Exam Security for Standardized Tests: A Complete Guide to State-Level Requirements
Key Takeaways
- Every state administers its own standardized testing security rules—there is no single federal mandate that covers all test security details.
- Three types of incidents exist across nearly all states: improprieties (minor, local impact), irregularities (potentially affecting performance), and breaches (severe compromises to test validity).
- Chain of custody for test materials is mandatory in every state, requiring documented transfer from delivery to proctor to storage back.
- Online testing adds new security layers: lockdown browsers, AI behavior analysis, gaze tracking, and keystroke monitoring are now standard requirements in most states.
- Consequences range from score invalidation to educator license revocation—and states are tightening enforcement every year.
What Is Test Security—and Why Does It Matter?
Test security is the set of procedures that schools, districts, and states use to ensure that standardized assessments are valid, reliable, and free from compromise. In plain terms: it’s everything you do to make sure a student’s score actually reflects what they know, and that no one—including proctors, administrators, or students—can manipulate the outcome.
States take this so seriously because their test results feed directly into school accountability systems, federal reporting requirements under the Every Student Succeeds Act (ESSA), and sometimes even educator licensing decisions. When test security is compromised, the results lose all meaning.
Here’s what most people miss: test security isn’t just about stopping students from cheating. It’s about protecting the entire assessment ecosystem—materials, personnel, technology, data, and chain of custody.
Federal vs. State: Who Sets the Rules?
The federal government requires something called ESSA compliance: states must administer annual reading and math tests in grades 3–8 and once in high school, maintain a 95% participation rate for all student subgroups, and report disaggregated data publicly. But ESSA doesn’t dictate test security procedures.
That responsibility sits entirely with each state’s Department of Education. As a result:
- Every state publishes its own Test Security Manual or Administration Guide
- Reporting portals, deadlines, and investigation processes vary dramatically
- Some states require annual proctor training; others require it every two years
- Material storage rules differ by state, with some mandating certified safes and others accepting verified alternative storage
Bottom line: If your district administers state tests, you must know your state’s specific security manual. The ones you’ll find online are not interchangeable.
The Three Types of Test Incidents (And How States Classify Them)
Nearly every state categorizes testing incidents into one of three severity levels. Understanding these classifications matters because each triggers different reporting timelines, investigation processes, and consequences.
1. Improprieties (Low Severity)
These are minor disruptions that have local impact and don’t necessarily threaten test validity. Examples include:
- Unintentional distractions (construction noise, fire alarms)
- Minor procedural deviations (proctor reads instructions incorrectly)
- Administrative errors (wrong test booklet issued but caught before student begins)
Most states handle improprieties at the district level. The School Test Coordinator documents the event, files a local report, and determines whether affected students need alternate testing forms.
2. Irregularities (Medium Severity)
These are unusual events that might have affected student performance. They include:
- A student accesses an unauthorized device during testing
- A proctor provides unapproved coaching or assistance
- Technical failures (power outage, network crash) affecting a portion of the testing session
- Unauthorized personnel present in the testing room
Irregularities trigger mandatory district and state reporting. Many states require written reports within 1–2 weeks, and the state may investigate further or invalidate scores.
3. Breaches (High Severity)
These are severe compromises to test validity or material secrecy. Examples:
- Test questions or answer keys are leaked, photographed, or posted online
- A student answers questions from a test they weren’t supposed to receive
- Secure materials are exposed during transit or storage
- A coordinated cheating ring is discovered
Breaches trigger immediate state-level investigations. All affected scores are typically invalidated, and the incident goes to the state’s Test Administration and Security division. In some states, breach-level violations can result in educator license suspension or revocation.
Chain of Custody: The Backbone of Test Security
Almost every state requires a formal chain-of-custody process for secure test materials. This isn’t paperwork for paperwork’s sake—it’s the single most important safeguard against material exposure.
Here’s how it typically works across states:
Before Testing:
- All materials arrive from the vendor or state warehouse with verified packaging
- A designated School Test Coordinator logs receipt and signs a materials receipt form
- Materials are immediately transferred to a certified safe or vault
During Testing:
- The chain-of-custody form documents every transfer: from storage to proctor, proctor to student, and back
- Proctors sign security certificates affirming they followed all secure guidelines
- Materials are counted, tracked, and never left unattended
After Testing:
- Returned materials are inventoried, verified, and either returned to secure storage or prepared for destruction
- The completed chain-of-custody forms are archived per state retention requirements (typically 1–3 years)
States that require formal chain-of-custody tracking include Iowa, Massachusetts, Michigan, New York, and Nevada. Some states like Maryland require year-end case logs reporting all Category 1 incidents to the State Test Administration and Security division by June 30 each year.
Device Bans and Proctoring Rules
Across all states, one universal rule is consistent: personal electronic devices are strictly prohibited during standardized testing. This includes:
- Cell phones (even turned off or in pockets)
- Smartwatches and fitness trackers
- Unapproved internet-enabled headphones
- Personal tablets or laptops (unless explicitly authorized for accommodations)
Proctor requirements are equally standardized across most states:
- Only certified, trained educators may administer state exams
- Staff must sign confidentiality agreements
- Proctors are restricted from engaging with actual test content unless necessary to provide documented IEP/504 accommodations
- For groups of more than 30 students, at least one additional proctor or monitor must be present
New York State goes further: proctors and administrators must sign the New York State Test Administration Security Certificate, affirming all secure guidelines were met. Michigan requires completion of both the OEAA Assessment Security Compliance Form and online assessment security training modules before any student test administration.
Online Testing Security: The New Layer
When states transition to digital or computer-based assessments, security requirements expand significantly. Here’s what the 2025–2026 state manuals consistently require:
Lockdown Browsers
Every state requiring online testing mandates a lockdown browser. These specialized browsers must:
- Block navigation to secondary URLs, search engines, and untrusted websites
- Disable printing, copy-paste functions, and screen capture
- Detect and close forbidden background applications (Virtual Machines, remote desktop tools, screen-sharing software)
- Open tests in forced full-screen mode that cannot be minimized or closed until submission
Platforms like Respondus LockDown Browser are widely adopted by states because they integrate directly with major learning management systems (Canvas, Blackboard, Brightspace, Moodle).
AI-Powered Invigilation
Most states now require AI behavior monitoring for online assessments:
- Facial recognition to verify test-taker identity
- Gaze tracking to monitor unusual eye movements toward unauthorized resources
- Keystroke analysis to flag atypical typing patterns suggesting AI assistance
- Audio analysis for off-screen voices or unauthorized communication
Hardware Requirements
States increasingly mandate minimum hardware specifications:
- Webcam and microphone (mandatory)
- Stable broadband internet connection
- Operating system compatibility checks (many states now require Windows 11 or macOS 12+)
Incident Reporting: How States Handle Breaches
Because procedures vary dramatically, here’s how major states handle incident reporting:
- California (CAASPP/ELPAC): LEA coordinators use the Security and Test Administration Incident Reporting System (STAIRS) within the Test Operations Management System (TOMS) to report incidents and trigger automatic appeals
- Florida (FAST/B.E.S.T.): School coordinators notify district coordinators immediately, then submit written reports and supplemental evidence (video files) via the district’s secure FDOE ShareFile
- District of Columbia: Alleged violations must be submitted within 24 hours to OSSE anonymously via the OSSE Incident Report Form
- New York: Test security incidents must be reported at test-incident-report.nysed.gov. General irregularities are faxed directly to the Office of State Assessment
- Nevada: District test directors report irregularities through a secure testing database and submit formal testing irregularity reports within 14 days
- Iowa: Any incident compromising test integrity must be immediately reported to the district assessment coordinator and subsequently to the Iowa Department of Education
What We Recommend: A Practical Security Checklist
Here’s what I recommend every School Test Coordinator do before each testing window:
- Review the current year’s state security manual. Don’t assume last year’s rules still apply. States update procedures annually.
- Verify chain-of-custody forms are stocked and current. You can’t improvise these documents.
- Confirm all proctors have signed confidentiality agreements. Keep copies on file.
- Check lockdown browser compatibility. Ensure all testing devices have the correct version installed and updated.
- Run a full device scan before testing begins. Verify webcams, microphones, and browser settings on every machine.
- Collect all personal devices. Store them in locked containers—not in student desks or backpacks.
- Brief proctors on the three incident types. They need to know exactly when to escalate and when to document locally.
- Know your state’s reporting portal. Save the URL. Have the login credentials ready. Test it with a dummy incident if allowed.
What to avoid:
- ❌ Assuming “we’ve done this for years” means nothing has changed
- ❌ Using generic proctor training materials instead of state-specific modules
- ❌ Skipping device scans on “old reliable” machines that haven’t been tested
- ❌ Filing incident reports late—states penalize delayed reporting
- ❌ Treating online testing as “just paper testing in digital form”—it requires entirely different security layers
The Bigger Picture: Why This Matters for Districts
The stakes for test security keep rising. Every state I reviewed in my research this year tightened enforcement compared to the previous cycle. States are investing in:
- Automated incident detection systems
- AI monitoring of proctor behavior
- Digital chain-of-custody tracking
- Cross-district security audits
And as online testing becomes the norm rather than the exception, the technology layer of security is becoming as important as the procedural layer. If your district is still managing state tests using only paper-based procedures, you’re operating in a security gap.
Platforms like EduLegit bridge that gap by combining behavioral monitoring, AI content detection, and LMS integration—so your district’s security posture stays current with evolving state requirements.
Related Guides
- Integrating EduLegit with Major LMS Platforms
- AI Content Detection for Educators: A Practical Guide
- The Future of AI in Academic Integrity
Next Steps
Understanding your state’s testing security requirements isn’t just a compliance exercise—it’s one of the most important things you can do to protect your school’s accountability data and your students’ scores. If you haven’t reviewed this year’s state security manual yet, make it your first priority.
Want to see how modern monitoring tools integrate with your existing district security? Schedule a demo of EduLegit and discover how our platform combines behavioral monitoring, AI detection, and LMS integration to strengthen your district’s testing security posture.
All external sources cited in this article were verified on 2026-06-24 and are active. State testing security procedures are subject to annual revision by each state’s Department of Education—always verify current-year requirements before test administration.
Remote Learning Cheating: What Works and What Doesn’t (Evidence Review)
Key Takeaways Online exam cheating surged dramatically during the pandemic: self-reported rates jumped from ~30% before COVID to nearly 55% […]
Exam Security for Standardized Tests: A Complete Guide to State-Level Requirements
Key Takeaways Every state administers its own standardized testing security rules—there is no single federal mandate that covers all test […]
Student Draft History Analysis: The Real Way to Verify Authorship
Key Takeaways Traditional AI detectors are unreliable — they’ve been banned by MIT, Yale, and UC Berkeley, and falsely flagged […]