Policy & Education Security
K–12 Cybersecurity Act Signed into Law
On Friday, Oct. 8, President Biden signed
the K–12 Cybersecurity Act of 2021 into law. The act comes in
response to growing data security incidents impacting K–12 schools
in recent years, including a dramatic
rise in ransomware and other
forms of malware.
On its own, the legislation is fairly simple: It authorizes the
director of the Cybersecurity
and Infrastructure Security Agency (CISA) to conduct a study
within 120 days of the specific risks impacting K–12 institutions.
Following that, the director will develop, within 60 days,
recommendations for cybersecurity guidelines for K–12 schools,
based on the results of the study. And following that, within 120
days, will create an online training toolkit for "officials"
at K–12 schools.
Doug Levin, national director for the nonprofit K12
Security Information Exchange (K12 SIX), noted that the new law
is significant in several ways, not the least of which that it is the
federal government's first formal foray into K–12 data security.
"In parallel with the rise of technology use in schools and
classrooms, the cybersecurity challenges facing school districts are
growing both more frequent and significant. The passage of the K-12
Cybersecurity Act of 2021 underscores the magnitude of these
challenges and the importance of marshaling federal resources to
address them," Levin told THE Journal. "While a
handful of states — including Texas, New York and New Hampshire —
have taken steps to shore up school district cybersecurity risk
management practices, this act marks the first foray of the federal
government into the issue. While we expect benefits from its passage,
our hope is that this is only the first step in a longer legislative
process to address the systemic issues that make cybersecurity risk
management a particular challenge for school districts."
Levin also expressed hope that, while much work has already been
done in K–12, this study will dig deeper into systemic issues in
K–12 data security. "Based on research that we and others have
already done, we already understand a lot about K–12 cyber incident
trends and experiences. And, existing guidance from CISA, MS-ISAC,
and the FBI targeted to school districts is useful for what it is.
The opportunity for this study is to dig a layer deeper and shed
light on the systemic issues responsible for the situation we find
ourselves in — issues such as the lack of K–12 cybersecurity
expectations and standards, uneven school cyber incident reporting
requirements and a lack of resources to adequately protect schools
from risks such as ransomware and phishing attacks. There are many
common sense steps that the federal government can take that would be
of help — and we at the K12 Security Information Exchange stand
ready to work hand-in-hand with Congress, CISA and all other parties
to make real and lasting progress on the issue."
The findings of the study, the recommendations resulting from it
and the online toolkit are all to be made available through the
Department of Homeland Security's website.
The recommendations developed from the study, according to the
of the legislation, are to be adopted by schools on a voluntary
Said Levin: "It is our hope that the forthcoming study and
recommendations from CISA help lay the foundation for more robust
K–12-specific cybersecurity legislation in future sessions of