On November 14, 2022, CDT submitted comments to the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the implications of Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 for K-12 schools and other educational institutions such as state educational agencies.
K-12 schools have increasingly been victimized by malicious cyber actors through ransomware and other attacks, which have disrupted critical educational services and put students and their personal information at risk. To secure CIRCIA’s benefits for K-12 institutions, students, families, and policymakers, CDT urged CISA to:
(1) include K-12 schools, related educational institutions, and their private contractors in CIRCIA’s reporting obligations;
(2) adopt rules that account for the distributed nature of K-12 data systems; and
(3) coordinate with the U.S. Department of Education to ensure K-12 schools and other educational institutions have the resources they need to meet their reporting obligations.