The federal government is ramping up support for K-12 cybersecurity with a Government Coordinating Council for the Education Facilities Subsector, announced Thursday by the U.S. Department of Education and the Cybersecurity and Infrastructure Security Agency.
Education facilities fall under the Government Facilities Sector, which is one of 16 critical infrastructure sectors outlined as a security priority in Presidential Policy Directive 21. In 2013, the national directive called on all levels of local and federal government, in addition to the private sector, to strengthen and secure critical infrastructure from both physical and cyber threats.
The new council is aimed at expanding collaboration among federal, state, tribal and local governments to bolster schools' cyberdefense. Government coordinating councils participate in the development of the National Infrastructure Protection Plan, which details how the government and private sector can best mitigate risks and improve security outcomes, according to CISA.
The education facilities coordinating council will hold ongoing conversations between various stakeholders and share best practices for protecting K-12 schools from cyberattacks, according to the Education Department.
“The GCC embodies our commitment to ensuring the cybersecurity of our nation's schools,” said U.S. Deputy Secretary of Education Cindy Marten in a statement. “This initiative represents a monumental step forward in formalizing the partnership between federal, state, and local educational leaders in protecting our K-12 critical infrastructure.”
Schools are among the top targets for cyberattacks, particularly ransomware.
Meanwhile, CISA last week proposed a federal rule that would require covered entities to quickly report cyber disruptions and ransomware payments. These entities would have to report significant incidents within 72 hours of discovery, and critical infrastructure sectors would have to report ransom payments within 24 hours.
The proposal comes as lawmakers and IT professionals, especially within K-12, have long called for a more comprehensive reporting system for cyberattacks to better understand the scope of threats to school operations and sensitive data.
According to Cybersecurity Dive, analysts say there will likely be debates in the future regarding which entities within the 16 critical infrastructure sectors will have to comply under the proposed rule.
The White House has also been zeroing in on solutions to boost cyberdefense for schools, as it released guidance documents in August to support districts. States are ramping up efforts to support schools, too: 75 education-related cybersecurity measures passed in 2023 — a 620% increase from 2020, according to The Consortium for School Networking.