Feb 22 2022

What Will Happen After CISA’s K–12 Cybersecurity Act Review?

The Cybersecurity and Infrastructure Security Agency will release guidelines following its review. Here’s what those new resources could mean for K–12 IT leaders.

The K–12 Cybersecurity Act, signed into law last October, initiated the Cybersecurity and Infrastructure Security Agency’s review of the cyber risks facing K–12 institutions. Per the timeline detailed in the Act, CISA would have 120 days to review the threat landscape and then 60 days to create guidelines for districts based on its findings.

The review and impending guidelines could mean changes to the way cybersecurity is managed in school districts across the country. To prepare for these changes, IT leaders should know what CISA is looking at and what to expect when the review concludes.

Here’s what IT admins in K–12 schools can expect to come out of the K–12 Cybersecurity Act review:

CISA’s Review Will Raise Awareness Among K–12 Administrators

One of the primary outcomes expected from a federal government examination of K–12 cybersecurity is increased awareness across school stakeholders. This is an area where many IT leaders currently find obstacles to implementing or funding cybersecurity initiatives.

“It’s not because IT teams don’t understand the risks. It’s because they still have to influence superintendents and school boards,” says Matt Dascoli, senior manager of K–12 education strategy at Dell Technologies.

Because the influx of educational technology and digital learning opportunities is changing the education landscape, cybersecurity is no longer a concern solely for the IT department. All systems — from instruction and attendance to checking out books at the library — could go down in the event of a cyberattack.

“They think this is a technology problem, but this is really everyone’s issue now because our entire school district runs in a digital way,” says Adam Garry, senior director of education strategy at Dell Technologies.

“Something that is now understood in schools is that technology is a foundational, essential portion of the learning that happens in schools. And because it now so deeply impacts the learning process, it has to be considered safe for people to use,” Dascoli adds.

Using the term “safety” when talking about the importance of cybersecurity helps a wider range of stakeholders appreciate the need to prioritize it, he says.

Now that CISA is speaking with districts and examining the cyberthreats facing K–12 schools, more administrators and board members can be brought into the conversation about the potential impacts of cybersecurity.

Guidelines Will Create Actionable Steps for K–12 IT Teams

IT leaders can expect actionable and manageable guidelines in the wake of CISA’s review as part of the K–12 Cybersecurity Act. While there are many frameworks that school IT staff can use as a resource — such as those from the Consortium for School Networking and the National Institute of Standards and Technology — frequently missing are the steps for how to meet those goals.

“One of the things that happens often with great frameworks developed for cybersecurity is that they have to be robust, they have to be deep. But they become so robust and deep that they become paralyzing for schools,” Dascoli says. “Something really beneficial to come from this would be some very simple guidelines of prevention and detection, resilience and response, that can be easily interpreted by people who may not be equipped to do this.”

While more schools are implementing cybersecurity in the form of penetration testing, professional development and phishing awareness, most districts — especially small and medium-sized districts — don’t have the resources to hire a CISO.

The CISA review process and subsequent guidelines could help IT teams understand “the different areas that you need to consider, from endpoint to network to dashboards to incident response,” Garry says.

“The hope is that they will bring order to some of this chaos with frameworks and resources and money,” he adds.

Schools Will Need IT Funding to Follow CISA’s Guidelines

Because many of CISA’s recommendations will likely require a cybersecurity budget schools don’t currently have, IT admins can expect some type of funding to follow the creation of the guidelines — but shouldn’t count on it.

“Schools don’t have the resources to pay for a senior-level leader,” Dascoli says. “One of the things that we would have to do is help school systems find the right funding to be applied for these types of positions.”

Funding will be a huge priority for schools as they look to make upgrades to their cybersecurity in the wake of the CISA review and guidelines. It will also help districts meet new cybersecurity insurance requirements, which may change in accordance with some of the federal recommendations.

“I think the insurance companies are going to be a bit more nimble than any legislation that has passed,” Garry says. “Cybersecurity is something that changes on a regular basis, and we have to be able to adapt to that.”
