Cybersecurity and Infrastructure Security Agency Releases New Report on Cybersecurity Threats for K-12 Entities

February 8, 2023

School districts are relying on technology while they reshape educational services and reform educational methods. Due to this increased reliance on increasingly advanced technology, school districts have faced and will continue to face severe cybersecurity challenges.

In recognition of school districts’ increased use of technology platforms, Congress passed the K-12 Cybersecurity Act of 2021. Under the Act, the Cybersecurity and Infrastructure Security Agency (CISA) must report on the nature of cybersecurity threats and provide recommendations based on input from government officials, educators, and policymakers within the K-12 education community.

On Jan. 24, CISA issued a new report. CISA states that its goal in providing its report is to “raise awareness of the K–12 community’s growing cyber risk and threat landscape and catalyze action across the K–12 community.”

Here are some notable highlights and recommendations for school districts:

Recommendation #1: Invest in the most impactful security measures and build toward a mature cybersecurity plan

CISA reports that one main factor in fighting cyberattacks is recognizing that K-12 institutions only have a set number of resources. Because of this, CISA recommends that school districts first implement the “highest priority security controls” and then work to prioritize short-term actions, like fixing any known security flaws. For these high-priority steps, CISA directs school districts to the “Cybersecurity Performance Goals” or “CPGs,” which are intended to be straightforward guidance tools. Some of CISA’s recommended “high-priority” steps involve minimizing exposure to threat actors and developing training for school staff. School districts should aim to build a “unique” plan over time that will ultimately produce resilient cybersecurity programs.

Recommendation #2: Recognize and actively address resource constraints

In its findings, CISA notes that several school districts do not currently have sufficient IT resources that can properly support cybersecurity initiatives. Consequently, CISA recommends that school districts work with the state planning committee for the State and Local Cybersecurity Grant Program to obtain more resources. Further, CISA encourages school districts to utilize low-cost services for immediate improvements and rely on technology providers to implement strong security controls, without additional charges. Finally, school districts are encouraged to minimize opportunities for cyber attackers by moving IT services from “on-premises” services to the cloud, which offers more security.

Recommendation #3: Focus on collaboration and information sharing

CISA recognizes that K-12 entities on their own cannot “singlehandedly identify and prioritize” threats and risks associated with cybersecurity. CISA’s report recommends that school districts join collaboration groups that can assist in identifying these threats, as well as other organizations and agencies. Further, school districts are encouraged to build strong relationships with CISA and FBI cybersecurity contacts.

CISA’s report acts as a reminder to school districts that the education sector is “under unprecedented risk” in an age where increased reliance on technology has resulted in heightened cybersecurity risks. With these goals and recommendations, school districts can begin implementing immediate changes, while simultaneously planning for more intensive reform.

If you have any questions, please feel free to contact Charles Russman, Bailey Kadian, or any other member of Clark Hill’s Education team.

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice. 
