
Steps STEM Schools Can Take to Improve Cybersecurity

Schools are a particular target because they hold valuable information like staff and student personal data, but they often lack resources to build a comprehensive cybersecurity program, leaving many K-12 schools as “target-rich, cyber poor.”

Many schools initially feel overwhelmed at the prospect of addressing cybersecurity and often struggle to identify the best place to start. But schools should begin by investing in the most impactful security measures and then building toward a mature cybersecurity plan that aligns with federal guidance, such as:

• Implementing multi-factor authentication (MFA)

• Using CISA's Vulnerability Scanning service or the Known Exploited Vulnerabilities (KEV) Catalog to fix known security flaws

• Performing and testing backups

• Developing and exercising a cyber incident response plan

• Creating training and awareness campaigns

• Prioritizing near-term investments in alignment with the full list of CISA’s Cybersecurity Performance Goals

• Developing a unique cybersecurity plan in alignment with NIST or other effective cybersecurity frameworks

All of those steps are outlined and described in the Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats report and accompanying toolkit, which are accessible on CISA.gov.

K-12 schools and school districts should also know their institution is not an island and there are plenty of partners to help them with their cybersecurity journey. They can work with state planning committees to leverage capacity-building funding opportunities like the State and Local Cybersecurity Grant Program (SLCGP) or Tribal Cybersecurity Grant Program, which is managed by CISA and the Federal Emergency Management Agency (FEMA). K–12 organizations should also establish a relationship with their state or regional CISA Cybersecurity Advisors, or CSAs, to prevent and, where needed, respond to cybersecurity incidents.

CSAs offer cybersecurity assistance to critical infrastructure owners and operators as well as State, Local, Territorial, and Tribal (SLTT) officials. And it’s important to remember that schools are designated as part of that critical infrastructure network.

Our regional staff provide services local to K-12 institutions in all 50 states and U.S. territories.

Each Region is led by a senior Regional Director who in turn leads a cadre of security professionals distributed throughout the region to meet each of our partners where they are. These professionals include local and regional Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), Emergency Communications Coordinators, and Chemical Security Inspectors.

These regional teams have deep capabilities to support all of you in analyzing and prioritizing potential risks, recommending effective mitigations, sharing information about emerging threats, and providing access to CISA’s wide range of risk reduction services. CISA’s regional staff can also help organizations conduct free assessments to identify security vulnerabilities that may help with converging security operations.

In addition to our regional team, the resources we have described are available on the CISA website to help organizations prepare for and respond to ransomware incidents. You can also sign up for alerts and advisories on the CISA website for timely and actionable cyber threat intelligence.

Finally, non-federal partner organizations can also provide K-12 schools and districts with a wealth of additional cybersecurity best practices and guidance, including the Multi-State Information Sharing and Analysis Center (MS-ISAC), as well as state fusion centers, school safety centers, and regional organizations like the K-12 Security Information eXchange (K-12 SIX) and the Consortium for School Networking (CoSN).