Arkansas Act 504 Compliance Checklist for Schools — Powered by Red Garrison

We were meeting with a school district contact this week when they said something we've been hearing more and more:

"It would be great if someone just gave us a plain checklist of everything Act 504 requires—and showed us what you offer to help us check each box."

So we built it.

Below is a complete, plain-language compliance checklist for Arkansas Act 504 of 2023—mapped directly to the services Red Garrison provides to help your district get there and stay there.

What Is Act 504 of 2023?

Arkansas Act 504 of 2023 (codified at A.C.A. § 25-1-128, effective August 1, 2023) requires every public entity in the state—including public school districts, charter schools, and institutions of higher education—to take concrete action on cybersecurity.

The law was written in response to a growing wave of ransomware and cyberattacks targeting K-12 schools. It doesn't just suggest better security practices—it mandates them.

The Arkansas Department of Education (ADE), working with the State Cyber Security Office (SCSO) and the Arkansas Division of Information Systems (DIS), developed the official K-12 Cyber Security Policy using 20 NIST control families as the baseline standard.

The Act 504 Compliance Checklist

Use this checklist to evaluate your district's current compliance status. Each requirement maps to specific Red Garrison services you can use to fill the gaps.

✅ 1. Technology Resources Policy

What the Law Requires:

  • Create a formal Technology Resources Policy that defines authorized use of all district technology.

  • Public school districts must use the ADE-issued policy (not write their own from scratch).

  • The policy must prohibit:

    • Using district technology for unauthorized personal political communications

    • Lobbying elected officials via district systems

    • Illegal activities or violations of federal/state law

    • Intentionally bypassing or overriding the district's security and system integrity procedures

  • The policy (or a reference to it) must be available to the public upon request.

Checklist Items:

  • District has adopted the ADE Technology Resources Policy

  • Policy is incorporated into the Employee Handbook or Acceptable Use Policy

  • Board has voted to adopt the policy

  • Policy is accessible to staff and available to the public upon request

How Red Garrison Helps:
Red Garrison provides consulting support to help technology coordinators and administrators review, implement, and document their Technology Resources Policy adoption. We can help you confirm your current policy aligns with the ADE template and identify any gaps.

✅ 2. Cyber Security Policy

What the Law Requires:

  • Adopt the ADE-developed Cyber Security Policy for all district technology resources.

  • The policy is based on NIST control families (20 families total) with staggered effective dates.

    • Group 1 (6 NIST families) effective July 1, 2025

    • Additional groups follow on a staggered timeline

  • The policy must be submitted to the State Cyber Security Office for approval by October 1 of each even-numbered year.

  • The policy is confidential and not subject to FOIA—do not post it publicly.

  • Public school boards must make a board motion to adopt the policy.

Checklist Items:

  • Superintendent has accessed the ADE K-12 Cyber Security Policy via ADE Digital Locker

  • Board has made a motion to formally adopt the policy

  • District is tracking the staggered implementation timeline (Group 1 effective July 1, 2025)

  • Policy is treated as confidential and not shared publicly

  • Policy submission deadline (October 1 of even years) is on district calendar

How Red Garrison Helps:
Our APT (Adaptive Penetration Testing) program is designed to validate whether your district is living up to its cybersecurity policy—not just having one on paper. We test against real-world attack techniques to show where the NIST controls are holding and where they're not.

✅ 3. Cybersecurity Training for All Staff

What the Law Requires:

  • Develop and deliver a training program for all employees covering both the Technology Resources Policy and the Cyber Security Policy.

  • Training must be ongoing—not a single annual event.

  • Districts must have proof of training available for audits, compliance reviews, and insurance documentation.

Checklist Items:

  • All staff have completed training on the Technology Resources Policy

  • All staff have completed (or are enrolled in) Cyber Security Policy training

  • Training records are documented and stored

  • A process exists for training new hires

  • Training is refreshed as policies are updated

How Red Garrison Helps:
Red Garrison offers cybersecurity awareness training built for K-12 staff—non-technical, memorable, and directly tied to the threats your district actually faces. We also run phishing simulation campaigns to measure staff awareness in real time and identify high-risk users who need additional coaching. All training activity is documented for audit readiness.

✅ 4. Disciplinary Procedures for Policy Violations

What the Law Requires:

  • Establish a formal disciplinary procedure for violations of the Technology Resources Policy.

  • Establish a disciplinary procedure for violations of the Cyber Security Policy (developed in consultation with the State Cyber Security Office).

  • Establish a reporting procedure for suspected violations of the Cyber Security Policy.

  • Disciplinary procedures do not apply to communications protected under the Public Employees' Political Freedom Act or the Arkansas Whistle-Blower Act.

Checklist Items:

  • Written disciplinary procedure exists for Technology Resources Policy violations

  • Written disciplinary procedure exists for Cyber Security Policy violations

  • A formal process exists for reporting suspected cybersecurity policy violations

  • HR and administration are aware of the whistleblower/political freedom exemptions

  • Procedures are reviewed alongside policy updates

How Red Garrison Helps:
We provide policy consulting to help districts build or review disciplinary and reporting procedures that satisfy the law's requirements. If a violation is suspected or a breach occurs, our team can support the incident response and investigation process.

✅ 5. Risk Assessment & Vulnerability Evaluation

What the Law Requires:
While Act 504 does not use the phrase "risk assessment" verbatim, the adopted ADE K-12 Cyber Security Policy—built on NIST control families—explicitly includes controls for identifying and managing cybersecurity risk. The intent of Act 504 is to ensure schools address vulnerabilities before a cyberattack occurs.

Checklist Items:

  • District has completed or scheduled a formal cybersecurity risk assessment

  • Known vulnerabilities have been documented

  • A process exists to address and retest identified vulnerabilities

  • Risk assessment findings are reviewed by leadership

How Red Garrison Helps:
This is the heart of what Red Garrison does. Our external and internal penetration testing services identify real, exploitable vulnerabilities across your district's network, systems, and credentials. Our APT program goes further—providing continuous, year-round validation so your district always knows where it stands. We also deliver actionable reports written for superintendents and technology coordinators, not just technical staff.

✅ 6. Ongoing Monitoring & Incident Readiness

What the Law Requires:
The NIST-based ADE Cyber Security Policy includes control families covering detection, response, and recovery. Combined with Act 846's cyber response program requirements, districts must be prepared to detect threats and respond quickly.

Checklist Items:

  • District has active endpoint monitoring or managed detection and response (MDR) in place

  • An Incident Response Plan (IRP) exists and has been reviewed

  • Staff know how to report a suspected cybersecurity incident

  • District participates in or has reviewed the Arkansas Self-Funded Cyber Response Program (Act 846)

How Red Garrison Helps:
Red Garrison offers Managed Security Services including continuous monitoring, threat detection, and proactive security management around the clock. Through our partner Huntress, we deliver enterprise-grade MDR (Managed Detection and Response) and ITDR (Identity Threat Detection and Response) built for the budget realities of school districts. We also help districts build or refine their Incident Response Plans and support breach containment when the unexpected happens.

✅ 7. Physical Security Validation

What the Law Requires:
Technology resources include all physical equipment—servers, workstations, network hardware, and more. NIST control families cover physical and environmental protection, which is part of the ADE K-12 policy baseline.

Checklist Items:

  • Server rooms and network closets have restricted, documented access

  • Physical security controls (badges, locks, cameras) are tested periodically

  • Unauthorized physical access to technology resources is addressed in policy

How Red Garrison Helps:
Red Garrison offers Physical Penetration Testing to assess the effectiveness of your physical security controls—testing access points, surveillance coverage, and facility protections against real-world intrusion scenarios.

✅ 8. Vendor & Third-Party Security (Act 754 Alignment)

What the Law Requires:
While Act 504 governs internal policies, Act 754 of 2023 (the Arkansas Student Data Vendor Security Act) requires school districts to list all vendors handling student data and ensure contracts include data protection and breach notification requirements.

Checklist Items:

  • District maintains an inventory of all third-party vendors with access to student or district data

  • Vendor contracts include data protection terms and breach notification clauses

  • Vendor security practices are periodically reviewed

How Red Garrison Helps:
Our consulting services include reviewing vendor relationships and third-party access points as part of a comprehensive security engagement. We help identify where third-party connections create risk in your network and what contract language should be prioritized.

Quick-Reference Summary Table

Act 504 Requirement                          | Red Garrison Service
---------------------------------------------|------------------------------------------------------------
Technology Resources Policy adoption         | Policy consulting & review
Cybersecurity Policy (NIST-based) adoption   | APT Program (continuous policy validation)
Staff training on both policies              | Security awareness training & phishing simulations
Disciplinary & reporting procedures          | Policy consulting & incident investigation support
Risk assessment & vulnerability management   | External / Internal Penetration Testing, APT
Ongoing monitoring & incident readiness      | Managed Security Services, MDR via Huntress, IRP consulting
Physical security validation                 | Physical Penetration Testing
Vendor/third-party security (Act 754)        | Third-party risk consulting

Why a Checklist Isn't Enough on Its Own

A checklist tells you what to do. Red Garrison helps you actually do it—and prove that it's working.

Arkansas passed these cybersecurity laws because schools are high-value targets. Ransomware groups don't care that you have a policy document on file. They look for open ports, weak credentials, untrained staff, and unpatched systems.

That's why compliance and real security are two different things—and why Red Garrison's approach goes beyond documentation. Our APT (Adaptive Penetration Testing) program keeps your district continuously tested, continuously validated, and continuously improving.

Threats don't stop. Neither should your testing.

Ready to Get Started?

If you're a technology coordinator, superintendent, or administrator trying to make sense of Act 504—we'd love to help.

📞 (501) 404-5966
📧 info@redgarrison.com
🌐 www.redgarrison.com

Red Garrison LLC | Central Arkansas | Serving K-12 districts and public entities across the state.
