Cybersecurity & Standards, Equity in Civic Technology

The K-12 Cybersecurity Act is an Opportunity for Engagement

Along with the importance of addressing the growing number of cybersecurity incidents in education, there is also a growing recognition of the need to engage more with stakeholders on issues related to education data and technology. The K-12 Cybersecurity Act, passed in October, brings both of these important concepts together.

Last month the Government Accountability Office (GAO) released a report on the cybersecurity challenges faced by K-12 schools, and what federal agencies, most importantly the U.S. Department of Education (ED), should be doing to help them mitigate these risks. The K-12 Cybersecurity Act of 2021 requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity threats facing K-12 schools and provide security recommendations. Specifically, CISA is required to study the cybersecurity risks facing K-12 institutions and provide a congressional briefing on the study by February 2022, develop public cybersecurity recommendations by April, and publish a toolkit for K-12 officials by August. These requirements reflect both the critical cybersecurity challenges schools face and the fact that cybersecurity is a national issue that the federal government can and should support schools in handling.

The success of any federal program to strengthen the cybersecurity of K-12 schools is going to depend heavily on understanding the varied technical landscape of schools and the particular complexities of educational data programs and systems. School districts can have anywhere from tens of students to tens of thousands of students, with information technology (IT) staff ranging from teams of full-time employees to a single person for whom IT is only part of their job. Educators may be low-tech chalkboard enthusiasts, or they may use a range of educational apps to supplement their curriculum. At the state level, Statewide Longitudinal Data Systems (SLDSs) have to collect and maintain significant amounts of student data to fulfill federal reporting requirements and enable kids to move through their education as seamlessly as possible, whether that be simply moving from middle to high school, or changing schools far more frequently due to homelessness or military-dependent status.

The best way to strengthen the education sector’s cybersecurity practices and policies in this complex landscape is to ensure that people at all levels of the education system and with varying expertise are consulted during the process of developing recommendations. In particular, to ensure that CISA’s recommendations address the issues schools are confronting and will be practicable for schools to implement, CISA would be well-served to engage the following stakeholders:

School District IT Leaders

CISA is well-equipped to handle fundamental cybersecurity advice. Indeed, it has already produced extensive guidance for K-12 institutions on the prevention and management of ransomware and malware threats. But while some cybersecurity advice is universal (PSA: password hygiene is the hand washing of the digital world!), there are also numerous issues where the specifics of the system itself and available resources inform what guidance would be most effective. To ensure that it is able to offer actionable advice relevant across the wide range of schools, CISA should engage IT leaders, managers, and users from a representative range of districts. Given that the size of the district and available resources are major influences on how schools are able to respond, CISA should aim to consult with varied sizes of schools and districts, including those that are both well-resourced and resource-strapped.

State IT Leaders

CISA should also engage with state-level IT leaders. SLDSs are a critical component of how educational institutions aim to support students throughout their education career and into the workforce. These systems are complex and necessarily contain a large amount of sensitive data, making them a key target of cybersecurity improvement measures. By consulting with the state agencies who maintain these systems, CISA can provide recommendations that support the improvement of their security, while still ensuring states and their students are able to leverage the data they contain.

U.S. Department of Education Staff

CISA will need to work closely with the Department of Education (ED) for both the development and the distribution of its recommendations. The Readiness and Emergency Management for Schools Technical Assistance Center (REMS-TAC) is an important partner as the designated partner agency to CISA. Another department within ED, the Privacy Technical Assistance Center (PTAC), is perhaps a less obvious but still critically important partner. Because it is responsible for providing guidance on the Family Educational Rights and Privacy Act (FERPA), PTAC ends up providing significant cybersecurity assistance to schools, as a data breach can be a FERPA violation. Consequently, many schools turn to PTAC for cybersecurity guidance and resources, making it a critical partner in ensuring that schools find and make use of the guidance ultimately provided by CISA.

Cybersecurity in the education context is a complex issue requiring a broad range of expertise and roles. Given the sensitivity of the information held by educational institutions and the importance of providing children with quality education, it is absolutely critical that we as a nation get it right. CISA should seize this opportunity to pull together all the stakeholders they need to provide tailored, fit-for-purpose guidance that will enable schools and districts to serve their students, regardless of the cybersecurity threats they face.