New Law Requires Federal Government to Identify K-12 Cyber Risks, Solutions

Staff Writer

President Joe Biden on Friday signed into law legislation aimed at helping the federal government better identify K-12 cybersecurity risks and suggest appropriate solutions for school districts to adopt.

By Feb. 5, the U.S. Department of Homeland Security must conduct a study on specific K-12 cybersecurity risks, including an evaluation of challenges that schools face in implementing cybersecurity protocols and securing sensitive student and employee records and information systems that they use.

The study must also identify cybersecurity challenges around remote learning and analyze the most effective ways to communicate cybersecurity recommendations and tools for school districts.

DHS must brief Congress on this study by the same February deadline.

The measure was introduced in the Senate by Gary Peters, D-Mich. The final bill signed into law includes looser requirements compared with similar legislation introduced in the House in June.

That House bill, introduced by Rep. Doris Matsui, D-N.Y., would have required DHS to create a database for schools to find cybersecurity tools and apply for funding opportunities to improve cybersecurity. The initial legislation would have further required DHS to establish a voluntary registry of information related to cyber incidents affecting IT systems owned or managed by schools.

Doug Levin, the national director for the K12 Security Information Exchange, which supported the legislation, said he would have liked to have seen the House bill pass, but said the enacted law is a “starting point” for the establishment of national K-12 cybersecurity standards.

He called on DHS to consider, as part of its forthcoming recommendations, establishing a public incident reporting process, which would help teachers and students take steps to protect themselves from future data breaches.

“We need to think creatively about providing support at a regional or national level from nonprofit organizations,” Levin said. “The notion that every school district is going to be able to hire a well-qualified chief information security officer and deploy advanced cybersecurity tools is probably not realistic.”

Levin said he expects a version of the House legislation to be reintroduced at some point.

The final bill requires the federal government no later than 60 days after completion of the cyber study to develop recommendations to help school systems address risks identified in the study, and no later than 120 days after study completion to develop an online training toolkit for K-12 officials to implement those recommendations.

In a report accompanying the bill, the U.S. House of Representatives ‘Homeland Security Committee noted the rising number of cyber incidents, citing a recent study by the K12 Cybersecurity Resource Center that found 408 publicly disclosed cyber incidents in U.S. schools in 2020, 18 percent more than in 2019 and the highest number since tracking of these events started five years ago.

The number of incidents was higher in the second half of 2020, as many schools were operating remotely because of the COVID-19 pandemic, creating new cyber risks, including disruptions to virtual classes and online school meetings, the committee report notes.

In conducting the study and developing recommendations, DHS will consult with teachers, school administrators, federal agencies, private-sector organizations, and non-federal cybersecurity entities with experience in education issues.

“Our hope is that this is just the first step in a much longer process to untangle the systemic issues that make cybersecurity a challenge,” Levin said. “That could lead to some resources and support for school districts.”

Image by Getty

Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.

See also: