Online Toolkit: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats

1. Implement multifactor authentication (MFA) (Cybersecurity performance goal 2.H)

MFA is a layered approach to securing online accounts and the data they contain. Even if one factor (such as a user password) becomes compromised, unauthorized users will be unable generally to bypass the second authentication requirement, ultimately stopping them from gaining access to the target accounts.

Action: All K-12 institutions should review CISA’s MFA Enhancement Guide, which provides a defined roadmap toward broad MFA adoption. Ensure that all users with elevated privileges, like system administrators, have MFA enabled for all systems.

3. Perform and test backups (Cybersecurity Performance Goal 2.R)

Implementing, maintaining, and testing backups of critical data is an essential step to reducing impacts from ransomware and other damaging attacks.

Action: Identify data that is critical to continued operations of the K-12 organization and implement backup solutions that are separated from the operational network. Conduct recurring real-world tests to ensure that data can be readily restored from backups. Where applicable, consider free tools such as Windows Auto-Backup and Google Backup & Sync. As part of the entities’ governance program, leaders should request and review evidence of the test restoration tasks and workplans to address any gaps found during the restoration exercise.

5. Develop and exercise a cyber incident response plan (Cybersecurity Performance Goal 2.S)

Every K-12 organization should have an Incident Response Plan that spells out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all major activities, and an address book for use should the network be down during an incident. It should be approved by the senior official in the organization and reviewed quarterly, and after every security incident or “near miss”.

Action: Develop and regularly exercise a written Incident Response Plan, leveraging CISA’s Incident Response Plan Basics two-pager with advice on what to do before, during and after an incident. Additional helpful resources include the K12 SIX Essential Cyber Incident Response Runbook and the State Cybersecurity Best Practices Incident Response Plan.

After you've taken the highest priority steps:

7. Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)

CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that all critical infrastructure owners and operators, including K-12 schools, can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.  They are intended to help establish a common set of fundamental cybersecurity practices that will help schools of all sizes kickstart their cybersecurity efforts. 

Action: Review the CPG web site and worksheet, prioritizing goals that the listed as highest impact first. As you develop your monthly, quarterly, and annual roadmaps, include additional Cybersecurity Performance Goals to improve your security posture.

1. Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP)

The SLCGP provides $1 billion over 4 years for a first-of-its-kind grant program specifically for state, local, and territorial (SLT) governments funding to support efforts addressing cyber risk to their information systems. The two major first year requirements for this program include the establishment of a Statewide Cybersecurity Planning Committee and the development, by this committee, of a Statewide Cybersecurity Plan.  Public Education is a required member of the Planning Committee, therefore ensuring the cybersecurity needs of educational institutions are accounted for.  While the funding is granted directly to the State Administrative Agency, publicly funded K-12 schools are eligible to receive sub-award money.

Action: Review the resources below to determine your school’s eligibility and consider applying to the program.

3. Ask more of technology providers

K–12 organizations should expect the technology used for core educational functions like learning management and student administrative systems to have strong security controls enabled by default for no additional charge.

Action: During the technology procurement and renewal process, ensure that vendors do not charge more for security features like MFA and logs. Be especially aware of the “SSO tax”, the practice of changing customers more to connect a service (like a financial or time keeping system) to the organization’s Single Sign On (SSO) portal. Further, as you deploy products be sure to review the product’s “hardening guide”. A hardening guide is a set of steps to make the product less dangerous. As you become aware of upcharges for security features, or unsafe defaults, start a dialog with other schools and ISAC members to assess a strategy for working together with the vendor to remediate. CISA is ready to serve as an advocate for the K-12 community in advancing technology products that are fit for purpose to support our nation’s education system. Where a K-12 organization identifies as technology that is not meeting expectations for security built-in, contact your regional cybersecurity advisor to begin a conversation on how we can help.

1. Join cybersecurity collaboration groups, such as MS-ISAC and K12 SIX

MS-ISAC membership includes reporting as well as data and information sharing. In addition, MS-ISAC K-12 community members receive critical alerts on current threats, risks, and vulnerabilities; free cyber tools, resources, and services; and 24/7 access to assistance that includes threat incident analysis, mitigation, and remediation.

3. Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel

Report every cyber incident to CISA, every time.