K–12 Cybersecurity Act Signed into Law

On Friday, Oct. 8, President Biden signed the K–12 Cybersecurity Act of 2021 into law. The act comes in response to growing data security incidents impacting K–12 schools in recent years, including a dramatic rise in ransomware and other forms of malware.

On its own, the legislation is fairly simple: It authorizes the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study within 120 days of the specific risks impacting K–12 institutions. Following that, the director will develop, within 60 days, recommendations for cybersecurity guidelines for K–12 schools, based on the results of the study. And following that, within 120 days, will create an online training toolkit for "officials" at K–12 schools.

Doug Levin, national director for the nonprofit K12 Security Information Exchange (K12 SIX), noted that the new law is significant in several ways, not the least of which that it is the federal government's first formal foray into K–12 data security.

"In parallel with the rise of technology use in schools and classrooms, the cybersecurity challenges facing school districts are growing both more frequent and significant. The passage of the K-12 Cybersecurity Act of 2021 underscores the magnitude of these challenges and the importance of marshaling federal resources to address them," Levin told THE Journal. "While a handful of states — including Texas, New York and New Hampshire — have taken steps to shore up school district cybersecurity risk management practices, this act marks the first foray of the federal government into the issue. While we expect benefits from its passage, our hope is that this is only the first step in a longer legislative process to address the systemic issues that make cybersecurity risk management a particular challenge for school districts."

Levin also expressed hope that, while much work has already been done in K–12, this study will dig deeper into systemic issues in K–12 data security. "Based on research that we and others have already done, we already understand a lot about K–12 cyber incident trends and experiences. And, existing guidance from CISA, MS-ISAC, and the FBI targeted to school districts is useful for what it is. The opportunity for this study is to dig a layer deeper and shed light on the systemic issues responsible for the situation we find ourselves in — issues such as the lack of K–12 cybersecurity expectations and standards, uneven school cyber incident reporting requirements and a lack of resources to adequately protect schools from risks such as ransomware and phishing attacks. There are many common sense steps that the federal government can take that would be of help — and we at the K12 Security Information Exchange stand ready to work hand-in-hand with Congress, CISA and all other parties to make real and lasting progress on the issue."

The findings of the study, the recommendations resulting from it and the online toolkit are all to be made available through the Department of Homeland Security's website.

The recommendations developed from the study, according to the text of the legislation, are to be adopted by schools on a voluntary basis.

Said Levin: "It is our hope that the forthcoming study and recommendations from CISA help lay the foundation for more robust K–12-specific cybersecurity legislation in future sessions of Congress."

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • Digital Network of User Profiles and Data Connections

    Microsoft, RSA Updates Focus on Identity Security in the Age of AI

    Two authentication announcements coming out of the recent RSA Conference both point in the same direction: Organizations need a more flexible, unified approach to identity security, especially as AI agents start acting alongside human workers.

  • Wi-Fi icon on dark blue circuit background

    FCC to Conduct 'Top-to-Bottom' Review of E-Rate Program

    The FCC is laying the groundwork for a comprehensive review of its E-Rate program, the federal initiative that provides K–12 schools and public libraries with discounts on internet, WiFi, and telecommunications services to ensure equitable digital access.

  • Digital cyberspace with particles and Digital data

    Survey: AI Is Moving Faster than Data Trust

    AI agents are already in use or pilot at most organizations, but data visibility, governance and precision recovery capabilities have not kept pace, according to a new survey from Veeam Software.

  • AI logo near computer equipment

    White House Issues National Policy Framework for AI

    The White House has released a four-page AI policy framework aimed at setting a national approach to AI, with priorities including child safety, intellectual property protections, truth and accuracy guardrails, and worker training for an AI-driven economy.