A new guidebook released by CLTC’s Public Interest Cybersecurity Program highlights the benefits of “community cyber defense programs” — including cybersecurity clinics, regional security operation centers (RSOCs), and state cyber corps — as a resource for defending organizations like nonprofits, rural hospitals, schools, local utilities, counties, municipalities, and small businesses from cyber attacks.
Authored by Grace Menna, Senior Fellow of Public Interest Cybersecurity at CLTC, Save Money, Build Talent, and Defend Communities: A Whole-of-State Cybersecurity Guidebook shows how cyber defense programs are a smart investment for states because they can save taxpayer dollars, develop the local workforce, and strengthen community cyber defense. Such programs can be an effective, cost-efficient way to help defend “target-rich, resource-poor” organizations that provide essential services to U.S. communities but lack the resources to defend themselves against cyberattacks by criminals and nation-states.
The report is the first of its kind to map the concentration of cyber defense programs across the U.S. Menna’s research indicates that 32 states have at least one cyber defense program, and 10 have more than one type of program, as of April 2026.
“State governments are turning to community support ecosystems to provide a safety net that strengthens civic organizations’ cyber defenses, ensuring they can continue their vital work securely and without disruption,” Menna writes. “As part of a growing ‘whole-of-state’ cybersecurity strategy, many states are piloting cyber defense programs that rely on local talent to provide hands-on assistance to fill critical gaps in the cyber defenses of communities. These programs lean on civilian participation to help bolster defenses, often by upskilling students and deploying local skilled volunteers to save money, develop the local cybersecurity workforce, and build resilience.”
The report presents a roadmap for states to adopt a multi-faceted approach to cybersecurity that supports the sharing of intelligence, tools, and products, as well as shared training and education and streamlined procurement processes for cybersecurity software and hardware. The guidebook focuses on three types of programs:
- Cybersecurity clinics: Modeled after legal and medical school clinics, cybersecurity clinics provide real-world experience to students at colleges and universities by training them to provide pro bono cybersecurity services to community organizations.
- Regional security operation centers (RSOCs): Typically staffed by a combination of student trainees and professionals, RSOCs detect, analyze, and respond to security incidents across a specific geographic region.
- State cyber corps: State cyber corps are teams of cybersecurity professionals who volunteer to provide preventive and reactive cybersecurity services to designated beneficiaries, typically operating under the authority of a state government department or agency.
The guidebook makes a strong case for investment in cyber defense programs by providing preliminary data on the gross economic value and return on investment. Programs that rely on existing skilled volunteers, like state cyber corps, can create between $1.4M and $7.5M in gross economic value per year for states and help harden the defenses of community organizations, according to the guidebook. RSOCs are estimated to create between $1.1M and $2.6M in gross economic value annually, while cybersecurity clinics generate between $12,000 to $150,000 per year. These programs can help serve as key workforce development investments in students while providing cybersecurity services to organizations that otherwise would go without.
The report includes an overview of best practices employed by successful cyber defense programs, as well as common hurdles and examples of how to overcome them. It also features case studies centered on initiatives in Texas, Wisconsin, and New Jersey, which showcase “how a network of programs collaborating and sharing intelligence can be a force multiplier for a state’s investment in local cyber defense.”
This new resource comes at a critical time, as states are increasingly responsible for managing the cybersecurity of infrastructure within their states following a reduction in federal funding. The guidebook suggests that state governments can maximize the impact of cyber defense programs by providing resources to enable them to work together. “These programs cannot succeed in a vacuum,” Menna writes. “They need financial and administrative support from state leaders.”
Save Money, Build Talent, and Defend Communities: A Whole-of-State Cybersecurity Guidebook
