To help K-12 organizations mitigate the threat of malicious cyber actors and the cyber risks that can significantly impact educational missions and put sensitive data at risk, CISA developed this online toolkit and the Partnering to Safeguard K-12 Organizations from Cybersecurity Threats report.
This toolkit is derived from a broader list of tasks called the Cybersecurity Performance Goals (CPG). The work to improve and maintain your cybersecurity posture should be part of a continuous program, not merely a project with a finish line. As you work through the tasks below, CISA recommends that you review all the CPGs and plan to incorporate them into your ongoing security program.
This online toolkit aligns three recommendations from the report with key actions and related trainings and resources to help you build, operate, and maintain resilient cybersecurity programs. Explore each recommendation below to learn more and find prioritized action steps and aligned resources to implement at your school or district.
Recommendation 1: Invest in Most Impactful Security Measures and Build Toward a Mature Cybersecurity Plan
Cybersecurity is not one size fits all. Schools and their districts have distinct strengths and weaknesses and a wide range of needs. At the same time, there are relatively simple actions that every K-12 organization can take to significantly reduce their cybersecurity risks.
Below are the highest priority steps:
1. Implement multifactor authentication (MFA) (Cybersecurity performance goal 2.H)
MFA is a layered approach to securing online accounts and the data they contain. Even if one factor (such as a user password) becomes compromised, unauthorized users will generally be unable to bypass the second authentication requirement, ultimately stopping them from gaining access to the target accounts.
Action: All K-12 institutions should review CISA’s MFA Enhancement Guide, which provides a defined roadmap toward broad MFA adoption. Ensure that all users with elevated privileges, like system administrators, have MFA enabled for all systems.
2. Identify and fix known security flaws, prioritizing those that are being actively used by malicious actors (Cybersecurity Performance Goal 1.E)
While there are many security vulnerabilities in widely used technologies, a small number of these are actually used by malicious actors to compromise victim organizations. By prioritizing these known exploited vulnerabilities, K-12 organizations can significantly reduce their likelihood of compromise.
Action: Prioritize remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, either by signing up for recurring updates when new vulnerabilities are added or by using a third-party service that automatically identifies the presence of vulnerabilities on the KEV catalog, including but not limited to Palo Alto Networks Cortex, Tenable Nessus, Runecast, Qualys VMDR, Wiz, Rapid7 InsightVM, and Rapid7 Nexpose.
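As an added example (not CISA's own tooling) of the prioritization step above: a short script that joins a vulnerability scanner export against the KEV catalog and orders the matches by remediation urgency (past due first, then ransomware-linked, then earliest due date). The catalog sample is constructed in the layout of the KEV JSON feed with placeholder CVE IDs, and the scanner CSV columns are assumed.

```python
import csv
import io
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed (placeholder CVE IDs,
# not real entries); a real run would load the downloaded catalog instead.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleLMS",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner export (assumed column names): one row per finding on a host.
SCAN_CSV = """host,cve,cvss
lms-web-01,CVE-0000-0002,7.5
vpn-gw-01,CVE-0000-0001,9.8
vpn-gw-01,CVE-0000-0009,9.1
student-db-02,CVE-0000-0002,7.5
"""

def kev_index(kev_json):
    """Map cveID -> KEV record so each scanner finding is a single lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def prioritize(scan_csv, kev_json, today_iso):
    """Return scanner findings that appear in KEV, most urgent first:
    past-due first, then ransomware-linked, then earliest due date, then CVSS."""
    kev, today, hits = kev_index(kev_json), date.fromisoformat(today_iso), []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        rec = kev.get(row["cve"])
        if rec is None:
            continue  # not in KEV: handle under the normal patch cycle
        due = date.fromisoformat(rec["dueDate"])
        hits.append({
            "host": row["host"], "cve": row["cve"], "product": rec["product"],
            "due": due.isoformat(), "overdue": due < today,
            "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
            "cvss": float(row["cvss"]), "action": rec["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"], -h["cvss"]))
    return hits
```

Call `prioritize(SCAN_CSV, KEV_JSON, "2024-02-10")` to get the ordered work list; findings outside KEV are left for the routine patch cadence rather than dropped from scanning.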
3. Perform and test backups (Cybersecurity Performance Goal 2.R)
Implementing, maintaining, and testing backups of critical data is an essential step to reducing impacts from ransomware and other damaging attacks.
Action: Identify data that is critical to continued operations of the K-12 organization and implement backup solutions that are separated from the operational network. Conduct recurring real-world tests to ensure that data can be readily restored from backups. Where applicable, consider free tools such as Windows Auto-Backup and Google Backup & Sync. As part of the entities’ governance program, leaders should request and review evidence of the test restoration tasks and workplans to address any gaps found during the restoration exercise.
4. Minimize exposure to common attacks (Cybersecurity Performance Goals 1.A and 2.W)
Malicious cyber actors continuously scan organizations to identify vulnerabilities and execute damaging intrusions. Every K-12 organization should ensure that their Internet-connected assets are up-to-date and free from exploitable conditions.
Actions: Enroll in CISA’s free Vulnerability Scanning service and quickly address vulnerabilities identified in recurring reports. Take steps outlined by CISA here to reduce the likelihood that a malicious actor can identify the organization’s assets when scanning the internet for potential victims.
5. Develop and exercise a cyber incident response plan (Cybersecurity Performance Goal 2.S)
Every K-12 organization should have an Incident Response Plan that spells out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all major activities, and an address book for use should the network be down during an incident. It should be approved by the senior official in the organization and reviewed quarterly, and after every security incident or “near miss”.
Action: Develop and regularly exercise a written Incident Response Plan, leveraging CISA’s Incident Response Plan Basics two-pager with advice on what to do before, during and after an incident. Additional helpful resources include the K12 SIX Essential Cyber Incident Response Runbook and the State Cybersecurity Best Practices Incident Response Plan.
An Incident Response Plan is a written document that helps your organization before, during, and after a security incident.
6. Create a training and awareness campaign at all levels (Cybersecurity Performance Goal 2.I)
All personnel at every K-12 organization should be formally trained to understand the organization’s commitment to security, what tasks they need to perform (like enabling MFA, updating their software and avoiding clicking on suspicious links that could be phishing attacks), and how to escalate suspicious activity.
Action: Review your employee handbook to ensure it has a section on cybersecurity with information on acceptable use of technology, policies, and escalation procedures. Send periodic reminders for staff to review the handbook’s security section via email and staff meetings.
Cybersecurity training provided by Amazon for any employee or individual who wants to better understand the most common cyber risks and how to protect themselves and their organizations.
CYBER.ORG empowers educators to teach cyber confidently, resulting in students with the skills and passion needed to succeed in the cyber workforce.
After you've taken the highest priority steps:
7. Prioritize further near-term investments in alignment with the full list of CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)
CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that all critical infrastructure owners and operators, including K-12 schools, can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. They are intended to help establish a common set of fundamental cybersecurity practices that will help schools of all sizes kickstart their cybersecurity efforts.
Action: Review the CPG web site and worksheet, prioritizing the goals listed as highest impact first. As you develop your monthly, quarterly, and annual roadmaps, include additional Cybersecurity Performance Goals to improve your security posture.
8. Over the long-term, develop a unique cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF)
The CSF is a robust framework for building and maintaining a comprehensive information security program. Governments and enterprises use it to ensure they have covered all the key elements of a mature program.
Action: Organizations should review the CSF as they complete the tasks here and in the CPGs. K–12 entities should participate in the free Nationwide Cybersecurity Review (NCSR), which provides metrics that identify gaps and track progress, as well as access to incident reporting and cybersecurity resources.
Recommendation 2: Recognize and Actively Address Resource Constraints
Most school districts are doing a lot with a little and resource shortfalls can be a major constraint to implementing effective cybersecurity programs. K-12 organizations should take the following steps to recognize and actively address resource constraints:
1. Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP)
The SLCGP provides $1 billion over 4 years for a first-of-its-kind grant program specifically for state, local, and territorial (SLT) governments, funding efforts that address cyber risk to their information systems. The two major first-year requirements for this program are the establishment of a Statewide Cybersecurity Planning Committee and the development, by this committee, of a Statewide Cybersecurity Plan. Public Education is a required member of the Planning Committee, thereby ensuring the cybersecurity needs of educational institutions are accounted for. While the funding is granted directly to the State Administrative Agency, publicly funded K-12 schools are eligible to receive sub-award money.
Action: Review the resources below to determine your school’s eligibility and consider applying to the program.
The SLCGP provides funding to state, local, tribal, and territorial (SLTT) governments to address cybersecurity risks and cybersecurity threats to SLTT-owned or operated information systems.
The overarching goal of the SLCGP is to assist SLTT governments in managing and reducing systemic cyber risks. Find answers to your questions here.
The Homeland Security Grant includes a suite of risk-based grants to assist SLTT efforts in protecting against, responding to, and recovering from acts of terrorism and other threats.
2. Utilize free or low-cost services to make near-term improvements when resources are scarce
As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
Action: Evaluate your security program’s need for services and tools to determine if any in this catalog are a fit for your needs.
3. Ask more of technology providers
K–12 organizations should expect the technology used for core educational functions like learning management and student administrative systems to have strong security controls enabled by default for no additional charge.
Action: During the technology procurement and renewal process, ensure that vendors do not charge more for security features like MFA and logs. Be especially aware of the “SSO tax”, the practice of charging customers more to connect a service (like a financial or time keeping system) to the organization’s Single Sign On (SSO) portal. Further, as you deploy products be sure to review the product’s “hardening guide”. A hardening guide is a set of configuration steps that make the product less dangerous to operate. As you become aware of upcharges for security features, or unsafe defaults, start a dialog with other schools and ISAC members to assess a strategy for working together with the vendor to remediate. CISA is ready to serve as an advocate for the K-12 community in advancing technology products that are fit for purpose to support our nation’s education system. Where a K-12 organization identifies technology that is not meeting expectations for built-in security, contact your regional cybersecurity advisor to begin a conversation on how we can help.
Your local and regional Protective Security Advisors (PSAs), Cyber Security Advisors (CSAs), Emergency Communications Coordinators (ECCs), and Chemical Security Inspectors (CSIs) provide a variety of risk management and response services.
4. Minimize the burden of on-prem security
Many K–12 organizations operate their own IT systems, known as “on premises” systems. Such systems require time to patch, to monitor, and to respond to potential security events. Few K–12 organizations have the resources and expertise to keep them
Action: K–12 organizations should urgently consider migrating on-premises IT services to the cloud. While it is not possible to categorically state that “the cloud is more secure,” migration to the cloud will be a more secure and resilient option for many K–12 organizations. Consider first cloud versions of your user identity system, and your mail system. Talk to your CISA regional representative for guidance on secure cloud migration.
Google's productivity and collaboration tools for people and organizations, including Gmail, Calendar, Meet, Chat, Drive, Docs, Sheets, Slides, Forms, and Sites.
Azure Active Directory (Azure AD) is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against cybersecurity attacks.
Recommendation 3: Focus on Collaboration and Information Sharing
K-12 entities struggle to fund cybersecurity resources while combating continuous threats. Situational awareness into changes in the risk environment is critical to ensure that resources are allocated to the most effective security mitigations and controls.
By focusing on collaboration and information sharing, K-12 organizations can stay aware of critical alerts on current threats and vulnerabilities.
K-12 schools should take the following actions:
1. Join cybersecurity collaboration groups, such as MS-ISAC and K12 SIX
MS-ISAC membership includes reporting as well as data and information sharing. In addition, MS-ISAC K-12 community members receive critical alerts on current threats, risks, and vulnerabilities; free cyber tools, resources, and services; and 24/7 access to assistance that includes threat incident analysis, mitigation, and remediation.
A free and voluntary membership for SLTT governments, public K-12 education entities, public institutions of higher education, and any other non-federal public entity in the US.
2. Work with other information-sharing organizations
These include fusion centers, state school safety centers, other state and regional agencies, and associations.
3. Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel
Report every cyber incident to CISA, every time.
Additional Resources and Training for K-12 Students and Educators
This training environment offers more than 800 hours of free online, on-demand cybersecurity training for state, local, tribal, and territorial government personnel and veterans, including K-12 schools.
This free online, instructor-led course teaches you how to apply the principles of cybersecurity management.
This free online, self-paced course focuses on key concepts, issues, and considerations for managing cyber risk.
This free online, self-paced course provides essential knowledge and reviews real-life examples of cyber attacks to help you and your organization to prevent, mitigate, and respond to the ever-evolving threat of ransomware.
This webpage hosts federal government resources, guidance, and tools on cybersecurity for K-12 schools.
This webpage lists CISA trainings available to non-federal cybersecurity professionals and the public, including K-12 schools.
This catalog is a central location to help cybersecurity professionals of all skill levels find cybersecurity-related courses online and in person across the nation.
This video series provides tips for staying safe online. Topics include: the Internet of Things; Social Media Safety; Ransomware; Phishing; Making Strong Passwords; Online Gaming Safety; and Video Call Safety.
This training course is designed to help K-12 schools and districts understand cybersecurity considerations needed to inform school emergency operations plans and safety, security, emergency management, and preparedness programs.
This free computer security education program for students and teachers provides original content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University.
CISA encourages schools and districts to also contact their local regional offices for cybersecurity support and resources. CISA’s Cyber Security Advisors (CSAs) can provide schools with cyber preparedness, assessments and protective resources, incident coordination and support for cyber threats and/or attacks, and more.
Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.