As agencies prioritize modernization and efficiency, cloud adoption is quickly becoming the norm across the local, state, and federal government level. A new report by the Institute for Critical Infrastructure Technology (ICIT), conducted by CyberRisk Alliance’s Business Intelligence Unit and sponsored by Wiz, dives into the realities of this shift. 

Based on input from 154 IT and cybersecurity professionals across federal and state agencies, the findings paint a clear picture: the cloud era is here, but security and complexity remain key concerns. This transformation opens the door to faster operations, but also introduces new challenges in securing complex environments.

Agencies are moving to cloud—and fast 

84% of respondents said their agency has started migrating to the cloud, with 15% already post-migration. The top driver? Collaboration with partners. 65% cited better alignment with program partners as a key benefit of the cloud. 

And the potential impact goes beyond internal efficiency. Cloud adoption can help agencies deliver services more quickly and reliably—meeting rising expectations from the public and improving mission outcomes. 

But adoption isn’t without friction. 

Security concerns are slowing momentum 

Nearly half (49%) of respondents named data security as their biggest cloud challenge. And with the rise of sophisticated threats—ransomware, supply chain compromises, nation-state actors—government IT leaders are looking for stronger security strategies, not just more tools. 

Those security challenges are compounded by cloud complexity. 58% of agencies use six or more cloud providers, and nearly a third use ten or more. That fragmentation makes visibility difficult, and managing risk even harder. 

Agencies need trusted partners—not more noise 

The report reveals what public sector leaders are really looking for in cloud security partners: 

• 51% cited data security and privacy as a top priority 

• 39% pointed to staffing and resource constraints 

• 34% called out compliance and regulatory pressure 

They’re looking for platforms that help meet compliance requirements, reduce complexity, automate detection and response, and stay ahead of emerging threats like AI-powered attacks—without adding more overhead. 

Cloud security isn’t just about protection—it’s about resilience 

Cyber threats are growing more advanced, and public sector organizations are high-value targets. ICIT calls for a shift toward Digital Resilience, anchored in the “4 Rs”: resourcing, rehearsing, recovery, and response. It’s not just about preventing attacks, but about being prepared when—not if—they happen. 

At Wiz, we believe resilience starts with visibility and context. We recognize government teams need real-time, agentless visibility into their cloud environments, making it easier to spot misconfigurations, exposed assets, and unpatched vulnerabilities before attackers do. But these indicators of risk cannot just be thrown into another compliance report—they should be analyzed against the context of how workloads and cloud resources are connected, revealing toxic combinations, and allowing teams to prioritize remediation based upon the most critical issues within their cloud environments.  

Having a single solution to drive this contextual-based, prioritized remediation increases efficiency, reducing the need for multiple, siloed toolsets, and automating the analysis required for teams to understand the greatest risks to the operating environment. These same efficiencies can be extended to help agencies understand how emerging technologies like AI interact with their existing environments—highlighting risks, surfacing context, and building actionable paths forward.

Helping agencies meet the moment 

Cloud is changing how government works. And public sector leaders are embracing the shift. But modernization is not something that should target just technologies and processes, but also the metrics used to measure security. 

The NIST Risk Management Framework (RMF) emphasizes prioritizing remediation based on impact to a system’s confidentiality, integrity, and availability (CIA). By focusing on risk in proportion to its potential impact, agencies can move beyond isolated vulnerability findings and focus instead on toxic combinations of risk. This approach reduces noise and alert fatigue by grouping related issues into a single risk scenario—helping teams stay focused on what matters most. 

Wiz helps agencies put the RMF into practice by providing deep visibility into cloud environments and surfacing those toxic combinations of risk. Rather than overwhelming teams with raw findings, Wiz correlates vulnerabilities, misconfigurations, entitlements, and exposure paths to highlight impact to CIA. This context helps teams prioritize remediation based on real-world impact—reducing alert fatigue, improving resilience, and supporting compliance with NIST guidelines. 

Wiz is committed to supporting federal, state, and local agencies as they move to the cloud—helping them stay agile, resilient, and secure at every step. 

Download the full report here. To learn more about how Wiz is supporting government agencies in their cloud journey, visit: Wiz for Government