CISA Publishes Guide to Support University Cybersecurity Clinics


by Clayton Romans, Associate Director

Small and local organizations face a unique challenge in cybersecurity. They are the target of criminal groups seeking to launch ransomware attacks, and yet they often have no good way of getting the cybersecurity resources they need to protect themselves. One answer to this problem is University Cybersecurity Clinics. 

University cybersecurity clinics train students from diverse backgrounds and academic expertise to strengthen the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced organizations, while also developing a talent pipeline for cyber civil defense.

As an example, the Consortium of Cybersecurity Clinics (co-chaired by the Center for Long-Term Cybersecurity and the MIT Cybersecurity Clinic) coordinate across over a dozen university clinics across the country. The Consortium serves as a forum for clinicians, trainers, students, and advocates to share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions to establish their own clinics.

"University, college and community-college based cybersecurity clinics are filling an essential gap in cybersecurity defense in their communities," said Ann Cleaveland, Co-Chair of the Consortium of Cybersecurity Clinics and Executive Director of the UC Berkeley Center for Long-Term Cybersecurity. "The Consortium and our members are tremendously grateful for CISA's support for these clinics and their clients around the country. This kind of partnership is critical for advancing cybersecurity for the public good."

CISA is well positioned to support university cybersecurity clinics and is pleased to publish today a guide for this growing community with helpful information, resources, and services. The clinics act as force-multipliers for our mission to strengthen target-rich, resource-poor organizations. Clinics can also provide valuable information to CISA regarding the state of cybersecurity and challenges in the field. They play an important role in training the next generation of cybersecurity practitioners and leaders and can act as a recruiting channel for CISA.  

Accordingly, CISA is announcing several actions to support university cybersecurity clinics.

  • Resource Guide. CISA will publish a resource guide tailored specifically for the clinics and their clients to use. It will clearly explain how the resources apply to clinics and their clients.
  • Community Awareness. Raising awareness for clinics is an invaluable tool which helps to increase support for clinics nationally and locally, spotlights the valuable experience of students who have participated in clinics, helps existing clinics connect with local and federal resources, and inspires universities to start new clinics.
  • Direct Engagement with the Clinics. CISA will increase its engagement at the local level with clinics through our regional Cybersecurity Advisors. Our region-based Cybersecurity Advisors provide a wide range of subject matter expertise and serve as a link with CISA’s programs and services. At the national level, we will work with organizations like the Consortium of Clinics to find additional ways that CISA can support.  
  • Grants.  CISA is taking steps to leverage our State and Local Cybersecurity Grant Program (SLCGP), which aims to address cyber risks to information systems owned or operated by  state and local governments. In some cases, clinics may be a source for states and local governments for needed services in carrying out the scope of work under SLCGP grants and subgrants. Further, some clients may be state or local agencies themselves who are eligible for grants or subgrants to strengthen their own networks. In the resource guide, we encourage clients and clinics to work with their State Cybersecurity Planning Committee to understand available funding resources. As CISA looks toward future rounds of grants, we are exploring how to encourage states to consider clinics in their grant-related work.
  • Recruiting. Clinics can serve as a talent pipeline for the entire cybersecurity community. At CISA, we are working to include them in our recruiting efforts. 

CISA has been an impactful partner in the development of the Applied Cybersecurity Community Clinic at UT Austin. CISA’s Cybersecurity Performance Goals and other resources are included in our curriculum and recommendations to client organizations, which allows clinic students to see how their participation not only bolsters community cyber resilience but also contributes to the broader cyber defense mission of the agency,” said Francesca Lockhart, Cybersecurity Clinic Program Lead, Strauss Center for International Security and Law, The University of Texas at Austin. “I look forward to deepening our partnership with CISA and further leveraging their expertise and services as our clinic and the Consortium of Cybersecurity Clinics grows.

In the long-term, clinics have the potential to be a nationally scalable solution to support target-rich, resource-poor organizations. We are excited to take these first steps and look forward to ongoing engagement and support as more cybersecurity clinics spread across the country.