What's Happening?
In 2025, state governments across the United States passed a total of 99 cybersecurity-related bills, resulting in 393 new statutory requirements. This development is detailed in a report by the University of California, Berkeley Center for Long-Term
Cybersecurity (CLTC). The report, titled 'Tracking Cybersecurity Policy Developments Across State Legislatures,' provides a comprehensive overview of the enacted state cybersecurity laws. Maryland led with 14 laws, followed by Texas with 11, Arkansas with nine, and Florida with four. The remaining 33 states passed between one to three bills each. The report highlights that more than half of these laws align with the governance function of the National Institute of Standards and Technology Cybersecurity Framework, focusing on leadership structures, oversight, and reporting requirements. Public schools are a significant focus, with new laws mandating uniform cybersecurity policies and the creation of state-administered cyber insurance programs.
Why It's Important?
The passage of these cybersecurity bills underscores the growing recognition of cybersecurity as a critical issue for state governments. By aligning with national standards and focusing on governance, states aim to enhance their cybersecurity posture and protect sensitive data. The emphasis on public schools reflects the increasing threat of ransomware attacks on educational institutions, which can disrupt learning and compromise student data. However, the report notes a significant challenge: many of these laws lack dedicated funding, which could hinder their effective implementation. Without financial support, states may struggle to conduct risk assessments, perform tabletop exercises, or meet new reporting mandates. This gap highlights the need for lawmakers to pair legislative mandates with adequate funding to ensure meaningful cybersecurity improvements.
What's Next?
Moving forward, the CLTC recommends that lawmakers address the funding gap by pairing mandates with financial resources. Additionally, there is a call for clearer cybersecurity standards and ensuring that reporting requirements lead to actionable outcomes rather than mere paperwork. The report also points out a lack of attention to detection capabilities, suggesting that states should enhance their ability to monitor systems and analyze indicators of compromise. As federal support for shared services declines, states may need to bolster their own detection and response capabilities. The public database created by CLTC aims to assist lawmakers, practitioners, and researchers in identifying trends and connecting with legislative sponsors to drive further cybersecurity advancements.
Beyond the Headlines
The legislative focus on cybersecurity reflects a broader societal shift towards recognizing the importance of digital security in an increasingly connected world. As cyber threats evolve, state governments are taking proactive steps to safeguard their digital infrastructure. However, the lack of funding and specific detection capabilities could leave states vulnerable to sophisticated cyberattacks. This situation underscores the need for a holistic approach to cybersecurity that includes not only legislative action but also investment in technology and human resources. The engagement of the cybersecurity and hacking community, as encouraged by the report, could provide valuable insights and support to lawmakers in crafting effective cybersecurity policies.
