K-12 Cyber Incident Response Plan Updates


The Department of Education has begun preliminary conversations on updating its K-12 cyber incident response plan, which hasn’t been updated in over a decade, according to an agency official.

Kristina Ishmael, deputy director for the Office of Educational Technology at the Education Department, explained during a March 10 K12 Six event that those conversations include several offices at the agency, such as the Office of Safe and Secure Schools and the Office of Elementary and Secondary Education.

While the larger effort spans across the Education Department, Ishmael said the Office of Safe and Secure Schools is principally responsible “for drafting school security plans, including cybersecurity.”

The existing cyber incident response plan has not been updated since 2010. In October 2021, the Government Accountability Office (GAO) issued a report urging the Education Department to take additional steps to help protect K-12 schools from cyber threats, especially as K-12 educational institutions have become more vulnerable to cyberattacks.

The GAO report found that “the department has not updated the sector plan and not determined the need for sector-specific guidance because CISA [the Cybersecurity & Infrastructure Security Agency] has not directed it to do so.”

The report details that the Education Department’s Office of Safe and Secure Schools is responsible for updating the sector plan and consulting with CISA to determine the need for guidance. GAO recommended that the agency “initiate a meeting with CISA to determine how to update its sector-specific plan and determine whether sector-specific guidance is needed.”

According to Ishmael, the Education Department recently appointed a full-time employee dedicated to K-12 cybersecurity policy, and formed a working group that would coordinate with CISA and the National Institute of Standards and Technology to formulate cyber-related guidance.

“We need to do a better job of coordinating and making sure that we can fulfill the recommendations put out by GAO,” Ishmael said.

Separately, Federal lawmakers joined in the conversation earlier this month, saying that schools lack the awareness and training to mitigate cyberattacks.

“The Federal government needs to do a better job at reaching out to every school division to know the assets they have at hand at the national and state level to protect our K-12 critical information,” said Sen. Mark Warner, D-Va. “Making sure we get cybersecurity right is critically important.”

The Federal government has tried to provide school districts with resources to combat and protect themselves against cyberattacks. President Biden signed the K-12 Cybersecurity Act into law last year, which lays out four objectives to strengthen the cybersecurity of K-12 educational institutions in the United States.

“Cyberattacks targeting schools are growing increasingly sophisticated, and given this emerging threat, the Federal Government must be a meaningful partner to our State and local leaders,” said Rep. Doris Matsui, D-Calif., who introduced the legislation alongside Rep. James R. Langevin, D-R.I., in July 2021.