Review of K-12 cyber incident response plans has started, says Ed. Dept.

A department official said incident response plans last updated in 2010 are getting a new look, following a GAO report last year.

A U.S. Department of Education official said Thursday that the department is starting to make some progress on revising K-12 cybersecurity guidance that hasn’t been updated in more than a decade.

Speaking during an online event hosted by the K-12 Security Information Exchange, or K12 SIX, Kristina Ishmael, the deputy director of the department’s Office of Education Technology, said that preliminary conversations on revising the guidelines have begun, but that the process also involves several other offices.

Ishmael had been asked about a report issued last year by the Government Accountability Office, Congress’ auditing arm, that found that the federal government last updated its recommendations for how schools should respond to cyber incidents in 2010 — even though such documents are supposed to be revised at least once every three years.

In the dozen years since the last revision, K-12 schools nationwide have been barraged by a range of online threats, including ransomware, denial-of-service attacks and business email compromise schemes, to say nothing of the added challenges brought on by pandemic-era remote learning.


“We’re in the nascent stages,” Ishmael said.

But she was quick to point out that it’s another Education Department bureau — the Office of Safe and Secure Schools — that’s responsible for drawing up plans for school safety, including cybersecurity. A third agency, the Office of Elementary and Secondary Education, is also involved in the process, Ishmael said.

In their report last year, GAO auditors wrote that the Office of Safe and Secure Schools is supposed to consult with the Cybersecurity and Infrastructure Security Agency to develop a sector-specific incident-response plan for K-12 institutions.

Thursday’s event came hours after K12 SIX, a nonprofit industry group, published its annual report on the state of grade-school cybersecurity. The organization found that while the overall number of attacks against K-12 organizations dipped in 2021, the cost of recovery from incidents like ransomware is increasing, while criminal actors’ tactics are growing more aggressive.

The report also said that school districts nationwide should “implement baseline cybersecurity controls,” such as better malware filtering, greater endpoint protection, stronger password management for all users and more timely system updates.


Ishmael said that the Education Department recently assigned a full-time employee to work on K-12 cybersecurity policy and that a working group is talking with both CISA and the National Institute of Standards and Technology.

“We just need to do a better job of coordinating and then making sure that we can fulfill those recommendations that were put out by GAO,” she said.
