Arkansas Passes New Cybersecurity Laws: Here’s What You Need to Know
In a quiet but important shift, the Arkansas Legislature passed several new cybersecurity laws during its most recent session — and they are already changing how businesses, schools, and public agencies need to think about digital risk.
If you operate in Arkansas — whether you're in education, critical infrastructure, or local government — these changes could affect you.
Here’s what you need to know.
1. Mandatory Cybersecurity Policies for Public Entities (Act 504)
The first major law, Act 504, now requires every public entity in Arkansas — including state agencies, counties, cities, school districts, and public colleges — to adopt formal cybersecurity policies.
That means if you're a public organization in Arkansas and you don't have an approved cybersecurity policy yet, you are now out of compliance.
Public entities must submit their cybersecurity policies to the Arkansas State Cyber Security Office every two years for review, aligning them with state cybersecurity standards.
Why it matters:
Outdated or nonexistent policies have long been a weak point for public-sector security. Act 504 forces local agencies and schools to address risks like ransomware, phishing, and insider threats — before an incident happens.
When:
Policies must have been in place by mid-2024. Ongoing updates will be required every two years.
2. New Cyber Risk Pool for Public Agencies (Act 846)
Cyberattacks are expensive. Recovery costs after a ransomware attack can easily hit six figures, even for small towns and school districts.
Act 846 created the Arkansas Self-Funded Cyber Response Program — a new insurance and incident-response fund specifically for counties, cities, and school districts.
Through this program, public entities can opt into statewide cyber coverage, helping them manage the financial impact of an attack.
There’s a catch:
Entities must meet minimum cybersecurity standards within 12 months to maintain coverage.
Why it matters:
If you’re a public IT leader or superintendent, participating in this program could be critical for funding recovery after a cyberattack — but only if your organization tightens its cybersecurity practices now.
3. Cyber Incident Confidentiality Rules (Act 510)
Before this year, cyber incidents at public agencies often became public record under Arkansas' Freedom of Information Act (FOIA), even before full investigations were complete.
Act 510 changes that.
It makes internal cybersecurity response plans confidential and allows closed legislative sessions to discuss cyberattacks on state and local systems.
Why it matters:
Agencies no longer have to reveal their security playbooks — or the details of an ongoing cyber incident — to the public. This move is designed to protect sensitive data from being exposed while a breach is still being contained.
4. Ban on Foreign-Made Drones for Public Use (Act 525)
In another security-focused move, Arkansas passed Act 525, banning state and local governments from buying drones made by companies affiliated with adversarial nations like China or Russia.
Any existing foreign-made drones must be phased out by May 1, 2027.
Why it matters:
Drones are increasingly used for infrastructure inspections, public safety, and disaster response. But they can also collect sensitive imagery and metadata. This law tries to ensure Arkansas public systems aren't unknowingly feeding data to hostile entities.
5. Ban on State Contracts with China (Act 758)
Arkansas also passed the Technology Protection Act (Act 758), which bans state agencies from contracting with the government of China or Chinese state-owned companies.
Why it matters:
Vendors that want to do business with Arkansas now have to prove they aren’t controlled by a foreign government. This could reshape procurement options for IT services, cloud providers, and hardware vendors.
6. Student Data Protection for K-12 Schools (Act 754)
Finally, Act 754 addresses a growing concern in education: third-party vendor security.
Public school districts are now required to:
List all vendors handling student data.
Ensure contracts include strict data protection and breach notification terms.
Why it matters:
Student data (grades, addresses, health info) has become a big target for cybercriminals. This law gives parents and educators more transparency — and forces ed-tech vendors to step up their security.
Bottom Line
Arkansas isn’t just talking about cybersecurity — it’s changing the rules.
Whether you’re a school, a city government, a vendor, or a business that interacts with public entities, you need to be paying attention to these new requirements.
Cyber threats in Arkansas are growing — but so are the expectations for how we defend against them.
At Red Garrison, we’re already helping organizations across Arkansas update their policies, tighten their defenses, and prepare for what’s next.
Need help getting your cybersecurity policies compliant — or just want a quick readiness check?
Contact Red Garrison today. We’re ready to defend.