A representative from the North Carolina Department of Information Technology (NCDIT) joined the meeting by phone to brief board members on a statewide initiative to strengthen vendor cybersecurity oversight.
The NCDIT speaker said the state is increasing continuous monitoring of third-party vendors using tools such as BitSight and will require vendors to provide SOC 2 Type II reports or bridge letters attesting to controls between reports. "We are doing additional monitoring of our third party vendors ... we are using additional tools, one tool called BitSight," the NCDIT representative said, describing plans to vet vendors' cyber hygiene and require remediation timelines when issues surface.
The presenter described a planned transition to GovRamp, a vendor-certification framework. NCDIT plans to begin vendor outreach around Jan. 15 and target a state-level GovRamp rollout in the March–April timeframe, giving vendors six to 12 months to become compliant depending on the sensitivity of the data they handle. The state will tier certification requirements by sensitivity and expects continuous monitoring after transition.
Board members asked about penetration testing and whether NCDIT performs or requires external penetration tests. The NCDIT representative said penetration testing and periodic unauthenticated scans are part of the vendor assurance process and that the state will increasingly require such tests or equivalent reports for strategic vendors.
The board heard that the policy changes and new certification expectations will be communicated to vendors and that district contracts have been updated to include audit and remediation rights. The update is intended to reduce risks arising from vendor-held student and system data and to provide the district with additional oversight tools for vendor security.