Joe Biden signed the K-12 Cybersecurity Act into law on 8th October 2021. The act was passed to combat the data security incidents that affect K-12 schools in the United States.
What does this entail for educational institutions?
The legislation is straightforward on its face: it directs the director of the Cybersecurity and Infrastructure Security Agency (CISA) to assess the specific threats affecting K–12 institutions within 120 days. Following that, depending on the study’s findings, the director will develop recommendations for cybersecurity guidelines for K–12 schools within 60 days. Then, within 120 days, an online training toolset for “officials” in K–12 schools will be created.
What is the Cybersecurity Act for K-12 Schools?
The K-12 Cybersecurity Act, introduced by U.S. Representative James R. Langevin (D-RI) in July as H.R.4691, has four goals.
Within 120 days of the act taking effect, the director of the Cybersecurity and Infrastructure Security Agency (CISA) is to produce a study on the cybersecurity threats facing K-12 schools. As part of the study, CISA’s director will look into the challenges the education sector faces in securing information systems, protecting sensitive student and personnel records, and implementing cybersecurity protocols.
The director will pursue the act’s second goal after finishing the study and reporting its results to Congress. CISA will issue guidelines for K-12 schools to adopt in order to reduce the digital threats they face.
The director of CISA will then build an online training package based on the study’s findings and the guidelines. The resource’s goal will be to teach officials about best practices. It will also offer officials ideas for putting those guidelines into action.
The K-12 Cybersecurity Act’s final goal is for the director to make the study’s results, recommendations, and online training kits available to the public. They’ll be available on the Department of Homeland Security’s website.
CISA’s director still has many months to complete this task as of this writing. However, some of these threats are already well known. Malware and ransomware attacks, for example, are common at schools. In theory, threat actors can steal data from K-12 schools and then use it to carry out follow-up attacks or monetize it on the darknet.
Another concern with K-12 cybersecurity is a lack of cyber awareness and training in schools. As a result, it is difficult for teachers and administrators to adopt best practices (let alone know about them). This is especially true in the age of distance learning.
K-12 schools can therefore create a security awareness training program to defend themselves against some of the concerns listed above. This program should include education modules to familiarise people with the threats they face.
Technical security measures can be used to supplement human controls in K-12 schools. Log monitoring and management, for example, give visibility into potential threats. Data backups should also be used to bolster school defenses against data destruction events like ransomware. While the K-12 Cybersecurity Act has yet to produce results, these actions will help schools prepare and protect children’s data in the meantime.