Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.

Jul 09 2026
Security

Why Attack Surface Management Is Becoming a Priority for State and Local Governments

Continuous visibility helps agencies discover unknown assets, reduce cyber risk and strengthen resilience before adversaries strike.

As state and local governments continue expanding cloud services, citizen-facing applications and AI initiatives, cybersecurity leaders face a growing challenge: understanding exactly what assets are exposed to potential attackers.

That challenge is driving increased interest in attack surface management (ASM), a cybersecurity discipline focused on continuously discovering, monitoring and securing internet-facing assets before they can be exploited.

For government organizations operating complex and decentralized technology environments, visibility has become one of the most important components of cybersecurity.

“Attack surface management proactively and continuously discovers, maps and secures an organization’s internet-facing digital footprint from an attacker’s perspective,” says Liat Hayun, senior vice president of product management and research at Tenable.

Robert Sheldon, senior director of public policy and strategy at CrowdStrike, says ASM has emerged as organizations grapple with the reality that traditional network boundaries are disappearing.

“The perimeter of networks and, really, the other traditional boundaries of networks are dissolving over time,” Sheldon says. “There’s no longer a clear differentiation for what’s external facing and what’s internal facing as there once was.”

Click the banner below for guidance on preparing for the next era of cyber resilience. 

 

What Is Attack Surface Management?

ASM is a continuous cybersecurity discipline that focuses on identifying the systems, services and digital assets that attackers can potentially access from outside an organization.

Hayun says ASM extends beyond traditional asset discovery by uncovering vulnerabilities, misconfigurations, shadow IT, shadow AI and third-party exposures that may otherwise remain hidden.

“Attackers gain initial access largely through internet-facing assets, including public-facing IP addresses, domains, third-party integrations, cloud services and web apps,” Hayun says.

That attacker-focused perspective is one reason ASM has gained traction among government cybersecurity leaders.

Sheldon says the discipline reflects a broader shift in cybersecurity strategy as organizations seek visibility across increasingly distributed environments.

“External attack surface management is one that makes sense,” Sheldon says. “It captures basically internal vulnerability management and external internet exposure.”

For state and local governments, the ability to understand what is exposed to the public internet has become increasingly important as agencies adopt more cloud services, digital applications and connected technologies.

How Does ASM Differ From Traditional Vulnerability Management?

While ASM and vulnerability management are closely related, the two disciplines address different aspects of cybersecurity risk.

Traditional vulnerability management focuses on known systems. Security teams scan assets they already manage and work to remediate known vulnerabilities.

Attack surface management starts with discovery.

Hayun says vulnerability management focuses on scanning known internal assets for Common Vulnerabilities and Exposures, while ASM actively searches for unknown internet-facing assets across an organization’s external perimeter.

“The two approaches are complementary,” Hayun says. “Doing only one is the equivalent of locking your doors but leaving your windows open.”

Sheldon says the distinction between the disciplines has evolved over time.

“I think you could view attack surface management as having consumed a lot of what was traditionally vulnerability management,” Sheldon says.

Rather than treating internal and external exposures separately, organizations increasingly want a unified view of risk across their environments, he says. That means understanding not only what vulnerabilities exist but also what assets are exposed and how attackers might exploit them.

READ MORE: Cities must consider operational technology when assessing their attack surface.

Why Do State and Local Agencies Have Uniquely Challenging Attack Surfaces?

Every organization faces visibility challenges, but state and local governments often contend with particularly complex environments.

Hayun says public sector organizations frequently operate modern cloud services and AI technologies alongside decades-old legacy systems. At the same time, agencies and departments often procure and manage technology independently, creating significant visibility gaps.

“State and local government environments face deep structural challenges that complicate asset visibility,” Hayun says.

Sheldon points to the scale and federated nature of government environments as another challenge.

“This is the type of problem within cybersecurity that often gets more challenging the larger your scale is,” Sheldon says.

Different agencies may have different technology stacks, procurement histories and operational requirements while still relying on shared cybersecurity resources, he says. As a result, maintaining visibility across the entire environment can be difficult even for well-resourced IT teams.

For cybersecurity leaders, however, visibility remains essential.

“Visibility is the foundational thing that security practitioners need to attain,” Sheldon says. “Without that, you really have a challenging time understanding a full story of what attacks might be targeting you at any moment in time.”

 

Liat Hayun
State and local government environments face deep structural challenges that complicate asset visibility.”

Liat Hayun Senior Vice President of Product Management and Research, Tenable

 

Core ASM Capabilities: Discovery, Monitoring, Prioritization and Remediation

Although ASM platforms vary, most programs are built around four core functions: discovery, monitoring, prioritization and remediation.

Discovery

The first objective is identifying internet-facing assets. That includes public IP addresses, domains, cloud resources, web applications and third-party services.

But discovery alone does not reduce risk.

Monitoring

“Finding external assets is only one step,” Hayun says. “True risk reduction requires a platform that uses ASM as a data source to understand exactly where an organization is exposed.”

Through continuous networking monitoring, ASM makes it possible to proactively flag new potential threat vectors so they can be immediately evaluated.

Prioritization

Hayun says organizations should look for ASM capabilities that connect external discoveries with broader security data, allowing teams to understand which exposures pose the greatest risk.

Prioritization is becoming increasingly important as security teams face growing volumes of vulnerabilities and exposures.

Sheldon says organizations should seek platforms that incorporate threat intelligence and AI-driven analysis to help determine which issues require immediate attention.

“If you have the use of AI there, that can sort of inform that decision,” Sheldon says. “If you have the use of threat intel, you might be able to bring in real-time insight about what’s being exploited in the wild.”

Remediation

Ultimately, ASM is intended to help organizations focus remediation efforts on the risks most likely to impact operations. Remediation therefore becomes an ongoing, proactive effort to manage and mitigate risks rather than responding to incidents once they occur.  

Continuous ASM: Moving From Point-in-Time Audits to Always-On Visibility

Historically, organizations often relied on periodic audits and security assessments to evaluate their exposure.

That approach is becoming increasingly difficult to sustain.

Cloud resources can be deployed in minutes, new applications can appear without centralized oversight and third-party services can introduce new risks at any time.

Hayun says organizations should prioritize “continuous discovery and active tracking across all internet-facing assets” rather than relying solely on periodic reviews.

Continuous monitoring provides a more accurate picture of risk as environments evolve, she says.

Sheldon similarly argues that visibility cannot be treated as a one-time exercise.

“Visibility is the foundational thing that security practitioners need to attain,” Sheldon says.

For state and local governments, continuous ASM provides a way to maintain awareness of a constantly changing technology environment while reducing the likelihood that unmanaged or forgotten assets remain exposed for extended periods.

LEARN MORE: Intelligent asset management platforms boost government cyber resilience. 

How Can Government Agencies Get Started With ASM?

Organizations beginning their ASM journey should start with visibility.

“Initially, the focus should be entirely on external discovery and building an asset inventory,” Hayun says.

Once agencies establish a baseline understanding of their internet-facing footprint, they can begin integrating ASM findings into existing vulnerability management and security operations processes.

Hayun says organizations should move beyond simple discovery and use that visibility to prioritize remediation efforts and strengthen broader exposure management programs.

Sheldon recommends evaluating organizational maturity, researching available platforms and considering how ASM fits into broader modernization initiatives.

“It’s worth doing some market research to understand what tools have the attributes” organizations need, Sheldon says.

He also encourages government leaders to consider how AI may affect cybersecurity operations in the years ahead. As AI accelerates vulnerability discovery, organizations may face significantly larger volumes of vulnerabilities and exposures than they do today.

“It’s worth examining every part of a patching process,” Sheldon says, and asking whether it could scale if “there were 10 times as many vulnerabilities released tomorrow as there were yesterday.”

For state and local governments, attack surface management ultimately begins with understanding what assets are exposed today. From there, organizations can build the visibility needed to prioritize risk, strengthen security operations and reduce opportunities for attackers.

 

SDI Productions/Getty Images