K-12 Schools High on CISA’s Priority List


Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, said strengthening K-12 schools’ cybersecurity is high on her priority list.

At Mandiant’s mWISE conference in Washington, D.C. on Oct. 20, Easterly said CISA is currently focused on target-rich and resource-poor entities, including K-12 school districts. She explained K-12 school districts often don’t have large security teams to help defend against cyberattacks.

In addition to K-12 schools, Easterly also said her agency will focus on similar entities that are a part of the critical infrastructure ecosystem. Those include the water critical infrastructure sector and healthcare sector, such as nonprofit hospitals and small water facilities.

“They’re not investing millions and billions of dollars like some in finance and energy are. And so, we have to figure out how to connect all of these entities in a way that we can get information out that is useful to them, that is tailored to their ability to understand it and absorb it, and then to drive down risks to all of our national critical functions,” Easterly said.

CISA’s recently published cross-sector cybersecurity performance goals – which it developed with the National Institute of Standards and Technology – aim to help critical infrastructure owners and operators prioritize and set a foundation for key security measures.

“[The goals] come with a checklist that says, here’s how we’ve done it, here’s the progress, here’s what we’ve completed [with] it. We’ve also color-coded it to show prioritization. And we’ve also detailed cost and the complexity behind each practice,” Easterly said.

Easterly said the goals aim to provide a shared understanding of the baseline cybersecurity practices critical infrastructure owners and operators can follow. They also aim to help small to medium-sized organizations who are often left behind – such as K-12 schools – kickstart their cyber efforts.

CISA said it has seen the impact cybersecurity gaps have had on smaller entities, through “ransomware attacks affecting critical functions from hospitals to school districts.” While the goals are voluntary, they can be helpful for school districts to implement to reduce the likelihood of such attacks.

“For the first time, I think we’re going to be able to materially measure the reduction of risk across the most critical areas,” Easterly said.