"CISA Provides Resources for Securing K-12 Education System"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published a report detailing the cybersecurity risks the K-12 education system faces, along with recommendations on how to secure it. Over the past four years, there have been thousands of cyber incidents involving K-12 institutions. The K-12 Cybersecurity Act of 2021 instructed CISA to review the cyber risks to elementary and secondary schools, evaluate the challenges schools and school districts face in securing information systems, provide recommendations on improving the protection of these systems, and develop an online training toolkit for school officials. CISA noted that discussions with stakeholder groups relevant to the K-12 education community revealed that the majority of them do not have the time or resources to secure information systems and sensitive student and employee records or to implement cybersecurity protocols. Most reported that the breadth of available cybersecurity information, such as news coverage, conference panels, webinars, and more, only made matters more complicated. Nearly all reported that they needed simplicity, prioritization, and resources targeted to the unique needs and context of K-12 organizations. According to CISA, “with finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk,” such as deploying multi-factor authentication (MFA), patching known vulnerabilities, creating backups, and implementing cyber incident response plans and cybersecurity training programs. CISA also discovered that many school districts struggle with insufficient IT resources and cybersecurity capacity. CISA noted that this can be addressed by using free or low-cost services, by asking technology providers for strong security controls at no additional cost, by migrating IT services to more secure cloud versions, and by taking advantage of the State and Local Cybersecurity Grant Program (SLCGP).

CISA stated that K-12 entities cannot single-handedly identify and prioritize emerging threats, risks, and vulnerabilities. CISA recommended that they join relevant collaboration groups, work with other information-sharing organizations, and collaborate with CISA and FBI regional cybersecurity personnel. The agency recommends that all K-12 institutions start by investing in the most impactful security measures, which will allow them to eventually migrate to a mature cybersecurity plan. They should also prioritize investments in line with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

 

SecurityWeek reports: "CISA Provides Resources for Securing K-12 Education System"

Submitted by Anonymous on