Dive Brief:
- As federal efforts gear up to improve K-12 cybersecurity, the Cybersecurity and Infrastructure Security Agency has created a voluntary pledge for K-12 ed tech software providers to demonstrate commitment to creating better built-in security for their products.
- Overall, CISA’s pledge asks companies to “take ownership of security outcomes,” “embrace radical transparency and accountability,” and “lead from the top.” The agency, however, will not enforce the voluntary pledge nor follow up on a company’s adherence to these commitments.
- Six prominent ed tech companies have already signed the pledge as of Friday, including PowerSchool, ClassLink, Clever, Global Grid for Learning, Instructure and D2L, according to CISA.
Dive Insight:
The voluntary pledge is part of the Biden administration’s broader goal to hold tech companies more accountable for bolstering cybersecurity efforts — as established in the White House’s National Cybersecurity Strategy earlier this year.
The pledge further states that ed tech companies must provide single sign on services at no additional cost to a district, as doing so would reduce password-based attacks, according to CISA. The commitment adds that schools also should not be charged for security audit logs used for navigating and responding to cyberattacks.
Ed tech companies that sign on should also publish a roadmap detailing actions to eliminate any vulnerabilities. This features an outline of how companies plan to “nudge all users, including students,” to use multifactor authentication, CISA said. Companies signing the pledge are also asked to promise to publish a vulnerability disclosure policy that notifies the public of any susceptibilities after an established timeline.
Additionally, the pledge says, ed tech providers should publish security relevant statistics and trends, which could include the sharing of aggregated data on multifactor authentication adoption by customers or any history of previously implementing unsafe security practices.
On top of that, CISA said, companies signing the pledge should publicly name a top business leader who is responsible for security but is not the chief information security officer or chief technology officer. That same person “should be responsible for managing the process of integrating security and quality as a core function of the business, including the development and implementation of” the roadmap, according to the agency.
CISA’s latest announcement particularly shows that the White House’s goal of shifting cybersecurity responsibilities away from individuals, small businesses and local governments and onto tech companies must also apply to schools. The move adds to growing momentum among federal leaders as the U.S. Department of Education and CISA in August released guidance and best practices on building up schools’ cybersecurity infrastructure.
The Software and Information Industry Association “is pleased” that the White House is looking to reduce cyberattacks on K-12 schools, “and that it is taking steps to protect the security of student data,” said Sara Kloek, SIIA’s vice president of education and children’s policy, in an emailed statement. “We see immense value in the efforts of the Cybersecurity and Infrastructure Security Agency to encourage designing safe and secure technology products for schools.”
Yet there are no signs cyberattacks against school districts are stopping anytime soon, and the consequences are continuing to follow suit. Sensitive data can be compromised, and schools' already tightening budgets can be further strained through stolen funds, funding cybersecurity insurance, or paying off ransoms to hackers — though federal officials warn against this.
Recently, Prince George’s County Public Schools in Maryland reported that personal data “may be released online” following an Aug. 14 ransomware attack that reached 4,500 district user accounts out of 180,000. The district, one of the 20 largest in the U.S., said in a Friday update that there’s an understanding “the cyber attack may result in unauthorized disclosure of personal information of PGCPS users.”