Ark. Code Ann. § 25-1-128 (Act 504 of 2023) requires the Arkansas Department of Education (ADE) to develop a cyber security policy that shall be used by public school districts and public charter schools. 

Development and approval:    

• The State Cyber Security Office (SCSO) set the baseline for cyber security policies required under Act 504, using National Institute of Standards and Technology (NIST) controls.
• ADE worked with the SCSO, Arkansas Division of Information Systems (DIS), the Technology Educational Leaders of Arkansas (TEL-AR), and district technology coordinator feedback groups to develop a timeline for policy implementation.
• The policy was submitted by October 1^st as required in Act 504 and was approved by the SCSO. The policy must be resubmitted for review by October 1^st of each even numbered year.
• The approved policy provides a common cybersecurity vision and language for K12 public school districts and public charter schools, but also provides flexibility in how these policies are implemented at the standards and procedures level.

Timeline and next steps:

• The policy contains 20 NIST control families, placed into 3 groups with staggered effective dates to facilitate implementation. The overall policy and initial group of 6 NIST control families have an effective date of July 1, 2025.
• Superintendents can access the ADE K12 Cyber Security Policy by logging in to the ADE Digital Locker.
  • For ADE Digital Locker support, contact: adeitservices@ade.arkansas.gov
• Public school boards should make a motion to adopt the policy.
  • Board adoption does not require the policy to be released to the public.

Confidentiality:    

• Cyber security policies developed under Act 504 shall not be deemed open public records under the Freedom of Information Act of 1967, § 25-19-101 et seq.
• The ADE K12 Cyber Security Policy contains sensitive information and should not be posted or shared publicly.

Attachments