The Biden Administration kicked off Cybersecurity Awareness Month by signing the K-12 Cybersecurity Act of 2021 into law on October 8, 2021.
U.S. Senator Rick Scott (R-FL) initially introduced the bipartisan legislation this past May after a string of ransomware attacks targeted school districts across the country. The bill gained sponsorship support from Senator Jacky Rosen (D-NV) and Senator Bill Cassidy (R-LA).
The K-12 Cybersecurity Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to perform a 120-day review of cybersecurity risks faced by school districts and provide a report back to Congress. The law states that CISA is required to examine “how identified cybersecurity risks specifically impact K–12 educational institutions” and evaluate the challenges schools face in securing their information systems, protecting student and teacher data and implementing and enforcing cybersecurity controls.
Following the report, the law provides CISA with 60 days to develop guidelines for K-12 organizations and then another 120 days to create an online toolkit school districts can use to implement those strategies and recommendations.
One key note of the law is the lack of direct funding for K-12 cybersecurity. However, a separate bill is currently in review that would provide a $10 million annual fund for cybersecurity initiatives such as this.
A recent study shows that in 2020, a total of 1,681 schools, colleges and universities in the U.S., as well as 560 health care facilities, reported ransomware attacks. The key word is reported, as the total number of attacks is likely much higher than that. Following the high-profile ransomware attack on Clark County School District in Nevada, Senator Rosen (D-NV) joined the bipartisan sponsorship of the bill.
“Malicious cyber actors are increasingly targeting K-12 schools across the United States, including the Clark County School District, the fifth-largest school district in the country, which was the victim of a ransomware attack,” said Senator Rosen. “Cyberattacks can be expensive and debilitating, especially for small organizations or public entities. Schools and school districts need an immediate federal response to improve cybersecurity in Nevada and across our nation to prevent the personal information of students, faculty, and staff from falling into the wrong hands. I’m proud to see that this bipartisan legislation, which I co-sponsored, passed the Senate and is one step closer to becoming law. This bill will provide schools with tools and resources to prevent and combat cyber threats.”
This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. The use of such recommendations shall be voluntary.
The study must evaluate the challenges that schools face in securing (1) information systems owned, leased, or relied upon by those schools; and (2) sensitive student and employee records.
Further, the bill requires CISA to (1) develop an online training toolkit designed for school officials; and (2) make available on the Department of Homeland Security website the study's findings, the cybersecurity guidelines, and the toolkit.
“Today, I was pleased to sign the K-12 Cybersecurity Act into law to enhance the cybersecurity of our Nation’s K-12 educational institutions,” President Biden stated. “This law highlights the significance of protecting the sensitive information maintained by schools across the country, and my Administration looks forward to providing important tools and guidance to help secure our school’s information systems. I want to thank Congress for passing it with bipartisan support.”
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.