CISA Urges ‘Priority’ Cyber Steps for K-12


The Federal government’s top cybersecurity agency has recently delivered a priority list for K-12 school systems to boost their network security, centered on three big themes for both short- and long-term actions.

The Cybersecurity and Infrastructure Security Agency (CISA) urged school systems – which remain one of the favorite targets for ransomware-based cyberattacks – to tackle the following steps:

  • Implement highest priority security controls;
  • Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs); and
  • Over the long term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF).

Putting those goals first, CISA said, will help K-12 school systems to address immediate security needs, while also building out more mature cybersecurity plans.

The new report – Partnering to Safeguard K-12 Organizations from Cybersecurity Threats – features recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. The report also comes with a new toolkit from CISA to help school systems execute on their security goals.

“We must ensure that our K-12 schools are better prepared to confront a complex threat environment,” CISA Director Jen Easterly said.

“As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children,” Easterly said. “Today’s report serves as an initial step towards a stronger and more secure cyber future for our nation’s schools, with a focus on simple, prioritized actions schools can take to measurably reduce cyber risk.”

Drilling down into the CISA report, the agency said that schools need to recognize and actively address resource constraints by:

  • Working with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP);
  • Utilizing free or low-cost services to make near-term improvements in resource-constrained environments;
  • Expecting and calling for technology providers to enable strong security controls by default for no additional charge; and
  • Minimizing the burden of security by migrating IT services to more secure cloud versions.

The agency also emphasized that schools need to focus on collaboration and information sharing by:

  • Joining relevant collaboration groups, such as MS-ISAC and K12 SIX;
  • Working with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations; and
  • Building a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.

CISA said it is continuing to work with Federal partners, including the Department of Education, as well as other stakeholders to identify opportunities for cybersecurity progress and provide meaningful support that measurably reduces cyber risk for schools.