Cybersecurity and Infrastructure Security Agency Releases New Report on Cybersecurity Threats for K-12 Entities

February 8, 2023

School districts are relying on technology while they reshape educational services and reform educational methods. Because of this growing reliance on increasingly advanced technology, school districts have faced and will continue to face severe cybersecurity challenges.

In recognition of school districts’ increased use of technology platforms, Congress passed the K-12 Cybersecurity Act of 2021. Under the Act, the Cybersecurity and Infrastructure Security Agency (CISA) must report on the nature of cybersecurity threats and provide recommendations based on input from government officials, educators, and policymakers within the K-12 education community.

On Jan. 24, CISA issued a new report. CISA states that its goal in providing its report is to “raise awareness of the K–12 community’s growing cyber risk and threat landscape and catalyze action across the K–12 community.”

Here are some notable highlights and recommendations for school districts:

Recommendation #1: Invest in the most impactful security measures and build toward a mature cybersecurity plan

CISA reports that one main factor in fighting cyberattacks is recognizing that K-12 institutions have only a set number of resources. Because of this, CISA recommends that school districts first implement the “highest priority security controls” and then work to prioritize short-term actions, like fixing any known security flaws. For these high-priority steps, CISA directs school districts to the “Cybersecurity Performance Goals” or “CPGs,” which are intended to be straightforward guidance tools. Some of CISA’s recommended “high-priority” steps involve minimizing exposure to threat actors and developing training for school staff. School districts should aim to build a “unique” plan over time that will ultimately produce resilient cybersecurity programs.

Recommendation #2: Recognize and actively address resource constraints

In its findings, CISA notes that several school districts do not currently have sufficient IT resources that can properly support cybersecurity initiatives. Consequently, CISA recommends that school districts work with the state planning committee for the State and Local Cybersecurity Grant Program to obtain more resources. Further, CISA encourages school districts to utilize low-cost services for immediate improvements and rely on technology providers to implement strong security controls, without additional charges. Finally, school districts are encouraged to minimize opportunities for cyber attackers by moving IT services from “on-premises” services to the cloud, which offers more security.

Recommendation #3: Focus on collaboration and information sharing

CISA recognizes that K-12 entities on their own cannot “singlehandedly identify and prioritize” threats and risks associated with cybersecurity. CISA’s report recommends that school districts join collaboration groups that can assist in identifying these threats, as well as other organizations and agencies. Further, school districts are encouraged to build strong relationships with CISA and FBI cybersecurity contacts.

CISA’s report acts as a reminder to school districts that the education sector is “under unprecedented risk” in an age where increased reliance on technology has resulted in heightened cybersecurity risks. With these goals and recommendations, school districts can begin implementing immediate changes, while simultaneously planning for more intensive reform.

If you have any questions, please feel free to contact Charles Russman, Bailey Kadian, or any other member of Clark Hill’s Education team.

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice. 
