Dive Brief:
- State legislators introduced 28 K-12 cybersecurity bills across 16 states last year, signaling the urgency felt to address schools’ vulnerability to cyberattacks, according to a recent report by the Consortium for School Networking.
- Based on the state bills introduced or enacted in 2024, CoSN pulled out five trends in K-12 cybersecurity solutions, including: providing training for school personnel, requiring education for students, establishing standards for schools, creating funding programs to prevent cyberattacks, and setting incident reporting and response protocols.
- Beyond school-specific legislation, 258 broader cybersecurity bills were introduced across 42 states — and 29 were enacted — in 2024. Those bills also have K-12 implications, such as creating cybersecurity task forces with education representation or addressing ransomware threats, the CoSN report said.
Dive Insight:
The CoSN legislative analysis called out several 2024 state laws with a variety of K-12 cybersecurity supports, including those in California, Florida and Indiana.
The California law, for instance, protects how public entities, including educational institutions, discuss cybersecurity matters. Specifically, school districts are allowed to hold confidential talks on sensitive cybersecurity issues. The law also creates a mechanism for educational institutions to tackle cybersecurity challenges while prioritizing appropriate confidentiality.
In Florida, the 2024 law strengthened cybersecurity infrastructure by authorizing the Florida Center for Cybersecurity to help bolster cybersecurity measures within school districts’ technology platforms and systems.
Indiana, meanwhile, created a cybersecurity and artificial intelligence framework that allows school districts and higher education institutions to adopt cybersecurity policies, carry out mandatory cybersecurity training and create technology use policies. After July 2027, Indiana educational institutions must complete cybersecurity assessments every three years and implement secondary end-user authentication.
At the federal level, efforts to support K-12 cybersecurity rolled out, with a $200 million cybersecurity pilot program for schools and libraries created by the Federal Communications Commission.
Whether the momentum for federal K-12 cybersecurity resources continues under President Donald Trump will be worth watching. Recently, the U.S. Department of Homeland Security disbanded a federal school safety advisory board whose members had included some with K-12 cybersecurity expertise.
While data tracking K-12 cyberattacks is difficult to measure at a state and national scale, scattered research shows the issue to be a persistent one.
Nonprofit K12 Security Information eXchange found some 85 ransomware attacks hit K-12 public schools between November 2022 and October 2024. Before that, 325 ransomware attacks had targeted schools from April 2016 and November 2022, according to K12 SIX.
And just a month into 2025, cyber threats have not eased for the K-12 sector. PowerSchool, an ed tech software service, disclosed in January that it had fallen victim to a cybersecurity incident where a threat actor gained unauthorized access to some of the company’s student and staff information systems. Over 55 million students and 17,000 educational customers use PowerSchool’s cloud-based systems across more than 90 countries. PowerSchool has yet to publicly disclose the number of students impacted by the data breach.
Moving forward, CoSN recommends local education and state leaders consider the following when developing cybersecurity policies:
- Develop comprehensive cybersecurity education programs.
- Create flexible cybersecurity grant programs for infrastructure and training supports that include K-12 schools as eligible recipients.
- Establish cybersecurity incident reporting frameworks with set time frames and requirements.
- Encourage partnerships among government, K-12 and postsecondary education and the private sector through regional cybersecurity centers and collaborative training programs.
- Integrate AI and cybersecurity initiatives into frameworks analyzing emerging technology risks.
