By Seung Yeon (Sunny) Lee May 15, 2026 K-12 school districts are among the premier targets for cybercriminals nationwide. According to data from the Center for Internet Security (CIS), an alarming 82% of reporting K-12 schools have experienced cyberattacks, accounting for at least 9,300 confirmed incidents. Ransomware, phishing, and debilitating data breaches are no longer rare anomalies—they are routine threats.

Yet, school districts are being forced to fight these threats with chronically limited internal capacity, understaffed IT teams, and non-existent dedicated cybersecurity budgets.

Worse still, the safety net has vanished. A series of devastating federal funding cuts in 2025 drastically widened this defense gap:

  • MS-ISAC Defunded: In September 2025, the Multi-State Information Sharing and Analysis Center—the only federal program providing tax payer funded services, real-time cybersecurity services to districts—was shifted to a fee for service model.

  • Federal Policy Office Weakened: In March 2025, the Office of Educational Technology was eliminated.

  • Leadership Paused: The newly minted K-12 Government Coordinating Council was paused less than a year after its creation.

To understand how these disruptions are impacting schools on the ground, a Spring 2026 study conducted in partnership with CoSN surveyed 43 California K-12 technology leaders. The resulting document reveals a stark reality about the financial vulnerability and organizational capacity of our schools.

Key Insights from the Fieldintricate explorer 9udgfdap6rq unsplash

1. The Loss of MS-ISAC Made Districts Visibly Less Secure

Among California districts that actively relied on MS-ISAC, overall perceived security plummeted after the September 2025 funding cuts. Two-thirds of these districts reported that previously manageable threats have escalated in priority, driven entirely by the sudden loss of free, real-time threat intelligence.

2. Financial Constraints Are Tangible and Growing

Cybersecurity isn’t getting cheaper, but funding is drying up. Following the federal cuts, 58% of all surveyed districts reported that their ability to fund cybersecurity declined over the past year. Districts that previously relied on MS-ISAC were nearly twice as likely to report funding strains (70% vs. 38%) as they scrambled to find room in their budgets to replace what used to be tax payer funded free services.

3. The K-12 Governance Gap: A Four-Quadrant Reality

By mapping districts based on their external financial vulnerability and internal organizational capacity, the study established a structural “governance typology” of California schools:

  • The “Most Vulnerable” (30% of districts): High financial vulnerability and low organizational capacity. These districts completely lack the resources and internal infrastructure to respond to threats independently.

  • The “Underprioritized” (37% of districts): Stable finances, but weak organizational capacity. These districts have the resources but haven’t built basic preparedness infrastructure. Why? Because there is no external state mandate requiring them to act.

  • The “Constrained but Capable” (5% of districts): High financial vulnerability but remarkably strong internal capacity. This group is incredibly rare, proving how difficult it is to build strong defenses without stable financial backing.

  • The “Best Positioned” (28% of districts): Financially stable and highly capable. However, qualitative interviews revealed a troubling trend: these districts usually achieved this status only after a devastating internal cyber crisis forced them to invest, rather than proactive compliance with a state standard.

The Path Forward: Recommendations for California Policymakersmartin bekerman ubtdudrbfe4 unsplash

With federal support stripped away, California’s current legislative framework cannot leave school districts to fend for themselves. Policymakers must take immediate, structured state action:

  • Establish a State-Level Required Confidential Self-Assessment: California should encourage all K-12 districts to submit a confidential annual self-assessment of their cybersecurity conditions (staffing, budget, and incident response plans) to the California Department of Education or Cal-CSIC. We cannot fix what we do not measure.

  • Mandate Minimum Cybersecurity Standards: The state must establish a baseline “floor” that every district must meet. This means encouraging basic cyber hygiene controls (like multi-factor authentication, regular patching, and phishing training) alongside annually reviewed incident response plan documentation and a leadership tabletop exercise.

  • Build Capacity Through County Offices of Education (COEs): Rather than forcing every small district to reinvent the wheel, the state should resource COEs to act as regional cybersecurity hubs. COEs can provide standardized incident response templates, facilitate tabletop simulations, and run structured governance councils to bridge the gap between tech directors and district superintendents.

About the Research > This article is synthesized from the policy research brief, “Cybersecurity Governance in California K-12 School Districts: A Survey-Based Assessment” authored by Seung Yeon (Sunny) Lee (Goldman School of Public Policy, UC Berkeley, Spring 2026) in partnership with CoSN. For more information on the full report, survey methodology, or governance typology data, please contact the author or visit the CoSN research repository.

The views expressed in this report are solely those of the author.

Published: June 9, 2026

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.