Utah HB 44: A Cybersecurity Readiness Guide for School Districts

HB 44 (2026 General Session, Chief Sponsor Rep. Ryan Wilcox; Senate Sponsor Sen. Ann Millner) is mostly a physical-security bill: armed school guardians, panic-alert devices, visitor management. The cybersecurity requirements are one part of it, and knowing exactly where they live matters when you are reading the law or briefing leadership.

The cybersecurity provisions are enacted at Utah Code Title 53G, Chapter 8, Part 9 (LEA Cybersecurity Standards), Sections 53G-8-901 through 53G-8-903, with the standards-setting duty at Section 63C-27-202(9). The bill was signed by Governor Cox and took effect May 6, 2026. In brief, Part 9 and the related Commission duty do four things:

• Minimum standards, set by rule. Each LEA must comply with minimum cybersecurity standards established by the state Cybersecurity Commission through administrative rulemaking (Section 53G-8-902), on a phased implementation timeline also established in rule.
• Framework-aligned rules. Section 63C-27-202(9) directs the Commission to align the standards with industry-recognized frameworks, specifically naming the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS), and to account for varying LEA resources, capacity, and needs.
• State support for districts. UETN, in consultation with the Utah Cyber Center and the state board, must develop implementation guidelines and technical resources, provide technical assistance, and coordinate cybersecurity services for LEAs. The three entities are also required to coordinate with each other so districts get consistent guidance without duplicated effort.
• Breach reporting and a named contact. Section 53G-8-903 adds data-breach reporting duties and requires each LEA to designate a primary cybersecurity point of contact (covered in detail below).

You can read the law yourself; the cybersecurity sections are short. The enrolled HB 44 (PDF) is hosted here for convenience, and the Utah Legislature's HB 44 page is the primary source.

Both, in a sense, and the confusion is understandable. The school cybersecurity requirements were drafted earlier in the 2026 session as HB 42 (School Cybersecurity Amendments). During the session, those provisions were consolidated into HB 44 (School Security Personnel Standards) through a Senate substitute, and HB 44 is the bill that passed and was signed into law.

So if a vendor, a conference session, or a colleague refers to "HB 42 requirements," they almost certainly mean the same provisions; the current, correct citation is just HB 44, Utah Code 53G-8-901 through 903. HB 42 did not fail. Its cybersecurity provisions live on inside HB 44.

Just as important as what the law requires is what it leaves open. HB 44 does not contain a list of specific technical controls, and it does not set a single compliance deadline. Both are delegated to the Cybersecurity Commission, which writes the actual standards through administrative rulemaking, including a phased implementation timeline based on LEA size, existing cybersecurity infrastructure, and available resources.

That is not a reason to wait. The statute already tells you the shape of what's coming: the framework alignment and the topic areas the rules must address are written into the law. Districts that map their current posture against those areas now will be in a far better position when the phased timeline lands, and most of the work involved is worth doing regardless of any rule.

Section 63C-27-202(9)(d) lists the areas the minimum standards must address, as appropriate to each LEA's size, risk profile, and resources. This list is the closest thing to a published syllabus for the coming rules:

• Identity and access management
• Asset management and inventory of hardware, software, and data systems
• Data protection
• Security monitoring and logging capabilities
• Vulnerability management, including regular security assessments and patching procedures
• Incident response and recovery planning
• Security awareness training requirements for staff and administrators
• Third-party risk management for vendors with access to LEA systems or data
• Network security controls
• Backup and disaster recovery procedures
• Governance structures for cybersecurity oversight within an LEA

Two things stand out. First, this is a mainstream control set: if you have worked with the CIS Controls or the NIST Cybersecurity Framework, nothing here will surprise you, which is the point of the framework-alignment requirement. Second, the human layer is named in the law itself. Security awareness training for staff and administrators is an explicit statutory topic, not an optional extra. A district that treats training as a once-a-year video will likely find that posture hard to defend once standards are in rule.

HB 44 deliberately expands what Utah provides to districts for free. UETN and the Utah Cyber Center are tasked with implementation guidelines, technical assistance, coordinated services, and information sharing, and the law requires them to coordinate with the state board specifically to avoid duplication and give LEAs consistent guidance. If you have not talked to UETN or the Cyber Center recently, that conversation is step one, before any purchasing decision. Use everything the state gives you.

The baseline is real, but it is shared infrastructure serving every LEA in the state. Where districts typically find they need a layer above it is in the depth and per-person granularity of the human-risk work the statute calls for:

None of that replaces the state-provided baseline. It sits on top of it, in the layer where the statute asks for "security awareness training requirements for staff and administrators" and where most districts have the least visibility today. The honest sequencing: take the free baseline first, identify what your district still cannot see or evidence, then decide what belongs above it.

Here is a working checklist you can use to take stock before the Commission's rules land. It is organized around the statute's own topic areas, so work you do now maps directly to whatever the final standards require. Check items off as you go, or use the Download PDF button at the top of this page to get a copy you can print or share with leadership.

Section 53G-8-903 is the part of HB 44 most likely to matter on a bad day, so it is worth knowing cold. Here is the workflow the statute describes:

Separately, every LEA must designate a primary point of contact for cybersecurity matters who interfaces with the Cyber Center, the state board, and UETN. Smaller districts and charters should note that a regional education service agency may serve as the designated contact for multiple LEAs in its service area. If it does, the agency takes on coordination and documentation duties on behalf of the participating LEAs.

The practical takeaway: a 24-hour notification clock is short. The time to wire breach reporting into your incident response plan (who calls whom, with what information, verified against current contacts) is before an incident, ideally rehearsed in a tabletop exercise.

Harborcoat is a Utah-based team of strategic security and IT advisors. We help districts take stock of where they stand against the areas HB 44 names, make sense of what the free state baseline covers, and decide, honestly, what, if anything, belongs above it. Where implementation work is needed, we coordinate it through vetted partner firms rather than performing deployments in-house, which keeps our advice independent of any one tool.

If procurement becomes part of the conversation, we help districts navigate cooperative purchasing and public-sector procurement vehicles. But most first conversations are simpler than that: a walk through the checklist above, what the Commission's rulemaking is likely to mean for a district your size, and what to do in which order. No pitch required.