K-12 Cybersecurity Insider | 8/11/2025 edition

A biweekly newsletter providing curated cybersecurity news to the K-12 community, as a public service of K12 SIX. Sign up for the K12 SIX mailing list to have future editions delivered to your inbox.

Mark Your Calendar

• 8/13 - National Student Privacy & Data Security Summer Webinar Series: Day 1 (U.S. Department of Education/PTAC)

• 8/14 - Monthly Cross-Sector Threat Briefing (member-only)

• 8/20 - Operational Resilience Series: Communications Disruption Exercise (open to the public, pre-registration required)

In the News

Ohio Enacts Cybersecurity Regulations for Schools

In the absence of federal requirements for K-12 cybersecurity, a small number of states are taking the lead to set baseline standards for their school districts. Effective September 30, 2025, Ohio Revised Code Section 9.64 requires each local government entity in Ohio - including school districts - to implement a basic cybersecurity program. This program should include: (a) annual cybersecurity training for employees; (b) a cyber incident response plan; (c) practices to assess and remediate cyber risks; and (d) promptly reporting cyber incidents to the Ohio Cyber Integration Center and the Auditor of State. Moreover, school districts will be required to seek formal board approval for payment of extortion demands tied to ransomware.

Federal Cyber Grant Funds for State, Local Cybersecurity Released

On August 1, 2025 the U.S. Department of Homeland Security (DHS) announced the fourth and final round of funding for the State and Local Cybersecurity Grant Program (SLCGP), which expires at the end of FY 2025. The SLCGP provides funding to eligible entities to address cybersecurity risks and threats to information systems owned or operated by, or on behalf of, state, local, or tribal governments, including - in some states - school districts. Most states can expect to receive $1-2 million, presuming they agree to matching 40% of the total costs of approved projects with nonfederal dollars. Program-specific unallowable costs include “costs associated with the Center for Internet Security (e.g., Multi-State Information Sharing and Analysis Center (MS-ISAC) and Election Infrastructure Information Sharing and Analysis (EI-ISAC)), including but not limited to membership fees and services.”

Smart ‘Vape’ Sensor Widely Deployed in Schools Vulnerable to Hacking

In 2022, Juul settled some 5,000 lawsuits from states, counties and school districts that alleged that the e-cigarette maker used deceptive marketing aimed at teens and neglected to prevent underage sales of its products. Since then, additional suits have been settled. Money from those settlements has been used by schools nationwide to install vape detectors. Among the more popular sensors: the Halo 3C Smart Sensor (produced by a Motorola subsidiary). The issue: it contains security weaknesses that could allow someone to turn it into a secret listening device. So much for secure by design.

Fast Facts

• 45: U.S. K-12 ransomware victims claimed by threat actors (2025 to date) (source)

• 62: Severe information technology vulnerabilities (CVSS Base Score 7.0+) disclosed in past week (source)

Members Get More

The K12 Security Information eXchange (K12 SIX) operates as the information sharing and analysis center (ISAC) exclusively for the K-12 education sector. Organizations eligible for membership include school districts, charter schools and charter management organizations, private/independent schools, regional education agencies, and state education agencies. K12 SIX members get more.