States Struggle to Fill K-12 Cybersecurity Gaps Left by Federal Cuts

‍State Leaders Step In as Federal Support Retreats

Across the United States, state policymakers are racing to strengthen cybersecurity protections for K-12 schools, even as federal resources that once supported these efforts are being rolled back.

A recent report by the Consortium for School Networking (CoSN) reveals that lawmakers in five states — Arkansas, Massachusetts, Oregon, Pennsylvania, and Texas — have considered 18 cybersecurity-related bills in 2025, with seven already enacted by midyear.

Among them:

• Texas established the Texas Cyber Command, charged with offering cybersecurity training to educational institutions.
  
  
• Arkansas mandated that its insurance department provide cyber-insurance for public schools and created a cyber response program to assist districts after incidents.
  
  
• Ohio, though not part of the initial study, enacted a comprehensive law requiring school districts to adopt cybersecurity plans, obtain board approval before paying ransoms, and report attacks within seven days.
  
  

“While federal support for K-12 cybersecurity is in turmoil, several states are advancing innovative, bipartisan legislation,” said Keith Krueger, CoSN CEO. “These common strategies offer actionable ideas and highlight the need for collaboration and leadership.”

Federal Pullback Widens the Risk Gap

The state-level momentum contrasts sharply with the federal government’s retreat from K-12 cybersecurity initiatives.

The Trump administration recently:

• Disbanded a federal K-12 cybersecurity advisory group that included leading education and technology associations.
  
  
• Reduced K-12 support programs run by the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  
  
• Shut down the Readiness and Emergency Management for Schools (REMS) Center, which had been funded through 2030 to help schools plan for emergencies, including cyberattacks.
  
  

Experts say the rollback leaves schools — already prime targets for ransomware and data breaches — dangerously exposed.

“This is basic defense of the homeland,” said Doug Levin, co-founder of the K12 Security Information eXchange. “The federal government is asking schools to defend against hackers from Russia and China — with no real backup.”

Cybersecurity Gaps Growing Across Districts

The CoSN findings underscore deep systemic weaknesses:

• 61% of districts lack a dedicated cybersecurity budget, relying instead on general funds.
  
  
• 78% of their spending goes to monitoring, detection, and response — not prevention.
  
  
• 44% outsource cybersecurity functions to manage costs.
  
  

These figures paint a troubling picture: schools are reacting to threats, not proactively building defenses.

State Strategies Taking Shape

To address these challenges, CoSN recommends — and many states are adopting — the following policy levers:

• Appointing a lead state agency to coordinate K-12 cyber responses.
  
  
• Funding risk assessments and long-term cybersecurity strategies.
  
  
• Creating teacher certifications in cybersecurity and building student pathways into cyber careers.
  
  
• Mandating public reporting of cyber incidents and vendor compliance standards.
  
  

But state capacity varies widely, experts warn. Smaller or less-resourced states may struggle to provide consistent support or sustain cybersecurity investments over time.

The Big Picture

As the digital divide extends into cybersecurity, the burden of protecting schools increasingly falls on state governments and local districts. Without renewed federal coordination and funding, school systems face a widening gap in their ability to defend sensitive student data and keep classrooms connected safely.

Key takeaway:
Cyber threats are escalating, but federal withdrawal is leaving local schools to fend for themselves. Collaboration among state leaders, districts, and private partners like CyberNut is essential to close the cybersecurity gaps before they widen further.