THE PROCUREMENT PULSE
Issue #3 | May 21, 2026
The weekly "I can't believe that cost how much?" briefing for K-12 tech leaders.
The Breach Clock Is Already Running
If you use Canvas, your district had a vendor-side data breach in early May. If your DPA with Instructure is like most, you don't yet know exactly which of your records were exposed — and you probably won't for weeks. None of that pauses the state and federal notification clocks that started running on May 1.
That's the lead this week. Three other things worth your time: FY2026 E-Rate is going to be fully funded, the memory crisis just got structurally worse, and Google announced the Chromebook's successor on May 12.
Let's go.
Sponsored by PCLiquidations (disclosed)
Refurbished Chromebooks and Windows laptops with NAID AAA certified data destruction on every device. Jacksonville, FL. pcliquidations.com
E-RATE WATCH
Full funding confirmed for FY2026 — no proration risk on either category.
On May 11, the FCC announced USAC will fully fund every eligible Category 1 and Category 2 request for FY2026. Total projected demand is $3.515 billion ($1.701B Cat 1, $1.814B Cat 2). The inflation-based funding cap is $5.2 billion, plus $600 million in unused prior-year funds. Total available: $5.8 billion against $3.515 billion in demand.
Two other items worth flagging:
Wave 1 and Wave 2 FCDLs are out. Wave 1 released May 1, Wave 2 on May 7. Wave 1 funded 12,977 applicants — about 60% of filers — for just over $1 billion, averaging $77,745 per applicant, most of it going to Internet Access and Internal Connections. If you're in that wave, your appeal window is 60 days from your FCDL date.
The Cybersecurity Pilot is paying out. The $200 million three-year Pilot has shifted from application review to reimbursement, and the first FCDLs are landing now. Most of you won't have been among the 700+ selected back in January 2025 — but if you were, the program is in its payout phase, so get your invoicing process ready.
DEVICE PRICING
The memory crunch from Issue #1 didn't ease. It got structurally worse — and it's a 2028 problem now, not a 2026 one.
TrendForce's May data put conventional DRAM contract prices up 90–95% quarter-over-quarter in Q1 2026 — the worst memory quarter in 15 years. The Q2 forecast is DRAM +58–63% QoQ and NAND +70–75% QoQ, with NAND outpacing DRAM for the first time this cycle. The category that hits K-12 hardest is eMMC/UFS — the storage in budget Chromebooks — because it competes for the same capacity as enterprise SSDs and earns suppliers thinner margins.
New fab capacity is not expected to reach meaningful volume before late 2027 — more realistically 2028. Micron disclosed in its December earnings call that it can fulfill only 55–60% of core customer demand. Hyperscaler capex is projected at $600+ billion in 2026, up 40% YoY, and HBM consumes three times the wafer capacity of DDR5 per bit produced. Every quarter of AI demand locks in higher prices for the next planning cycle.
What I'd do: Stop treating 2026 pricing as a blip to wait out. The refurb gap on Lenovo 300e / Dell 3100-family DDR4 devices is still holding at 30–40% below equivalent new 2026 SKUs, and the performance gap is meaningless for web-based workloads. (Disclosure: PCLiquidations sells refurb Chromebooks in this category. Included for context, not promotion.)
VENDOR MOVES
Google announced the Chromebook's successor on May 12. It's called Googlebook. K-12 isn't the initial target.
At The Android Show ahead of I/O, Google unveiled Googlebook — a new laptop category built on a unified Android/ChromeOS platform with Gemini AI integrated at the OS level. Five OEM partners are signed on for the fall 2026 launch: Acer, ASUS, Dell, HP, Lenovo. Google's framing was premium — direct comparisons to MacBook Air, expected pricing above the $699 Chromebook Plus ceiling.
Google was explicit on one point that matters here: K-12 education is not the initial target. Education devices "come later in the rollout," per Google VP John Maletis. Some existing Chromebooks from 2021 onward may be eligible to transition to the new OS, but Google has not named which SKUs or when.
My read: Don't change anything yet. ChromeOS as the K-12 platform is not going away in 2026, and the Googlebook rollout is initially aimed at the segment where Google has historically lost — premium consumer and enterprise. But the OEM product roadmaps will start to diverge from here. Expect Googlebooks at the top of Dell, HP, and Lenovo lineups and Chromebooks at the bottom, and expect the line between them to move every quarter. The thing to track is which existing fleet SKUs Google certifies for the new OS path. That list, when it appears, changes refresh math for any district sitting on 2022–2024 inventory.
BY THE NUMBERS
CoSN's U.S. State of EdTech 2026 dropped May 5. 607 K-12 technology leaders across 44 states. Three numbers worth carrying into your next budget conversation:
- 65% of districts cite insufficient budgets as their biggest barrier to effective cybersecurity. 75% are "very concerned" about AI-enabled cyber attacks. (CoSN, 2026)
- 80% of districts now have established AI guidelines, a sharp jump from last year — but 58% still report being understaffed for the instructional use of technology.
- $5.1 million — the joint California / Connecticut / New York settlement with Illuminate Education over the 2022 student-data breach. State AGs coordinating like a federal agency is the new enforcement model.
DEEP DIVE — Compliance
Vendor breaches — not classroom devices — are now the biggest compliance exposure you carry. And your notification obligations don't wait for the vendor to confirm what happened.
Here's what turns the Canvas/Instructure breach from a cybersecurity story into a compliance story: the notification obligations sit on you, not on Instructure. Three sets of rules were all triggered the moment your district became aware of the incident: state data-breach laws (most requiring notification within 30 to 60 days of discovery), FERPA's rules on unauthorized disclosure of education records, and the updated COPPA Rule (in force since April 22, nine days before the exposure window opened). Your cyber insurer's notification trigger is awareness too, not confirmed scope. Instructure's forensic timeline is "weeks to months." Your clock started May 1 — or earlier.
On the numbers: ShinyHunters claimed data on 275 million individuals across Instructure's roughly 9,000 institutions. Treat the 275 million as the threat actor's claim, not confirmed fact — Instructure has said it "reached an agreement" with the attackers but has not confirmed terms or scope.
The COPPA piece. The updated rule has been in force since April 22. From your seat the changes that matter are operational, not legal. Biometric identifiers — facial recognition, voiceprints, fingerprints — are now explicitly personal information. You can't bind parents to extraneous vendor terms like arbitration clauses under the school-authorization exception (the FTC reinforced this in its IXL Learning amicus brief). Operators have to monitor how their sub-processors handle children's data, which puts every SDK and analytics tool in scope. And data retention is limited to "as long as reasonably necessary." The question to put to your stack: do you have written confirmation from every edtech vendor that they're compliant with the updated rule? If not, that's the homework.
The disposal side. If vendor breaches are the front-door risk, retired devices are the back door. NAID AAA — governed by i-SIGMA, enforced through unannounced audits by Certified Protection Professionals — is the third-party-verified standard for data destruction. A factory reset or software wipe doesn't meet the FERPA bar for retired devices, per US DOE guidance. NIST SP 800-88 Rev. 1 covers the eMMC flash in Chromebooks, not just spinning disks — a point some IT directors still miss. The trifecta an auditor wants to see: NAID AAA for data security, R2v3 for environmental, NIST 800-88 for the sanitization method. (Disclosure: PCLiquidations and SecureRecycleJax operate in this space. Included for context, not promotion.)
Florida note. SOPIPA (FS 1002.222) hasn't had a meaningful update since 2023, and the Department of Legal Affairs is its sole enforcer — no private right of action, which concentrates enforcement. The Canvas breach hit Florida districts, so watch for AG activity over the next 60 to 90 days.
What I'd do this week, in order:
- Document when your district learned of the Canvas/Instructure incident and what you did. This is the paper trail you may need.
- Rotate Canvas API keys, LTI tokens, SSO connectors. Defensible response practice even if passwords weren't exposed.
- Confirm your DPA with Instructure includes tenant-specific scope clauses. Most don't. Note the gap for your next renewal.
- Inventory every edtech vendor that touches student data and get written confirmation of post-April 22 COPPA compliance.
- If you're retiring devices this summer, verify your ITAD partner is NAID AAA + R2v3 with NIST 800-88 documented per asset.
ONE MORE THING
A pallet of district laptops came through the warehouse that someone had "wiped" with a factory reset before shipping them out for disposal. Two still had student rosters, a few IEP notes, and a saved gradebook sitting in local folders. A factory reset isn't data destruction — it never has been.
That's the trust problem in K-12 edtech from the other direction. The front-door breach makes the news. This is the back door, and it walks out quietly on devices nobody thought twice about. Your vendors control when you find out their systems failed — but the retired fleet in your storage closet is entirely yours to get right.
If this was useful, forward it to one IT director or technology coordinator you know. That's the only way this grows.
See you next Thursday.
— JP
The Procurement Pulse | procurementpulse.news