States Face Growing Cyber-Security Strain in K-12 Without Federal Support

CyberNut
September 11, 2025

State policymakers across the U.S. are increasingly confronted with the realities of mounting cyber-threats targeting K-12 education systems even as federal support for those schools is being pulled back.

A new report from the Consortium for School Networking (CoSN) examined five states (Arkansas, Massachusetts, Oregon, Pennsylvania and Texas) and found that in 2025 those states alone considered 18 bills directly related to K-12 cybersecurity. Of that number, seven measures had already been enacted by July. For example:

  • Texas passed a law creating the Texas Cyber Command, which will provide cybersecurity training to schools.

  • Arkansas passed legislation requiring its insurance department to offer cyber-insurance for public schools, and established a cyber-response program for districts impacted by attacks.

  • Ohio (not among the five states originally studied) passed a wide-ranging law that requires school districts to adopt cyber-plans, mandates board approval before paying ransomware demands, and requires attacks to be reported within seven days.

Federal Pull-Back Leaves Big Gaps

The legislative push at the state level comes as the federal government has significantly scaled back its support infrastructure for K-12 cybersecurity:

  • A federal advisory group devoted to K-12 cybersecurity that included major education-sector organizations was disbanded.

  • The federal program run by the Multi‑State Information Sharing and Analysis Center (MS-ISAC), which provided cybersecurity support to school districts, has had its K-12 programs reduced.

  • The Readiness and Emergency Management for Schools Technical Assistance Center (REMS) – which supported schools’ emergency planning (including cyber events) – is scheduled to shut down despite earlier funding approval.

One expert aptly described it as asking school districts to defend themselves against international hackers with little federal backup:

“This is basic defense of the homeland stuff … the education system to educate kids [then saying], ‘oh, and good luck with those hackers attacking your systems from Russia and China.’” 

Schools Ill-Prepared to Manage the Risk

The CoSN data paints a sobering picture:

  • 61% of school districts do not have a dedicated cybersecurity budget, and instead draw from general funds.

  • 78% of their cybersecurity spending goes toward monitoring/detection and incident response — fewer resources go to prevention or proactive planning.

  • 44% outsource their cybersecurity response activities in part to reduce costs.

What States Are Doing

To respond, states are adopting several policy levers, many recommended by CoSN:

  • Designating a lead state agency to coordinate K-12 cyber response.

  • Funding risk assessments and proactive strategy development for districts.

  • Encouraging cybersecurity teacher certification and workforce development, including preparing students for cybersecurity careers.

  • Imposing legal and reporting requirements on school districts to publish attacks or vendor cybersecurity compliance.

Key Takeaways

  • With federal structures weakening, states are increasingly bearing the burden of K-12 cyber‐governance.

  • But state capacities vary widely and many districts are underfunded, making systemic gaps likely.

  • Without dedicated budgets, proactive planning, and clear oversight, schools remain highly vulnerable to ransomware and other attacks at a time when the stakes (student data, disruption of learning) are high.

  • Policymakers, district tech teams and vendors alike need to collaborate — and soon — to build resilience.