Cyber Risk Management
New CISA K-12 Cyber Report: Leaders – Not Just IT Staff – Must Be Involved in Security Strategy
Recommendations Include a Handful of Urgent Priorities, Call for More Information Sharing, Procurement Expectations for Vendors
- By Kristal Kuykendall
The federal Cybersecurity and Infrastructure Security Agency this week released its long-awaited K–12 report and guide for public schools, almost a year and a half after Congress enacted the K–12 Cybersecurity Act of 2021.
The new CISA report, “Partnering to Safeguard K–12 Organizations from Cybersecurity Threats,” and accompanying toolkit answer Congress’ demand for an overview of the cyber risks facing elementary and secondary schools and for recommendations that include cybersecurity guidelines designed to help schools face these risks.
A PDF version of the report can be downloaded or printed at bit.ly/CISAk12_report; download the PDF version of the toolkit at bit.ly/CISAk12_toolkit, or find the browser version at https://www.cisa.gov/partnering-safeguard-k-12-toolkit.
“Our resultant report provides insight into the current threat landscape and the K–12 community’s capacity to prevent and mitigate cyber-attacks,” CISA said as it released the new report and toolkit. “Recommendations throughout this report are informed by insights from policymakers, government officials, and members of the K–12 community. These recommendations are presented with a caveat: change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone.”
“We must ensure that our K–12 schools are better prepared to confront a complex threat environment,” CISA Director Jen Easterly said. “As K–12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children. Today’s report serves as an initial step towards a stronger and more secure cyber future for our nation’s schools, with a focus on simple, prioritized actions schools can take to measurably reduce cyber risk.”
Doug Levin, National Director of K12 Security Information Exchange, said the report and toolkit include important, actionable advice for schools as they are increasingly falling victim to cyber threats.
“Given the steady drumbeat of ransomware, targeted scams, and data breach incidents plaguing school systems from coast to coast, CISA’s release of ‘Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats’ comes not a moment too soon,” Levin said. “This landmark federal report clearly and concisely communicates the cybersecurity challenge the U.S. K–12 education sector is facing and recommends common sense steps that stakeholders — including superintendents, school administrators, school board members, and state policymakers — can take to bring about needed change.”
K12SIX, a nonprofit information-sharing community launched in late 2020, “wholeheartedly endorses” CISA’s recommendations, Levin said. “School systems operate in a distinctive technological, political, and regulatory context, and therefore require support from organizations designed specifically for their complex and evolving needs.”
Key Findings of the CISA K–12 Report
Start With A Few Small But Mighty Steps: Acknowledging public schools’ limited resources, CISA advised that schools and education leaders should focus their security investments on the “most impactful steps,” starting with a handful of top priorities: deploying multi-factor authentication, mitigating known exploited vulnerabilities, implementing and testing backups, building out and regularly updating an incident response plan, and implementing a strong cybersecurity training program.
“K–12 entities should then progress to fully adopting CISA’s Cybersecurity Performance Goals and mature to building an enterprise cybersecurity plan aligned around the NIST Cybersecurity Framework,” the CISA report said.
Risk Management Must Include All District Leaders: Cyber risk management “must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution,” CISA said. Leaders should get creative to obtain the resources necessary to reduce their district’s cyber risk, including applying for all available grants, negotiating with technology vendors to get the most-secure solutions at the best prices, and “urgently reducing the security burden by migrating to secure cloud environments and trusted managed services,” CISA advised.
K–12 Institutions Must Share Information and Work Together: Collaboration is essential to building awareness and sustaining resilience, the report said. “K–12 entities should participate in an information sharing forum such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or K12 Security Information Exchange and establish a relationship with CISA and FBI field personnel.”
CISA’s Recommendations for K–12 Schools’ IT and Security Staff
The new CISA report includes recommendations and scores of links to additional guides and resources for K–12 IT staff. Each recommendation includes an explanation in more general terms, suitable for district leadership and board members, followed by more actionable details for IT staff, along with reference links.
- Implement multi-factor authentication
- Identify and fix known security flaws, prioritizing those that are being actively used by malicious actors
- Perform and test backups
- Develop and exercise a cyber incident response plan
- Minimize exposure to common attacks
- Create a training and awareness campaign at all levels
- Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sectors Cybersecurity Performance Goals
- Over the long-term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework
CISA’s Recommendations for School and District Leaders
“Most school districts are doing a lot with a little,” CISA said in the new report, noting that limited resources are a “major constraint to implementing effective cybersecurity programs.”
CISA advised that local education agencies do the following to “recognize and actively address resource constraints”:
Apply for State and Local Cybersecurity Grant funds.
Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program, which will provide $1 billion over four years to state, local, and territorial governments to shore up cyber risk management efforts. Each state is required to include public education in its Cybersecurity Planning Committee that will oversee distribution of the funds, CISA noted. “While the funding is granted directly to the state, publicly funded K–12 schoolsl are eligible to receive sub-award money.”
Utilize free or low-cost services to make near-term improvements when resources are scarce.
CISA referenced its updated list of free cybersecurity tools and services, and said it will “implement a process for organizations to submit additional free tools and services” to be included on its list.
Ask more of technology providers.
Schools “should expect the technology used for core educational functions like learning management and student adminstrative systems to have strong security controls enabled by default for no additional charge,” CISA said. During procurement, vendors should not charge more for security features such as MFA and logs, according to the report.
“Be especially aware of the ‘SSO tax,’ the practice of charging customers more to connect to a service (like a financial or time-keeping system) to the organization’s single sign-on portal,” CISA said. It also advised that schools encountering upcharges for security features or unsafe defaults in tech solutions should talk with other schools and MS-ISAC members to work together with the vendor for a better solution.
CISA noted that its regional cybersecurity advisors are available to help when a K–12 school finds that a technology solution is “not meeting expectations for security built-in,” encouraging schools to contact the regional CISA representative in such cases.
Minimize On-Premises Security
K–12 organizations should urgently consider migrating on-premises IT services to the cloud, CISA advised. “Migration to the cloud will be a more secure and resilient option for many” schools and districts, the report said. “Consider first cloud versions of your user identity system and your mail system.” CISA regional representatives are available for guidance on secure cloud migration, the agency said.
Learn more and find the full toolkit at https://www.cisa.gov/partnering-safeguard-k-12-toolkit.