When Gov. Kim Reynolds vetoed a section of the state budget that allocated funding for K-12 school cybersecurity enhancement, she argued it was a “clear and unmistakable earmark” designated for a single technology company.
But a Republican state lawmaker behind the proposal said the provision would have allowed any cybersecurity company to bid for a contract with the state as cyberattacks on school districts keeps rising.
Reynolds’ June 2 veto came in the last slate of annual bill rejections as she serves out her final months in office.
The provision she rejected was part of the state education budget, allocating $500,000 for protecting K-12 schools from cybersecurity threats. The governor said her decision was based on concerns that the measure was “drafted, designed and lobbied for by a specific information technology and cybersecurity firm.”
While Reynolds’ veto message did not name a specific company, the intended vendor for the appropriation was the California-based cybersecurity provider Fortinet, according to multiple state lawmakers.
The governor’s office declined to comment further or confirm the name of the company.
Fortinet offers cybersecurity protection services for companies, school districts, local governments and others across the country. The company did not respond to multiple comment requests.
In her June 2 veto letter, Reynolds argued the bill failed to disclose that school districts subscribing to the company’s service will be saddled with “recurring annual costs that will substantially and persistently exceed the limited one-time appropriation.”
“In effect, this earmark uses a modest sum of taxpayer dollars as an inducement to lock Iowa school districts into long-term vendor relationships — shifting the true cost of this arrangement onto local budgets for years to come, with no guarantee of continued state support to offset it,” Reynolds wrote.
Iowa state Sen. Jesse Green, R-Boone, who floor-managed the bill and champions cybersecurity funding, disputed Reynolds’ allegation.
“The way the bill was written was it would have allowed any company to put a RFP (request for proposal) or be able to negotiate for the contract. And so there’s other companies that are out there in the space,” Green said. “It wasn’t specific to one entity, but I guess it’s just a difference in opinion.”
The vetoed provision would’ve designated $500,000 for “procuring, implementing, and maintaining on-premises and secure electronic mail gateway appliances that support centralized policy management, automated threat response, and unified threat visibility, and that utilize artificial intelligence-powered security subscriptions and support services to protect school district electronic mail systems” from advanced cyber threats, the measure states.
Pointing to widespread cybersecurity attacks targeting Iowa school districts in recent years, Green, who chairs the Iowa Senate Education Appropriations Subcommittee, contends the state should pick up the tab for enhancing cybersecurity, especially for smaller and more rural districts.
In 2023, the Des Moines Public Schools cancelled classes for multiple days in response to a ransomware attack. The district, along with thousands of universities, colleges and schools across the country, found its access to Canvas, a web-based learning management system, disrupted following a cybersecurity attack in early May this year.
“I thought for a reasonable amount of money that if we provided the funds through the state, that these smaller schools would then comply and update their cybersecurity systems, and that we could do it more effectively and efficiently,” Green said.
Green also sponsored Senate File 2200 early in the 2026 session, which would have required Iowa public school districts, charter schools and area education agencies to adopt cybersecurity solutions.
Fortinet lobbied in favor of the bill and was the only technology company with a registered stance on the legislation.
As Reynolds noted in her veto letter, Iowa school districts have access to cybersecurity services through state-negotiated master agreements, or prenegotiated, competitively bid contracts.
“These agreements exist precisely so that districts can meet their technology and security needs efficiently and competitively, selecting the vendor that best serves their students and communities,” Reynolds wrote. “Every school district in Iowa already has the tools and authority it needs to secure robust cybersecurity services — at favorable pricing, from the vendor of their choice.”
Despite the veto, Green said he will continue to push for increased cybersecurity funding in future legislative sessions.
“This is going to be a growing threat as we move forward,” Green said. “We need to always be vigilant in this area.”
Rapid Response Politics Reporter Maya Marchel Hoff can be reached at mmarchelHoff@usatodayco.com. You can find her on X (formerly Twitter) at @mmarchelhoff.