K-12 Cybersecurity Act of 2021 Launches Initiative to Combat Increasing Cyberattacks on Schools
Client Alert | 4 min read | 10.19.21
On October 8, 2021, President Biden signed the K-12 Cybersecurity Act of 2021 (the “Act”) that establishes an education cybersecurity initiative to equip elementary and secondary schools with strategies to combat cyberattacks. The Act directs the Cybersecurity and Infrastructure Security Agency (“CISA”) to collaborate with educational leaders and experts to produce a study of the cybersecurity risks facing K-12 schools and develop recommendations for educational institutions to address those risks.
The regimented approach outlined in the Act’s K-12 Education Cybersecurity Initiative to evaluate the systemic flaws that expose schools to an increased risk of ransomware and cyberattacks will take CISA nearly a year to complete, but could potentially result in a more robust, standardized strategy for educational institutions to address the issue. The approach includes:
- Cybersecurity Study. CISA has until February 5, 2022 (120 days from the law’s enactment) to complete a study evaluating the cybersecurity risks plaguing K-12 schools and assessing the obstacles schools face in securing and implementing cybersecurity protocols. The Act requires CISA to provide a Congressional briefing at the conclusion of the study.
- Cybersecurity Recommendations. By April 6, 2022 (60 days after completing the risk study), CISA must provide security recommendations, including cybersecurity guidelines for K-12 schools. Notably, these guidelines will be voluntary for K-12 schools to adopt.
- Online Training Toolkit. By August 4, 2022 (120 days after generating cybersecurity recommendations), CISA is required to develop an online training toolkit designed to educate school officials on CISA’s cybersecurity recommendations and provide strategies for their implementation.
- The completed study, recommendations, and online toolkit will be accessible to the public on the Department of Homeland Security’s website.
Some may question how the Act will be a value-add to the cybersecurity information currently available, particularly when the implementation of the final CISA work product – the cybersecurity recommendations – is voluntary. CISA already provides K-12 resources on its Stop Ransomware website; however, much of its content is reference materials and tip sheets for students, teachers, parents, and school district staff that serve as cybersecurity best practices without a more thorough analysis into the vulnerabilities in school districts’ information ecosystems across the country.
In a statement about the Act, U.S. Senator Jacky Rosen, who co-sponsored the bill, recognized that “[c]ybersecurity can be expensive and debilitating, especially for small organizations or public entities.” The Act comes as a response to what is identified as a need for “an immediate federal response to improve cybersecurity” for school districts across the nation. The CISA recommendations could serve as more concrete guidance that schools may implement as a standard across their information security protocols, rather than on a user-by-user basis.
The result of CISA’s study could have far-reaching implications at a time when cyberattacks on schools are on the rise. CISA’s study could identify the key systemic issues affecting school districts across the country, as well as shed light on the immeasurably inadequate resources certain districts may have to fight ransomware and other cyber threats. This would allow for better clarity on how school districts could fundamentally shore up their cybersecurity infrastructure to better protect student and employee information and keep up with the pace of evolving information security developments. Moreover, the results of the study could represent the first steps in the federal government being able to help avert and mitigate cyber incidents in K-12 educational institutions.
While educational institutions are given the option under the Act whether to implement CISA’s cybersecurity recommendations, cyber incidents are on the rise and many schools – both K-12 and higher education – will want to at least consider federally recommended guidelines. A 2021 report by the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange identified 408 publicly-disclosed school cyber incidents in 2020. In the same year, there were 145 data breach incidents involving public schools, and most incidents involved both student and staff data. A State of Ransomware report outlined that, in 2020, 1681 schools, colleges, and universities were subject to ransomware attacks.
Educational institutions should consider how to best implement a strong privacy and cybersecurity culture across their staff and students, have strong incident response plans, and remain vigilant in pursuing resources to further their cyber priorities. All educational institutions, including independent schools, may want to consider leveraging the CISA recommendations since cyberattacks rarely discriminate between institution types. Exercising good cybersecurity hygiene can only further benefit schools in the long term.
Crowell & Moring is adept at navigating privacy & cybersecurity issues and has a robust education practice that includes counseling and training institutions on how to strengthen their security, develop and implement privacy and data protection programs, and comply with applicable laws. We have extensive experience managing the crises that can arise in the event of a breach, including those involving personal information, and other sensitive or proprietary information.
