According to eSchool News More than 80 percent of U.S. K-12 schools experienced cyber threat activity in 2025. Almost two thirds of districts reported at least one cybersecurity incident across the past two academic years. The question is no longer whether an attack will happen. It is whether the data that gets targeted is somewhere it can actually be protected when it does.
This article makes an important point that goes directly to the heart of Virginia Code Section 22.1-20.2:1. Vendor risk does not end at the contract. It lives in the architecture. Monitoring tools and compliance agreements do not change where data sits or who can reach it. Architecture does.
