AWS Public Sector Blog

Whole-of-state cybersecurity: Three procurement considerations for the public sector

With a growing focus on cybersecurity and available grant funding, many states are planning to protect state agencies, cities, counties, and schools. At the state and federal levels, programs are funded to support these efforts. State and local government (SLG) agencies now have procurement questions to ask and decisions to make to maximize governance and security, simplify vendor management, and accelerate the overall process within a heavily regulated procurement environment.

Learn three important considerations for public sector procurement of cybersecurity solutions, as well as best practices from Amazon Web Services (AWS) for leveraging these new cybersecurity programs.

Three procurement considerations for cybersecurity initiatives

1. Rethink the traditional cybersecurity approach

Traditionally, states use a federated model for cybersecurity. This means that each public sector organization is responsible for the security of their own critical applications. This model doesn’t allow for a holistic statewide approach to visibility, observability, or risk management. Additionally, it doesn’t provide government leaders with insights or the ability to identify, prioritize, and fund efforts to reduce risks at scale.

The pandemic has caused states to rethink this model due to increased cyber events impacting SLGs, education organizations, and their critical infrastructure. Cyber events continue to heavily impact SLG and education institutions, compromising data and critical services to students and constituents. In its 2021 State of Ransomware in the US report, Emsisoft estimated that the 77 cyber incidents that occurred that year cost taxpayers over $623M. States now are moving towards a whole-of-state model for capabilities that provide visibility, risk reduction, and shared support models. The whole-of-state cybersecurity model supports broad access to certain security controls and capabilities across the state’s infrastructure to reduce the potential for cybersecurity gaps and to gain better visibility into threats at scale across the state.

2. Drive toward optimized cybersecurity programs

A more holistic security strategy can protect critical services within state borders. SLGs are shifting to collective defenses, like whole-of-state cybersecurity, where public and private sector organizations work together to augment and train their security resources, acknowledge common risks, and share information. One of these programs, the State and Local Cybersecurity Grant Program (SLCGP), allocates $1B distributed over four years to support state, local, and tribal agencies implementing cybersecurity best practices. Similarly, in September 2022, the State of Arizona Department of Homeland Security (AZDOHS) launched the Arizona Statewide Cyber Readiness Grant Program, providing technical assistance and security software licenses through AWS Marketplace to help Arizona’s most vulnerable cities, counties, and K12 school districts reduce infrastructure risks.

3. Support agile responses to innovation and security

The most common challenge facing government technology procurement is following outdated regulations and policies that don’t support agility. Speedy procurement enables government innovation; waiting for software can stall protective resources for implementation and can reduce experimentation opportunities.

State chief information security officer (CISO) and Department of Homeland Security (DHS) leads rely on fast procurement to utilize grants and other types of use-it-or-lose-it funding associated with these programs that have short expiration and spending windows. Plus, delays in cybersecurity solution procurement can mean at-risk systems go longer without the appropriate security solutions.

According to the 2022 Total Economic Impact™ of AWS Marketplace study, AWS Marketplace provides 66% time savings due to procurement efficiencies. That’s 66% time saved in gaining the resources organizations need to boost their defenses against cyber incidents. Reducing procurement time in a whole-of-state cybersecurity initiative can enable faster time to defense and cybersecurity solutions.

Procurement best practices with AWS to support cybersecurity

Along with participating in new cybersecurity programs, many SLGs and educational organizations can implement key best practices to increase procurement speed.

Leverage existing contracts

Pre-existing cooperative contracts that have been competitively bid by another public organization can supplement an organization’s solicitation process while leveraging the group’s purchasing power. Since there are no additional terms from AWS, public sector agencies can use the contract to make an immediate purchase.

If procurement requires negotiating terms with an independent software vendor (ISV), consider using the Standard Contract for AWS Marketplace (SCMP) with pre-negotiated, government-friendly contract templates to speed the negotiation process.

Discover software marketplaces

Digital marketplaces are becoming popular because they accelerate technology procurement, helping public sector organizations to meet their critical missions on time. AWS Marketplace makes it simple and cost-effective to find, try, buy, and deploy third-party software solutions, as well as track and manage cloud spending.

Use enterprise agreements

Establish an enterprise agreement that can include provision for use of software marketplaces. The contractual agreement should be backed by workflows and organizational change management to explain how to meet procurement requirements when using a marketplace. When a need arises, the purchasing tool is already established while offering oversight and management of the organization’s technology purchases. Public sector organizations can create a private, customized digital catalog of pre-approved software available in AWS Marketplace and use it behind their own firewall to quickly and securely purchase software and services.

Centralize software management

Public sector organizations can benefit from centrally managing the procurement of approved tools. When a single agency manages procurement, they can more simply identify trends and negotiate larger discounts for bulk purchases. Centralizing procurement also makes it simpler to enforce adherence to standards that benefit SLG and education organizations statewide. AWS Marketplace provides tools such as Private Marketplace to manage adherence to standards, Vendor Insights to speed up security assessments and new vendor onboarding, and a single view to track all agreements and renewals.

Shop around

Consolidating all software spend through a single reseller may alleviate vendor management concerns but doesn’t always provide the best value. For example, organizations may receive the best price for endpoint protection software from Reseller A, the best price for disaster recovery from Reseller B, and the best price on observability software directly from the software vendor. AWS Marketplace lets states negotiate the best price – no matter the source – but still view all their state subscriptions through a single access point. Plus, states can establish that price as a statewide pricing agreement that applicable government and educational organizations can use with or without central management at the state IT organization.

Federal funding for public sector cybersecurity is finite, and the need is broad among many cities, counties, and schools. Therefore, the leading state agency must secure the most operationally effective cybersecurity solutions and the best value.

Consider future needs

If project needs change, AWS Marketplace can help modify contracts such as extending the term, adding licenses, and more. AWS Marketplace can implement changes immediately so SLG and education organizations can complete purchases quickly and flexibly.

If the leading agency needs a solution immediately but doesn’t have the funds, the Flexible Payment Scheduler can help the state acquire software immediately and coordinate payments for when funds are available.

Conclusion

Whole-of-state cybersecurity models can help SLG and education agencies optimize their cyber resilience efforts and support compliance standards across all agencies to make sure critical state infrastructure is protected. The AWS Marketplace can help support procurement efforts for this cybersecurity model by accelerating procurement timelines and more to help agencies get the technology they need.

Find vetted solutions in AWS Marketplace designed to meet public sector needs in the Public Sector Solutions collection. Plus, find cloud security software to help strengthen your portfolio, predict risk, accelerate fraud detection, and augment advisory services all from AWS Marketplace.

Contact AWS experts to learn more about how AWS Marketplace can support your organization’s distinct needs.

Brandi Steckel

Brandi leads state and local government and education AWS Marketplace sales, scale, and adoption at Amazon Web Services (AWS). She specializes in guidance on procurement paths for projects involving software and services. She has developed nationwide state and local capture management practices and led federal, state and local, and education proposals and program management teams.

Danielle Hinz

Danielle is an executive government advisor for Amazon Web Services (AWS) and helps public sector customers on their digital transformation journeys. Before joining Amazon in 2017, she worked in public procurement for 20-plus years, including serving as chief procurement officer for King County, Washington, where she led a $3 billion procure-to-pay organization. She is a Certified Public Procurement Officer and has a master's degree in public administration.

Maria S. Thompson

Maria S. Thompson is the state and local government executive government advisor for cybersecurity at Amazon Web Services (AWS). In this role, she brings over 20 years of experience in information technology, strategic planning, computer network defense, and risk management. Prior to her role with AWS, Maria served as North Carolina’s first State Chief Risk and Security Officer. There, she was instrumental in establishing the Whole of State Approach to Cyber. This included the development and implementation of the state’s first Cyber Disruption Plan and the Joint Cyber Task Force (JCTF). Maria also served 20 years in the United States Marine Corps and retired as the cybersecurity chief/information assurance chief for the Marine Corps. Other security roles held include certification and accreditation (C&A) lead for the Multi-National Forces – Iraq, senior security engineer in a joint military organization, and Security Operations Center lead for a federal agency.