Board presses KSDE on district cybersecurity funding after briefing on risks and vendor breaches

KSDE IT staff briefed the board about state‑level cybersecurity supports for school districts and how districts should respond to incidents. Ryan Kurtenbach described outreach, adoption of NIST Cybersecurity Framework 2 and the need for governance, asset management, identity management and security awareness training to reduce social‑engineering risks.

Kurtenbach said KSDE has worked with districts and the state Cybersecurity Cooperation Preparedness Office and has produced guidance and templates (including vendor‑vetting RFP language) to help districts strengthen protections. “The biggest thing for me though is the flexibility of this. What it does is it tells you how...to build your cybersecurity program,” Kurtenbach said.

Board members sought clarity about whether districts currently have dedicated cybersecurity funding. Multiple board members reported districts telling them funding was cut or repurposed; KSDE staff said they were not aware of a dedicated, ongoing state cybersecurity funding stream for districts and suggested districts sometimes used federal grant funds (ESSER) or E‑rate for pieces of security work.

On breaches and vendor incidents: staff cited recent supply‑chain events (PowerSchool) and emphasized vendor vetting and contractual security requirements. Kurtenbach said Logicalis would be an implementation partner, not a data host, and KSDE would retain its data on state systems. Staff proposed continued emphasis on low‑cost, high‑impact measures: secure account offboarding, network segmentation, security awareness training and using assessment tools for vendor security.

Next steps: KSDE will continue district outreach, share vendor vetting tools, and work with districts that report they lost funding to clarify sources. Board members requested follow‑up documentation on district funding practices and recommended exploring options for dedicated funding or supports.