Cybersecurity and Infrastructure Security Agency Releases New Report on Cybersecurity Threats for K-12 Entities

February 8, 2023

School districts are relying on technology while they reshape educational services and reform educational methods. Due to this increased reliance on increasingly advanced technology, school districts have faced and will continue to face severe cybersecurity challenges.

In recognition of school districts’ increased use of technology platforms, Congress passed the K-12 Cybersecurity Act of 2021. Under the Act, the Cybersecurity and Infrastructure Security Agency (CISA) must report on the nature of cybersecurity threats and provide recommendations based on input from government officials, educators, and policymakers within the K-12 education community.

On Jan. 24, CISA issued a new report. CISA states that its goal in providing its report is to “raise awareness of the K–12 community’s growing cyber risk and threat landscape and catalyze action across the K–12 community.”

Here are some notable highlights and recommendations for school districts:

Recommendation #1: Invest in the most impactful security measures and build toward a mature cybersecurity plan

CISA reports that one main factor in fighting cyberattacks is recognizing that K-12 institutions only have a set number of resources. Because of this, CISA recommends that school districts first implement the “highest priority security controls” and then work to prioritize short-term actions, like fixing any known security flaws. For these high-priority steps, CISA directs school districts to the “Cybersecurity Performance Goals” or “CPGs,” which are intended to be straightforward guidance tools. Some of CISA’s recommended “high-priority” steps involve minimizing exposure to threat actors and developing training for school staff. School districts should aim to build a “unique” plan over time that will ultimately produce resilient cybersecurity programs.

Recommendation #2: Recognize and actively address resource constraints

In its findings, CISA notes that several school districts do not currently have sufficient IT resources that can properly support cybersecurity initiatives. Consequently, CISA recommends that school districts work with the state planning committee for the State and Local Cybersecurity Grant Program to obtain more resources. Further, CISA encourages school districts to utilize low-cost services for immediate improvements and rely on technology providers to implement strong security controls, without additional charges. Finally, school districts are encouraged to minimize opportunities for cyber attackers by moving IT services from “on-premises” services to the cloud, which offers more security.

Recommendation #3: Focus on collaboration and information sharing

CISA recognizes that K-12 entities on their own cannot “singlehandedly identify and prioritize” threats and risks associated with cybersecurity. CISA’s report recommends that school districts join collaboration groups that can assist in identifying these threats, as well as other organizations and agencies. Further, school districts are encouraged to build strong relationships with CISA and FBI cybersecurity contacts.

CISA’s report acts as a reminder to school districts that the education sector is “under unprecedented risk” in an age where increased reliance on technology has resulted in heightened cybersecurity risks. With these goals and recommendations, school districts can begin implementing immediate changes, while simultaneously planning for more intensive reform.

If you have any questions, please feel free to contact Charles Russman, Bailey Kadian, or any other member of Clark Hill’s Education team.

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice. 
