Federal cybersecurity leaders say agencies are struggling to keep pace with the growing attack surface, with new MeriTalk research showing that discovery is outpacing agencies’ abilities to prioritize and remediate risks.
According to the report, Discover, Prioritize, Action: The State of Federal Asset and Exposure Management, 94% of federal cybersecurity leaders report exposure management challenges, with 60% saying their agency’s attack surface is expanding faster than their ability to track it.
The research, underwritten by Axonius Federal Systems, highlights a widening gap between discovery and action. Sixty-one percent of respondents say the handoff between discovery, prioritization, and remediation is a major bottleneck, and just 30% say their agencies are very effective at moving from identification and prioritization to timely remediation.
The findings also highlight data and context gaps that limit mission-driven security operations. Ninety-five percent of respondents said they are somewhat or very confident they have a comprehensive asset inventory, but only 13% said inventories are updated daily or in near-real time. More than half – 53% – said inventories are reconciled monthly or less often. Sixty-two percent of cyber leaders say they spend more time reconciling data across tools than acting on it.
For exposure prioritization, 77% say their process relies more on compliance requirements than mission risk. Only 13% say they have all the context they need to prioritize exposures effectively, with mission impact, exploitability, and accurate asset ownership cited as the hardest context to obtain or trust.
On the remediation side, federal agencies continue to rely heavily on traditional processes. Sixty percent of respondents said they use IT service management ticketing systems to remediate security exposures, while 53% pointed to manual remediation by IT or security teams. Just 28% said they orchestrate remediation through an automation platform. Only half of respondents said their agencies have defined timelines for remediating all high-risk exposures.
The report points to signs of how agencies are working to close the gap.
Thirty-nine percent of respondents say they actively use Continuous Threat Exposure Management, or CTEM, to shape their practices, while another 55% are exploring it or applying select principles. More than half, 58%, say their agency has adopted artificial intelligence (AI) for security operations in some capacity, though most maintain human approval before AI-driven recommendations trigger action.
Looking ahead, federal cyber leaders said their top priorities are strengthening cross-team coordination and accountability, improving exposure prioritization based on mission impact, and increasing visibility across contractor- or integrator-managed systems.
When asked what would most accelerate timely action on exposures, respondents said improved coordination between security, IT, and mission teams (57%), followed by faster approvals (48%) and clearer ownership across teams (45%).
MeriTalk, in collaboration with Axonius Federal Systems, surveyed 100 federal cybersecurity leaders across federal civilian agencies, the Department of Defense – rebranded as the Department of War by the Trump administration – and intelligence agencies in January 2026.
Read the full report here: https://www.meritalk.com/study/the-state-of-federal-asset-and-exposure-management/