Skip to content
← All industries
Government

Public Infrastructure on Private Risk

Government agencies worldwide running citizen services on legacy technology. The White House runs WordPress — but .gov overall is 49% Drupal across 14,349 sites.

Key data points
.gov framework distribution (14,349 detected)
7,047 Drupal, 3,589 WordPress, 1,538 Rails (11%), 789 Next.js (6%), 560 Django (4%). Source: WebPulse 10M scan.
Drupal 49%, WordPress 25%
US federal IT legacy spending
Over 80% of federal IT budget goes to maintaining legacy systems.
$100B+ annually
Average time to patch a government site
Procurement, testing, approval cycles far slower than private sector.
45-90 days
COBOL lines in US federal systems
Social Security, IRS, Veterans Affairs — critical services.
~240M lines
Government data breaches (2025)
State and federal agencies combined. Many involving legacy system vulnerabilities.
1,200+
Risk factors

What keeps Government CISOs awake

Procurement processes prioritizing low upfront cost over total cost of ownership

WordPress chosen because 'nobody gets fired for choosing WordPress' — the status quo bias

Citizen data processing on frameworks with active CISA KEV entries

Multi-month patch deployment cycles creating extended vulnerability windows

COBOL knowledge concentration in near-retirement workforce

Stack comparison

Typical vs Recommended

Typical Government stack
WordPress 35
PHP 7.x 33
MySQL 5.x 31
.NET Framework (4.x) 39
IIS 35
Recommended modern stack
Astro 80
Python 3 85
PostgreSQL 81
Docker 77
Nginx 69
Score your own stack →
Regulatory landscape

Compliance Exposure

FedRAMP

Cloud security authorization. Legacy on-premise systems increasingly difficult to maintain in compliance.

FISMA

Federal information security. Annual assessments. Legacy systems accumulate findings year over year.

CISA Directives

Known Exploited Vulnerabilities catalog. Federal agencies required to patch within defined timelines — often impossible on legacy stacks.

Accessibility (Section 508)

Legacy CMS themes and plugins frequently fail accessibility requirements, creating legal exposure.