Sector profile
Government breaches cost $2.83M on average. Per record, $134.
IBM's 2025 government figure of $2.83M is the lowest of any tracked sector. Per-record cost of $134 is also the lowest, reflecting that government records are typically not monetisable as fraud assets and that public-sector entities do not face customer churn or stock-price impact. The headline understates national-security risk: an OPM-class breach produces a 30-year intelligence asset for the adversary, not a quarterly earnings event.
Avg total cost: $2.83M (IBM CODB 2025)
Per record: $134 (lowest of tracked sectors)
YoY change: +1% (flat year-over-year)
Procurement cycle: 6-18 months (vendor remediation timeline)
Section GV.1: Why the headline figure underweights national-security impact
IBM's cost methodology measures four cost categories: detection and escalation, notification, post-breach response, and lost business. For a federal agency, the "lost business" category is largely zero (agencies do not lose customers to competitors), and notification cost is amortised through existing communication infrastructure rather than triggering Experian-class commercial-vendor expense. The result is a per-record cost roughly one-third of the healthcare figure. That arithmetic is correct for the four IBM categories. It is wrong as a representation of total breach impact, because national-security cost does not fit the framework at all.
The OPM 2015 breach is the canonical example. OPM disclosed $133M in direct cost across the breach and follow-on identity-monitoring contracts. The national-security cost is not in that figure. The breach exposed SF-86 background-investigation files for 21.5 million current and former federal employees, contractors, and their family members. The SF-86 form requires a complete personal history, including a 10-year residence record, foreign travel history, financial history, and the names and contact details of relatives and close associates. For Chinese intelligence services, the SF-86 dataset is a structured database of every American with a security clearance and every person with whom that American has a meaningful relationship. The intelligence value is permanent. The cost is unquantifiable in dollars but real for 30 years.
For state and local government, the cost asymmetry runs in the opposite direction. State unemployment-insurance agencies and motor-vehicle departments hold SSN, driver-licence, and benefit-claim data that is highly monetisable. The 2020 wave of unemployment-fraud incidents, driven by COVID-era benefits expansion, produced single-state losses in the billions. California EDD alone disclosed $30B+ in fraudulent claims paid in 2020-2021, with breach-adjacent identity theft as a major contributor. The IBM figure does not capture these costs because EDD is not classified as a sector-tracked organisation.
Section GV.2: FISMA, FedRAMP, and the procurement bottleneck
The Federal Information Security Modernization Act (FISMA, originally 2002, reauthorised 2014) is the foundational federal cybersecurity statute. FISMA requires every federal agency to maintain an information-security programme aligned to NIST SP 800-53, conduct annual assessments, and report to the Office of Management and Budget. Penalties for FISMA non-compliance are administrative rather than monetary, but a poor FISMA grade frequently triggers budget consequences during the appropriations process the following year.
FedRAMP is the cloud-specific compliance regime layered on top of FISMA, governing cloud-service providers that wish to sell to federal agencies. FedRAMP Authorisation runs Low, Moderate, and High impact baselines, with sponsorship by an agency or by the FedRAMP Joint Authorisation Board. Initial authorisation cost runs $250K to $2M for a typical SaaS vendor, plus 12 to 24 months of calendar time. Continuous monitoring cost runs $200K to $800K annually thereafter. The cost flows downstream to government customer pricing rather than appearing on government balance sheets, but it is real cost-of-cybersecurity attributable to government regulation.
CISA (the Cybersecurity and Infrastructure Security Agency, established 2018) operates the federal civilian-agency operational coordination function and issues binding Emergency Directives when a vulnerability or active threat requires immediate response. CISA Emergency Directive 21-01 following SolarWinds required all federal civilian agencies to disconnect SolarWinds Orion within hours. The directive system creates an enforcement mechanism that FISMA itself lacks, and it produces real cost: each Emergency Directive typically triggers $1M to $10M of unplanned response and remediation cost across federal civilian agencies in aggregate.
Section GV.3: Notable government breaches
Office of Personnel Management (OPM), 2014-2015
Profile: 21.5M SF-86 records / Chinese intelligence / Vendor-cleared dwell time
Cost: $133M+ direct
The most consequential federal breach in US history by national-security impact. Chinese intelligence-affiliated actors gained access to OPM's networks through contractor credentials in 2014, exfiltrating SF-86 background-investigation files for 21.5 million federal employees, contractors, and family members over the following 12 months. OPM disclosed $133M in direct cost across breach response and follow-on identity-monitoring contracts with ID Experts. The House Oversight Committee report documented the failures in detail. The OPM CIO Donna Seymour resigned during congressional testimony.
Primary source: House Oversight Committee report 7 September 2016; OPM Inspector General reports 2015-2016.
SolarWinds federal agency impact, 2020
Profile: Treasury, Commerce, State, DHS, DOJ, Energy, NIH / Supply-chain / Russian SVR
Cost: $200M+ federal
The SolarWinds Orion update was distributed to approximately 18,000 customer organisations, with federal civilian agencies disproportionately represented. CISA Emergency Directive 21-01 required immediate disconnection. Federal agency remediation cost across Treasury, Commerce, State, DHS, DOJ, Energy, NIH, and others was estimated at $200M+ in direct cost. The cost flowed through agency operating budgets rather than a supplemental appropriation, with corresponding pressure on FY22 and FY23 cybersecurity line items.
Primary source: CISA Emergency Directive 21-01 18 December 2020; Senate Intelligence Committee briefings 2021; GAO Report 22-104746.
Microsoft Exchange Online (Storm-0558), 2023
Profile: State Dept + Commerce mailboxes / Stolen MSA signing key / Chinese intelligence
Cost: undisclosed (CSRB-investigated)
A China-affiliated actor obtained a Microsoft consumer signing key and used it to forge authentication tokens for Exchange Online mailboxes at the State Department and Commerce Department. The Cyber Safety Review Board (CSRB) reviewed the incident and published a public report in March 2024 strongly critical of Microsoft's security culture and engineering practices. The CSRB report became a watershed in federal procurement, with the Department of Defense subsequently demanding Secure Future Initiative commitments from Microsoft and other large vendors. Direct dollar cost is undisclosed; the structural cost shows up in tightened federal procurement requirements and contract terms.
Primary source: CSRB report published 2 April 2024; Microsoft 8-K disclosures 2023-2024.
Section GV.4: The procurement-bottleneck cost driver
The single most under-appreciated government breach-cost driver is procurement velocity. A commercial organisation that discovers a breach can sign an incident-response retainer with Mandiant or CrowdStrike within hours and have on-site IR within 24 hours. A federal agency that discovers a breach has to either invoke an existing IDIQ contract (if one is in place and IR is in scope) or initiate a sole-source justification with the corresponding contract paperwork, which typically runs 7 to 30 days even on an expedited basis. The detection-and-escalation cost line consequently runs higher relative to total breach size, and the attacker's dwell time is longer.
The General Services Administration has materially expanded the Schedule 70 (now Multiple Award Schedule IT category) coverage of cybersecurity IR services since 2018 to address exactly this gap. The CISA-led FedScope IR vehicle (announced 2023) is intended to reduce the procurement-cycle time for federal incident response to 48 hours. As of 2026 the early evidence is encouraging, but the procurement-cycle premium remains a real cost driver.
For state and local government, the procurement constraint is typically more severe because state procurement statutes frequently require RFP competition for any IT contract above a low threshold (typically $25K to $250K). The Maine 2024 ransomware response is a recent case study: the state had to invoke an emergency-procurement statute to engage IR vendors within 72 hours, with subsequent legislative review of the emergency invocation.
Cross-references
Cost / Forensics → IR vendor rates and engagement-scope economics.
Regulation / SEC Item 1.05 → Public-company disclosure rules. Does not apply to federal agencies but informs federal contractor obligations.
Cost / Per record → $134 for government vs $408 for healthcare; full sector table.
Index / All industries → All 10 IBM sectors ranked.
Index / By country → US-vs-non-US regulatory variance.
Primary source: Government sector cost figures from IBM Cost of a Data Breach Report 2025. FISMA, FedRAMP, and CISA Emergency Directive data from official agency publications. Notable breach data from House Oversight Committee reports, Senate Intelligence Committee briefings, GAO reports, and the CSRB Microsoft Exchange Online review.