The Cybersecurity and Infrastructure Security Agency (CISA) today released its strategy for schools to ramp up their cybersecurity protocols. The report was a requirement of the K-12 Cybersecurity Act, a bipartisan bill led by U.S. Rep. Elissa Slotkin (D-Lansing) that was signed into law in 2021.
“I’m pleased that CISA is starting to implement our bill and has released this important report on how we can keep our students, teachers, and schools safe from cyberattacks and ransomware,” Slotkin said. “These days, schools are often on the front lines for these threats, and it’s more important than ever that we give them the tools they need to stay protected.”
Calling the report an “important roadmap” for securing school networks and data, Slotkin said there is “more work to do.”
“I’m looking forward to working with my colleagues from both parties to find new, creative solutions for keeping our schools and students safe from emerging cyber threats,” she said.
As cyber criminals target more facets of everyday American life, there is an urgent need to protect our schools from the threat of cyber attacks. Slotkin’s bipartisan legislation is set to increase coordination between schools and CISA and directs the agency to work with teachers, school administrators, and experts in cybersecurity for education to:
• Conduct a study on cybersecurity risks facing K-12 institutions, including securing sensitive student/employee records, cybersecurity challenges stemming from remote learning, and how to make cybersecurity more accessible to schools;
• Release an online training toolkit for K-12 institutions.
Slotkin — who has been a member of the cyber subcommittees of both the House Homeland Security and the House Armed Services Committees — has introduced a range of bills and amendments aimed at addressing the growing threat of cyberattacks. In the aftermath of the Colonial Pipeline ransomware attack in May 2021, she introduced the CISA Cyber Exercise Act, a bipartisan bill that would create new ways for American businesses and governments to test their critical infrastructure against the threat of cyber attacks, and establish a National Cyber Exercise Program to test the U.S. response plan for major cyber incidents. The legislation passed the House in July with bipartisan support, and was also included as part of the House-passed version of the FY2022 National Defense Authorization Act.
As first reported by Axios, the report makes several recommendations including:
• CISA encourages K-12 organizations to start with a “small number of prioritized investments,” like setting up multi-factor authentication, creating and testing an incident response plan and implementing cybersecurity training.
• The report challenges K-12 administrators and superintendents to prioritize cybersecurity and go the extra mile in “securing necessary resources” — including seeking out grant funding or creating better deals with technology vendors.
• School districts should also join threat intel-sharing organizations, such as the K-12 Security Information eXchange and the Multi-State Information Sharing and Analysis Center, where groups trade information about the threat actors targeting their networks.
More of the key findings and recommendations can be found online in the report.