We have been talking a lot in these bulletins about the increase in cybersecurity incidents and what can be done to mitigate that risk. Congress also recognized this heightened risk environment and enacted the K–12 Cybersecurity Act of 2021 (“The Act”), which required the Cybersecurity and Infrastructure Security Agency (CISA) to report on the cybersecurity risks facing elementary and secondary schools and to develop recommendations, including cybersecurity guidelines, designed to help schools address those risks. That report was published in January 2023. Its authors summarize:
Recommendations throughout this report are informed by insights from policymakers, government officials, and members of the K–12 community. These recommendations are presented with a caveat: change must come from the top down. Leaders must establish and reinforce a cybersecure culture. Information technology and cybersecurity personnel cannot bear the burden alone.
Links to the summary page and the full published document are below. However, we know your time is valuable, and we want to help by pulling out some of the most salient points in this and future bulletins.
Details of the three Key Findings from the document are included below. In the first finding, the report acknowledges that trying to implement the 322 base controls in the NIST Cybersecurity Framework (NIST CSF) can be overwhelming. It therefore simplifies the task by pulling out the six most impactful steps you can take to enhance your cybersecurity posture. In the next six bulletins, we will give you information on each of those six security investments and some background on why they are important.
KEY FINDINGS from Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats (U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency)
- In an environment of limited resources, leaders should leverage security investments to focus on the most impactful steps. K–12 entities should begin with a small number of prioritized investments: deploying multifactor authentication (MFA), mitigating known exploited vulnerabilities, implementing and testing backups, minimizing exposure to common attacks, regularly exercising an incident response plan, and implementing a strong cybersecurity training program. K–12 entities should then progress to fully adopting CISA’s Cybersecurity Performance Goals (CPGs) and mature to building an enterprise cybersecurity plan aligned around the NIST Cybersecurity Framework (CSF).
- Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution. Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.
- No K–12 institution is an island. Information sharing and collaboration with peers and partners are essential to build awareness and sustain resilience. K–12 entities should participate in an information-sharing forum such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) and/or the K12 Security Information eXchange (K12 SIX) and establish a relationship with CISA and FBI field personnel.
This week’s suggestion:
- Watch for next week’s bulletin.
Next week’s bulletin will discuss “CISA Step 1 – Deploying Multifactor Authentication (MFA).”
If you would like more information on navigating the NIST CSF journey, please contact Lisa MacDougall at email@example.com or call 845.897.9480.