Exclusive: CISA releases new K-12 cybersecurity game plan
The nation's cyber defense agency has drafted a plan for schools to beef up their cybersecurity operations in a highly anticipated report first shared with Axios and released this morning.
Why it matters: Schools have been inundated with ransomware attacks and other cyber incidents in recent years — but with smaller security budgets and fewer security personnel, they've struggled to respond.
The big picture: The number of reported cyber incidents between 2018 and 2021 rose from 400 to more than 1,300, according to the new report from the Cybersecurity and Infrastructure Security Agency.
- Just this week, the Los Angeles Unified School District confirmed that contractors' Social Security numbers were affected in a ransomware attack last fall.
- Most school districts CISA spoke with for the report either did not employ full-time cybersecurity personnel or didn't even have full-time IT staff.
Details: The report includes a mix of achievable, individual to-do items and broader community calls for cultural change across school districts.
- CISA encourages K-12 organizations to start with a "small number of prioritized investments," like setting up multi-factor authentication, creating and testing an incident response plan and implementing cybersecurity training.
- The report challenges K-12 administrators and superintendents to prioritize cybersecurity and go the extra mile in "securing necessary resources" — including seeking out grant funding or creating better deals with technology vendors.
- School districts should also join threat intel-sharing organizations, such as the K-12 Security Information eXchange and the Multi-State Information Sharing and Analysis Center, where groups trade information about the threat actors targeting their networks.
Catch up quick: Congress passed a law in late 2021 requiring CISA to issue the report published today, which details the threats posed to K-12 schools and recommendations for strengthening their defenses.
The intrigue: The report translates each of these high-level recommendations into bite-size steps schools can take up one at a time.
Between the lines: These recommendations aren't enforceable. However, CISA crafted them with input from teachers, school administrators and security specialists to help make them more achievable.
- During roundtable listening sessions, "an overwhelming majority of stakeholders across the educator and administrator communities reported that they had too many responsibilities and not enough time or resources to fulfill them," the report notes.
What they're saying: "This report is an important step to helping K-12 schools across the country protect themselves against cyberattacks that put the personal information of students and staff at risk," Senate Homeland Security Chair Gary Peters (D-Mich.), who led the bill mandating this report, said in a statement to Axios.
- "K-12 schools are increasingly targeted by criminal hackers, and this new resource from CISA makes easy-to-understand guidance about cybersecurity risks readily available to the schools that need it most," Peters added.
What's next: CISA plans to continue to engage with the K-12 community to help schools improve their security, as well as engage with tech vendors to "encourage provision of free or low-cost security tools and products."