
Cybersecurity and Infrastructure Security Agency Releases New Report on Cybersecurity Threats for K-12 Entities

February 8, 2023

School districts are relying on technology while they reshape educational services and reform educational methods. Due to this increased reliance on increasingly advanced technology, school districts have faced and will continue to face severe cybersecurity challenges.

In recognition of school districts’ increased use of technology platforms, Congress passed the K-12 Cybersecurity Act of 2021. Under the Act, the Cybersecurity and Infrastructure Security Agency (CISA) must report on the nature of cybersecurity threats and provide recommendations based on input from government officials, educators, and policymakers within the K-12 education community.

On Jan. 24, CISA issued a new report. CISA states that its goal in providing its report is to “raise awareness of the K–12 community’s growing cyber risk and threat landscape and catalyze action across the K–12 community.”

Here are some notable highlights and recommendations for school districts:

Recommendation #1: Invest in the most impactful security measures and build toward a mature cybersecurity plan

CISA reports that one main factor in fighting cyberattacks is recognizing that K-12 institutions only have a set number of resources. Because of this, CISA recommends that school districts first implement the “highest priority security controls” and then work to prioritize short-term actions, like fixing any known security flaws. For these high-priority steps, CISA directs school districts to the “Cybersecurity Performance Goals” or “CPGs,” which are intended to be straightforward guidance tools. Some of CISA’s recommended “high-priority” steps involve minimizing exposure to threat actors and developing training for school staff. School districts should aim to build a “unique” plan over time that will ultimately produce resilient cybersecurity programs.

Recommendation #2: Recognize and actively address resource constraints

In its findings, CISA notes that several school districts do not currently have sufficient IT resources that can properly support cybersecurity initiatives. Consequently, CISA recommends that school districts work with the state planning committee for the State and Local Cybersecurity Grant Program to obtain more resources. Further, CISA encourages school districts to utilize low-cost services for immediate improvements and rely on technology providers to implement strong security controls, without additional charges. Finally, school districts are encouraged to minimize opportunities for cyber attackers by moving IT services from “on-premises” services to the cloud, which offers more security.

Recommendation #3: Focus on collaboration and information sharing

CISA recognizes that K-12 entities on their own cannot “singlehandedly identify and prioritize” threats and risks associated with cybersecurity. CISA’s report recommends that school districts join collaboration groups that can assist in identifying these threats, as well as other organizations and agencies. Further, school districts are encouraged to build strong relationships with CISA and FBI cybersecurity contacts.

CISA’s report acts as a reminder to school districts that the education sector is “under unprecedented risk” in an age where increased reliance on technology has resulted in heightened cybersecurity risks. With these goals and recommendations, school districts can begin implementing immediate changes, while simultaneously planning for more intensive reform.

If you have any questions, please feel free to contact Charles Russman, Bailey Kadian, or any other member of Clark Hill’s Education team.

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice. 
