State policymakers across the political spectrum are grappling with how to help K-12 schools respond to mounting cybersecurity threats, even as the Trump administration rolls back federal resources meant to help districts counter such threats, according to a new report.
The which represents district technology officials—studied five states with very different political landscapes and challenges: Arkansas, Massachusetts, Oregon, Pennsylvania, and Texas. Lawmakers in these states have considered a total of 18 bills in 2025 that directly addressed K-12 cybersecurity.
Of the 18 bills, seven had been enacted as of July, according to the report. The new laws include a Texas measure that establishes the Texas Cyber Command and calls for that agency to offer cybersecurity training, including to K-12 systems; a measure in Arkansas requiring the state’s insurance department to offer cybersecurity insurance for public schools; and Arkansas also passed legislation providing resources for a cyber response program to assist districts after attacks.
“While federal support for K-12 cybersecurity is in turmoil, several states are advancing innovative, bipartisan legislation to help safeguard student data, improve incident response, expand insurance access, and build the cybersecurity workforce we urgently need,” said Keith Krueger, CoSN’s CEO, in a statement. “These states’ common strategies offer actionable ideas for state and district leaders across the country and underscore the importance of systemwide collaboration and strategic leadership.”
The five states considered a total of 61 bills that would address K-12 cybersecurity needs indirectly, including measures aimed at creating a coordinated response to cybersecurity threats and developing a cybersecurity workforce, the report found.
Much of the legislation considered or enacted in states embrace policy recommendations that CoSN believes could help schools prepare for, and counter, cyberattacks.
Those strategies include:
- identifying a lead agency for combating cyberattacks and ensuring that it is working with school districts;
- providing funding for districts to conduct risk assessments and develop strategies to prevent cyberattacks;
- supporting teacher certification in cybersecurity;
- ensuring that students are prepared for jobs in the booming cybersecurity sector;
- requiring school districts to provide public reports of cyberattacks; and
- having schools put measures in place to ensure their vendors are meeting minimum cybersecurity standards.
One of the most comprehensive new cybersecurity laws wasn’t in one of the five states CoSN examined, noted Doug Levin, the co-founder and national director of the , a nonprofit cybersecurity organization.
Ohio , which will take effect this month requiring school districts to implement cybersecurity plans, get approval from their local school boards before paying a ransom to hackers who have stolen student data, and report to state agencies any cybersecurity or ransomware attack within seven days of its occurrence.
Action in states comes amid rollback of federal resources
The flurry of state legislative activity in these five states and elsewhere comes as the federal government is diminishing its role in helping schools prevent, and respond to, cyberattacks.
For instance, the Trump administration recently disbanded a cybersecurity advisory group aimed at giving education organizations a chance to help shape the federal response to K-12 cyber threats. Its members included the Council of Chief State School Officers, the National School Boards Association, the K12 Security and Information eXchange, and CoSN.
The Trump team also cut the K-12 cybersecurity programs provided through the Multi-State Information Sharing and Analysis Center, which works with government entities, including school districts, on responding to cyberattacks.
And the administration shuttered without explanation the Readiness and Emergency Management for Schools technical assistance center. The center told its affiliates it will shut down on Sept. 18—even after to continue work through at least 2030 with $3 million in annual funding. The center offers resources to schools to prepare for active shooter incidents, cyberattacks, and other emergency disruptions.
U.S. Department of Education officials did not respond to emailed questions about the impact of those cuts on K-12 schools or states.
A growing digital divide on cybersecurity
K-12 schools are a top target for cyberattacks, which have become increasingly sophisticated over the past few years, according to the report.
The problem is many school districts aren’t prepared to meet that growing threat. More than half of districts—61%—don’t have dedicated cybersecurity budgets, relying instead on general funds to cover those expenses, .
Most cybersecurity spending—78%—goes toward monitoring, detection, and response, according to that earlier CoSN report. Nearly half of districts—44%—outsource those efforts, in part to help keep down costs.
With declining federal resources, states will have to step up to help schools prevent, and respond to, cyberattacks, said Reg Leichty, the founding partner of Foresight Law + Policy, who works with CoSN on legal and governmental issues.
But state capacity varies widely, he added.
The question is “how do we help those states that might not have the wherewithal” to help districts prepare for and respond to cyberattacks, because of a lack of resources, expertise, or political will, Leichty said.
“Like other parts of the digital divide, the cybersecurity challenge is one that’s addressed better if the federal government’s trying to fill gaps,” Leichty said.
What’s more, since an increasing number of attacks now come from outside the United States, stepping away from helping districts with cybersecurity essentially means the federal government is asking school districts to shoulder the burden of a homeland security problem, Levin said.
“This is basic defense of the homeland stuff,” Levin said.
In stepping back from efforts to help schools, the federal government is asking “the education system to educate kids [then saying], ‘oh, and good luck with those hackers attacking your systems from Russia and China.’”
