President Joe Biden has signed the K-12 Cybersecurity Act into law to enhance the cybersecurity of K-12 educational institutions.

The law highlights the significance of protecting the sensitive information maintained by schools across the country, the President says, and the “Administration looks forward to providing important tools and guidance to help secure our school’s information systems.”

The bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. The study must also evaluate the challenges that schools face in securing information systems owned, leased, or relied upon by those schools; and sensitive student and employee records.

Although the law is a good first step, Heather Paunet, Senior Vice President at Untangle, says, “Not all educational institutions have a deep enough understanding of how to go about protecting themselves, and having official guidelines and laws such as this one will strengthen security as a priority in a standardized way across the country. The support of the presidential office to secure systems and data at schools is significant. It will be extremely helpful in providing schools and administrators with the tools they need to properly protect their systems and data from cyberthreats.”

“Overall, this law, as well as the Biden Administration’s Executive Order on improving the Nation’s Cybersecurity ordered in May, demonstrate that high profile, disruptive attacks are being taken seriously. It’s important to see the government put strengthening security as a priority,” Paunet adds. 

John Bambenek, Principal Threat Hunter at Netenrich, notes, “Cybersecurity in any organization is an expensive proposition, either because tools cost money or professionals cost money. The fact is that many units of local government, and especially schools, simply don’t have money to spare. While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won’t be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place. This law is a good first step, but it cannot, and must not, be the last step.”