Published on January 25th, 2023
Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats
There is no more important institution to the future prosperity and strength of the United States than our nation’s K–12 education system. K–12 schools and school districts have adopted advanced networking technologies that facilitate learning and make schools more efficient and effective. This technological gain, however, has introduced heightened risks. Malicious cyber actors are targeting K–12 education organizations across the country, with potentially catastrophic impacts on students, their families, teachers, and administrators.
The K–12 cybersecurity challenge was exacerbated by the COVID-19 pandemic, which significantly tested the nation’s education system, necessitating an unexpected pivot to virtual learning that rendered our K–12 educational institutions increasingly vulnerable as new technologies were adopted on an unprecedented scale. Cyberattacks, and the threat thereof, strained resources and impacted delivery of critical education services across the nation. This has placed an untenable burden on our educational institutions and the populations that they serve and protect — children, parents, and educators. A continuing drumbeat of cyber intrusions is threatening the nation’s ability to educate our children while also placing personal information and school data at risk.
Congress recognized this heightened risk environment by enacting the K–12 Cybersecurity Act of 2021 (“The Act”), which required the Cybersecurity and Infrastructure Security Agency (CISA) to report on cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to help schools face these risks. Our resultant report provides insight into the current threat landscape and the K–12 community’s capacity to prevent and mitigate cyber-attacks. Recommendations throughout this report are informed by insights from policymakers, government officials, and members of the K–12 community. These recommendations are presented with a caveat: change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone.
CISA released its report and toolkit for K-12 institutions to help them better protect against cybersecurity threats. The report titled “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats” provides recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. It also provides insight into the current threat landscape specific to the K-12 community and offers simple steps school leaders can take to strengthen their cybersecurity efforts.
The report, CISA’s recommendations, and supporting digital toolkit can be accessed below.
- In an environment of limited resources, leaders should leverage security investments to focus on the most impactful steps. K–12 entities should begin with a small number of prioritized investments: deploying multifactor authentication (MFA), mitigating known exploited vulnerabilities, implementing and testing backups, regularly exercising an incident response plan, and implementing a strong cybersecurity training program. K–12 entities should then progress to fully adopting CISA’s Cybersecurity Performance Goals (CPGs) and mature to building an enterprise cybersecurity plan aligned around the NIST Cybersecurity Framework (CSF).
- Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution. Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.
- No K–12 institution is an island. Information sharing and collaboration with peers and partners is essential to build awareness and sustain resilience. K–12 entities should participate in an information sharing forum such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or K12 Security Information eXchange (K12 SIX) and establish a relationship with CISA and FBI field personnel.
Invest in the most impactful security measures and build toward a mature cybersecurity plan by taking these three steps:
- Implement highest priority security controls.
- Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
- Over the long-term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF).
Recognize and actively address resource constraints:
- Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
- Utilize free or low-cost services to make near-term improvements in resource-constrained environments.
- Expect and call for technology providers to enable strong security controls by default for no additional charge.
- Minimize the burden of security by migrating IT services to more secure cloud versions.
Focus on collaboration and information sharing:
- Join relevant collaboration groups, such as MS-ISAC and K12 SIX.
- Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
- Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.
The toolkit aligns resources and materials to each of CISA’s three recommendations along with guidance on how stakeholders can implement each recommendation based on their current needs. Along with each recommendation, stakeholders will find key actions and related resources to help them confidently build, operate, and maintain resilient cybersecurity programs at their school or district. The toolkit also shares additional free cybersecurity trainings and resources available for the K-12 community.
Please visit the Digital Toolkit page for all resources. You can print this Toolkit (.pdf, 919KB) as well.