Cybersecurity in the public sector reached an inflection point in FY25. Cyber incidents, from credential compromises and ransomware attacks to supply‑chain intrusions and zero‑day exploitation, continued to demonstrate that cyber risk is no longer confined to IT departments. It is a governance, operational and community resilience challenge affecting every level of government and nearly every sector. Against this backdrop, the National Cybersecurity Preparedness Consortium (NCPC) spent FY25 helping state, local, tribal and territorial (SLTT) organizations translate cybersecurity training into real‑world readiness.
Funded by the Department of Homeland Security and administered through FEMA’s National Training and Education Division, NCPC delivers no‑cost, DHS‑certified cybersecurity training aligned with the National Preparedness System, Presidential Policy Directive‑8 and Executive Order 14028. Its mission is straightforward but ambitious: equip communities with the knowledge and skills needed to prevent, detect, respond to and recover from cyber incidents.
Training at National Scale
By the end of FY25, the NCPC had trained 159,988 participants nationwide, reaching all 50 states and U.S. territories. That reach is the result of a diversified delivery model that combines instructor‑led and web‑based training designed specifically for public‑sector constraints, such as limited staff, tight budgets and geographic dispersion.
Web‑based training continued to play a central role in expanding access. Participation grew steadily year over year, with especially strong engagement in FY24 and FY25, reflecting both rising cyber awareness and the value of flexible, asynchronous learning models for busy professionals. For many jurisdictions, web-based training became the entry point into more advanced or role‑specific cybersecurity training.
What the Data Says People Need
FY25 participation data tells a clear story about where public‑sector cyber priorities are headed. High‑completion web‑based courses focused on cybersecurity maturity models, Internet of Things (IoT) risk, fundamentals of cybersecurity, advanced persistent threats, and mobile device security. This mix reflects a shift away from narrow technical skills toward broader enterprise risk awareness.
For cybersecurity professionals, this trend underscores an important lesson: public‑sector readiness increasingly depends on connecting governance, technology and operations. Training demand is no longer just about “how to secure a system,” but about understanding how cyber risk affects continuity of operations, emergency management, public trust, and service delivery.
Training Designed for Application, Not Just Awareness
The NCPC structures its curriculum across three levels: Awareness, Performance, and Management and Planning. This ensures training outcomes map directly to real responsibilities. Awareness courses establish foundational cybersecurity concepts, helping develop understanding and context that support the growth of cybersecurity knowledge, skills and abilities. Performance courses emphasize hands‑on, role‑specific skills using engaging activities that reinforce cybersecurity concepts and support stronger retention and real-world application. Management and Planning courses emphasize policy, governance, coordination and decision‑making, supporting effective and coordinated cybersecurity decisions across organizational stakeholders.
In FY25, participant assessments showed measurable increases in knowledge, skills and abilities, validating the NCPC’s emphasis on applied learning. Simulation‑based courses in particular helped leaders experience cyber incidents as resource, communication and prioritization challenges, not just technical events. For many organizations, these experiences helped establish a shared language between IT teams, executives and emergency managers.
Lessons from Sector‑Specific Gaps
Training participation and feedback in FY25 also revealed recurring readiness gaps across sectors:
- Local and rural governments often face foundational challenges, including limited cybersecurity staffing, unclear governance structures, and competing operational priorities. Training demand here emphasized baseline awareness and maturity modeling to support strategic planning.
- Public safety and emergency services organizations highlighted gaps in integrating cyber incidents into all‑hazards emergency operations. Dispatch systems, records management, and communications infrastructures remain particularly vulnerable.
- Utilities and critical infrastructure operators showed growing concern around IoT, operational technology and third‑party risk, driving interest in courses focused on advanced threats and networked device security.
- Tribal and territorial partners consistently emphasized accessibility and relevance, reinforcing the importance of flexible delivery models and content that respects local context while aligning with national frameworks.
These findings align closely with FEMA preparedness doctrine: cyber readiness must be scalable, inclusive and adaptable while remaining anchored to shared national risk management principles.
Collaboration as a Preparedness Accelerator
The NCPC’s impact in FY25 was amplified by its consortium model, which brings together five partner institutions with complementary expertise. Throughout the year, these partners worked collaboratively to assess the evolving needs of SLTT communities in order to refresh course content, develop new offerings, and coordinate delivery across regions and sectors.
This coordinated approach enabled the NCPC to efficiently design and deliver timely, high-quality training focused on emerging cybersecurity threats while maintaining consistency, relevance and alignment with federal policy. For public‑sector professionals, this model ensured access to trusted, standardized training tailored to the operational realities and capacity needs of SLTT organizations.
Looking Ahead
FY25 reinforced an essential truth for the cybersecurity community: training alone is not preparedness. Preparedness comes from training that changes behavior, informs decisions, and strengthens coordination across roles and sectors. By focusing on applied learning, inclusive access and national alignment, the NCPC continues to help public‑sector organizations move from awareness to actionable readiness.
As cyber threats continue to evolve, the lessons of FY25 provide a roadmap for strengthening resilience, one community, one organization, and one trained professional at a time.
By Natalie Sjelin, Chair of the NCPC and Executive Director of the Center for Infrastructure Assurance and Security, and Rebecca Tate, Director at the Texas A&M Engineering Extension Service National Emergency Response and Recovery Training Center