How a CISA proposal could impact K-12 cyber incident reporting

A leading K-12 cybersecurity nonprofit last week came out in support of a proposed rule that would limit reporting of major cyber incidents to school districts enrolling over 1,000 students.

Between 2016 and 2022, 1,327 K-12 entities experienced one or more publicly disclosed cyber incidents, the K12 Security Information Exchange said, commenting last week on the rule proposed by the Cybersecurity and Infrastructure Security Agency.

Among those incidents, 19% came in districts with fewer than 1,000 students, K12 SIX said. Some 18% of districts with incidents enrolled 1,000 to 2,499 students.

The remaining 63% were districts with over 2,499 students or were a regional or state education agency.

“As such, by setting the proposed threshold for participation in mandatory cyber incident reporting requirements at 1,000 or more student enrollments, about 80% of significant incidents affecting the sector could be captured while sparing approximately 50% of the sector from the burden of participation,” K12 SIX’s wrote. “This suggests the 1,000-student enrollment threshold for LEAs is appropriate.”

CISA’s proposed rule, published in the Federal Register in April, would implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. That law stipulates that entities covered by its reporting requirements must disclose disruptive cyber incidents within 72 hours from when the entity reasonably believes the incident occurred.

They must also report to CISA any ransom payments made to cybercriminals within 24 hours of doing so.

All state education departments would be required to report cyber incidents and ransom payments, as would half of school districts, according to CISA. “Some percentage of” regional state-authorized education centers would be excluded from reporting requirements as well.

Overall, K12 SIX supported the proposed rule, but the organization called for clarification on how the K-12 sector should report cyber incidents initiated by students. K12 SIX also said CISA’s rule should clarify coverage for state and regional education agencies, given their critical role in the K-12 sector.

The CISA proposal comes as schools remain highly vulnerable to ransomware attacks. Cybersecurity remains a top concern for district ed tech leaders, according to the Consortium for School Networking.

Earlier this month, the U.S. Department of Education and the University of California, Berkeley, Center for Long-Term Cybersecurity launched an initiative to improve cyber defense in K-12 by encouraging collaboration between ed tech vendors and cybersecurity professionals. And in April, CISA and the Education Department created a council to help facilitate federal, state, tribal and local efforts to improve protections for schools’ digital infrastructure.