Information Sharing and Analysis Center (MS-ISAC) from federal funding to a fee-based membership model

What the 2026 NASCIO-Deloitte Study Finds: State CISO Confidence at a Four-Year Low

The 26-percentage-point drop in state CISO confidence is the study’s headline figure, but the detail beneath it tells a more specific story: the state CISO cohort is simultaneously contending with deteriorating infrastructure, AI-driven threat vectors, shrinking federal support, and a local government supply chain they do not control.

The confidence collapse in local government and higher education is even sharper. The share of state CISOs who describe themselves as “not very confident” in local government’s ability to secure public data jumped from 35% in 2022 to 63% in 2026. With 43% of state CISOs now doubting local government cyber practices, more states are evaluating whole-of-state cybersecurity — a centralized approach that extends state-level security support to municipalities and schools. “A stronger whole-of-state orientation could help municipalities defend against cyber threats that could also affect state systems,” the NASCIO-Deloitte report states.

Nearly all survey respondents say their states are developing generative AI strategies, policies and best practices. Eighty-four percent of state CISOs are involved in generative AI strategy development. But the same AI adoption creates new exposure: vendors are embedding AI capabilities into existing products without sufficient transparency, one CISO told researchers, leaving states “in a reactive position” before they can assess the risk or apply governance frameworks.

Why State CISO Confidence Is Falling Despite Increased AI Adoption Across State Governments

The state CISO confidence decline is a compound failure, not a single-cause event. Three pressures converged in the 2022-to-2026 window: more sophisticated threats, less federal support, and the same aging infrastructure that earlier NASCIO studies identified as a persistent vulnerability.

The federal funding withdrawal is the structural change that makes the other two harder to manage. The Trump administration converted the MS-ISAC — a federally funded threat intelligence and incident response resource for state and local governments — to a fee-based membership model. Many state CISOs said they received funding from the State and Local Cybersecurity Grant Program but cited challenges with application requirements, short program time frames and funding levels. States are now relying less on federal support at precisely the moment that AI-enhanced attack capability is expanding.

Budget data reinforces the squeeze. Only 22% of state CISOs reported budget increases of 6% or more, down from 40% two years ago. Sixteen percent reported outright budget reductions. The combination — more sophisticated threats, less federal backstop, flat or declining budgets — is the arithmetic behind the state CISO confidence collapse.

Four Actions State CISOs Can Take to Rebuild Confidence in Public-Sector Cyber Programs

The NASCIO-Deloitte study’s findings point toward four concrete responses, each addressing one of the compound pressures the 2026 data surfaces.

Prioritize whole-of-state cybersecurity governance this fiscal year. The study finds 43% of state CISOs already lack confidence in local government cyber practices. Extending state security support to municipalities and school districts reduces the attack surface that state agencies share with local entities. States that have deployed centralized security operations capabilities to county and municipal governments have reduced the blast radius of local-government incidents affecting state systems.

Build AI governance frameworks before vendors build them for you. The NASCIO-Deloitte report documents a specific mechanism: vendors embedding AI capabilities into existing products “without sufficient transparency or state-level control.” A state AI governance policy that requires vendor disclosure of AI capabilities before procurement approval, and mandates risk assessment before deployment, closes the window between AI activation and policy response.

Audit federal program dependencies and budget for fee-based alternatives now. The MS-ISAC transition from federal funding to fee-based membership is the most operationally immediate change the 2026 study surfaces. State CISOs who have not yet recalculated their threat intelligence and incident response budget should assume no federal subsidy is permanent.

Use the metrics implementation priority as a governance anchor. Half of the state CISOs surveyed named implementing effectiveness metrics as their top 2026 initiative, up from 25% in 2024 and 15% in 2022. Metrics create the structured evidence base for budget arguments and legislative appropriations requests. For the 22% who still report high confidence, the metrics discipline is what keeps that confidence grounded in evidence, and for the remaining 78%, it is the first step toward reclaiming it.

Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
