Malicious actors are targeting software supply chains, insider access and legacy dependencies to compromise the security of large-scale agency systems. Prevention efforts are not enough, however. To protect national security and preserve trust, agencies need resilience and a recovery-by-design approach.