K–12 Cybersecurity Act Signed into Law

On Friday, Oct. 8, President Biden signed the K–12 Cybersecurity Act of 2021 into law. The act comes in response to growing data security incidents impacting K–12 schools in recent years, including a dramatic rise in ransomware and other forms of malware.

On its own, the legislation is fairly simple: It authorizes the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study within 120 days of the specific risks impacting K–12 institutions. Following that, the director will develop, within 60 days, recommendations for cybersecurity guidelines for K–12 schools, based on the results of the study. And following that, within 120 days, will create an online training toolkit for "officials" at K–12 schools.

Doug Levin, national director for the nonprofit K12 Security Information Exchange (K12 SIX), noted that the new law is significant in several ways, not the least of which that it is the federal government's first formal foray into K–12 data security.

"In parallel with the rise of technology use in schools and classrooms, the cybersecurity challenges facing school districts are growing both more frequent and significant. The passage of the K-12 Cybersecurity Act of 2021 underscores the magnitude of these challenges and the importance of marshaling federal resources to address them," Levin told THE Journal. "While a handful of states — including Texas, New York and New Hampshire — have taken steps to shore up school district cybersecurity risk management practices, this act marks the first foray of the federal government into the issue. While we expect benefits from its passage, our hope is that this is only the first step in a longer legislative process to address the systemic issues that make cybersecurity risk management a particular challenge for school districts."

Levin also expressed hope that, while much work has already been done in K–12, this study will dig deeper into systemic issues in K–12 data security. "Based on research that we and others have already done, we already understand a lot about K–12 cyber incident trends and experiences. And, existing guidance from CISA, MS-ISAC, and the FBI targeted to school districts is useful for what it is. The opportunity for this study is to dig a layer deeper and shed light on the systemic issues responsible for the situation we find ourselves in — issues such as the lack of K–12 cybersecurity expectations and standards, uneven school cyber incident reporting requirements and a lack of resources to adequately protect schools from risks such as ransomware and phishing attacks. There are many common sense steps that the federal government can take that would be of help — and we at the K12 Security Information Exchange stand ready to work hand-in-hand with Congress, CISA and all other parties to make real and lasting progress on the issue."

The findings of the study, the recommendations resulting from it and the online toolkit are all to be made available through the Department of Homeland Security's website.

The recommendations developed from the study, according to the text of the legislation, are to be adopted by schools on a voluntary basis.

Said Levin: "It is our hope that the forthcoming study and recommendations from CISA help lay the foundation for more robust K–12-specific cybersecurity legislation in future sessions of Congress."

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • robot typing on a computer

    Microsoft Unveils 'Computer Use' Automation in Copilot Studio

    Microsoft has announced a new AI-powered feature called "computer use" for its Copilot Studio platform that allows agents to directly interact with Web sites and desktop applications using simulated mouse clicks, menu selections and text inputs.

  • AI microchip under cybersecurity attack, surrounded by symbols of threats like a skull, spider, lock, and warning shield

    Report Finds Agentic AI Protocol Vulnerable to Cyber Attacks

    A new report from Backslash Security has identified significant security vulnerabilities in the Model Context Protocol (MCP), technology introduced by Anthropic in November 2024 to facilitate communication between AI agents and external tools.

  • educators seated at a table with a laptop and tablet, against a backdrop of muted geometric shapes

    HMH Forms Educator Council to Inform AI Tool Development

    Adaptive learning company HMH has established an AI Educator Council that brings together teachers, instructional coaches and leaders from school district across the country to help shape its AI solutions.

  • illustration of a human head with a glowing neural network in the brain, connected to tech icons on a cool blue-gray background

    Meta Introduces Stand-Alone AI App

    Meta Platforms has launched a stand-alone artificial intelligence app built on its proprietary Llama 4 model, intensifying the competitive race in generative AI alongside OpenAI, Google, Anthropic, and xAI.