Researchers concluded that much of the cybersecurity legislation passed by states focused on improving cybersecurity for state government agencies. “The analysis,” explain the authors, “showed that state lawmakers passed legislation to address the needs of state government systems, specifically state agencies, over all other entities.” By reviewing cybersecurity bills enacted across the United States, analysts at the UC Berkely Center for Long-Term Cybersecurity discovered that 37 states passed 99 cybersecurity-related bills in 2025, creating 393 new cybersecurity rules. A color-coded map of the U.S. displays the number of bills passed by each state—from one to fourteen in their report, Tracking Cybersecurity Policy Developments Across State Legislatures.
Map Showing the Cybersecurity Bills Passed in State Legislatures in 2025
Map courtesy of The UC Berkeley Center for Long-Term Cybersecurity
In addition, the researchers created a searchable database for all cybersecurity-related bills enacted in 2025 for all 50 states. The researchers explain that, “this database is meant to serve as a tool for researchers, practitioners, and lawmakers to quickly understand the current legislative landscape in any given state, identify which local lawmakers are actively passing cybersecurity policy, and contact their offices if needed.”
A March 10 press release from the American Academy of Physician Associates (AAPA), announced that South Dakota joined the PA licensure compact, making the state the 23rd to enter the compact. The state joined the compact as part of an application for Rural Health Transformation Program funds, according to the release. “With the bill now signed into law,” the release explains, “South Dakota joins a rapidly growing number of states committed to modernizing licensure frameworks to better reflect how healthcare is delivered today.”
In a March 18 webinar, GovRAMP shared information on Utah’s transition to GovRAMP. According to the presentation, Utah & GovRAMP Office Hours, reasons for requiring GovRAMP included: increasing security standards, along with the cost efficiency of using a shared assessment. Utah accepts GovRAMP or FedRAMP Authorized (Rev. 5 packages). Security assessments no longer accepted by Utah include: TXRAMP, SOC 2, ISO 27001 and HITRUST. Specifically, for GovRAMP, they accept Progressing Snapshot, Core Status, Ready Status and Authorized Status, but not Snapshot. These new requirements took effect July 1, 2025, for new solicitations/contracts. For existing contracts, Utah aims to offer a smooth transition to GovRAMP. Effective July 1, 2027, all solicitations with a requirement of GovRAMP or FedRAMP require the product to already hold an appropriate verified status – Core, Ready, Authorized or Provisionally Authorized. GovRAMP suggested the following resource for more information on Utah’s GovRAMP requirements: Utah’s GovRAMP page.
Renee Moseley joined GL Solutions in 2016 with an educational and professional background in research and writing, along with software documentation. At GL Solutions she produces informative content to help regulatory agencies stay current on news and information that supports their success.
