Policy & Education Security

K–12 Cybersecurity Act Signed into Law

• By David Nagel
• 10/08/21

On Friday, Oct. 8, President Biden signed the K–12 Cybersecurity Act of 2021 into law. The act comes in response to growing data security incidents impacting K–12 schools in recent years, including a dramatic rise in ransomware and other forms of malware.

On its own, the legislation is fairly simple: It authorizes the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study within 120 days of the specific risks impacting K–12 institutions. Following that, the director will develop, within 60 days, recommendations for cybersecurity guidelines for K–12 schools, based on the results of the study. And following that, within 120 days, will create an online training toolkit for "officials" at K–12 schools.

Doug Levin, national director for the nonprofit K12 Security Information Exchange (K12 SIX), noted that the new law is significant in several ways, not the least of which that it is the federal government's first formal foray into K–12 data security.

"In parallel with the rise of technology use in schools and classrooms, the cybersecurity challenges facing school districts are growing both more frequent and significant. The passage of the K-12 Cybersecurity Act of 2021 underscores the magnitude of these challenges and the importance of marshaling federal resources to address them," Levin told THE Journal. "While a handful of states — including Texas, New York and New Hampshire — have taken steps to shore up school district cybersecurity risk management practices, this act marks the first foray of the federal government into the issue. While we expect benefits from its passage, our hope is that this is only the first step in a longer legislative process to address the systemic issues that make cybersecurity risk management a particular challenge for school districts."

Levin also expressed hope that, while much work has already been done in K–12, this study will dig deeper into systemic issues in K–12 data security. "Based on research that we and others have already done, we already understand a lot about K–12 cyber incident trends and experiences. And, existing guidance from CISA, MS-ISAC, and the FBI targeted to school districts is useful for what it is. The opportunity for this study is to dig a layer deeper and shed light on the systemic issues responsible for the situation we find ourselves in — issues such as the lack of K–12 cybersecurity expectations and standards, uneven school cyber incident reporting requirements and a lack of resources to adequately protect schools from risks such as ransomware and phishing attacks. There are many common sense steps that the federal government can take that would be of help — and we at the K12 Security Information Exchange stand ready to work hand-in-hand with Congress, CISA and all other parties to make real and lasting progress on the issue."

The findings of the study, the recommendations resulting from it and the online toolkit are all to be made available through the Department of Homeland Security's website.

The recommendations developed from the study, according to the text of the legislation, are to be adopted by schools on a voluntary basis.

Said Levin: "It is our hope that the forthcoming study and recommendations from CISA help lay the foundation for more robust K–12-specific cybersecurity legislation in future sessions of Congress."