School districts are finding the NIST Cybersecurity Framework a useful way to manage cybersecurity
The National Institute of Standards and Technology (NIST) works closely with industry, government agencies, and scientists around the globe to set standards that allow critical technologies to work together. NIST first released the NIST Cybersecurity Framework in 2014 and has updated and developed training materials since. Agencies, organizations, and companies of all types and sizes have been adopting the Framework ever since.
School districts around the country have begun taking notice of it more recently. This is largely due to a growing number of more stringent state data security and compliance laws being passed, as well as the increase in cyberattacks targeting K-12 school districts.
But schools are woefully underfunded, and IT teams are already stretched thin. The unfortunate reality is that few district IT teams have the knowledge, resources, and/or budget to implement effective K-12 cybersecurity programs. Any K-12 implementation of the NIST Cybersecurity Framework has to be adapted to these conditions.
The good news is that the Framework was developed specifically with adaptability and scalability in mind. This is just one of several reasons why the NIST Cybersecurity Framework is particularly beneficial for school districts.
Why Use the NIST Cybersecurity Framework?
K-12 cybersecurity is a critical issue for school districts because cybercriminals now frequently target them, and the number of incidents is on an upward trajectory. School districts maintain a large amount of personal information and are often running outdated technology—and the hackers know it.
Hackers take advantage of any crisis. For example, when schools tried to reopen during the COVID-19 pandemic, cybercriminals attacked a number of school districts and closed some of them down with ransomware attacks.
Using the NIST Cybersecurity Framework offers K-12 districts a number of benefits. It provides a systematic approach to cybersecurity that you can incorporate into your program. In addition, you can tailor the NIST Cybersecurity Framework to the needs, capabilities, and budget of your district. The Framework will also help you to identify areas where you need to improve your defenses.
The Framework doesn’t just support the district IT team. It also helps you communicate with district stakeholders and helps staff at every level tackle cybersecurity issues in their areas of responsibility. When you clear away cybersecurity myths, it’s easy to see why school districts must make cybersecurity a high-visibility issue.
The 5 Functions of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is built around Five Functions that lay the foundation for implementing the Framework, establish goals, and represent the primary pillars for success.
The Identify Function in the NIST Cybersecurity Framework is critical for your district to understand what it needs to do to ensure cybersecurity. It will help you focus on the right things and prioritize your cybersecurity efforts in order to achieve your goals. Activities include:
- Identify the assets you need to protect
- Develop and implement procedures to ensure asset protection
- Identify the legal and regulatory requirements you must meet
- Empower your staff through training
During the Protect Function, you will develop and implement a plan for how you can safeguard critical services to limit the impact of a cybersecurity incident. This is the Function where planning, prioritizing, and implementing your multi-layered cybersecurity tech stack happens. Activities include:
- Developing protections for identities, access control, and data
- Implementing protection procedures
- Managing protective technology
After you have decided what you need to protect and how you will protect those things, the Detect Function focuses on identifying when a cybersecurity incident is taking place. No system is 100% protected, no matter how much budget and resources you have to throw at it. This is why detection is so critical. This Function will help you determine how you can detect an attack quickly. Activities include:
- Ensuring that anomalies and events are detected
- Implementing continuous monitoring capabilities
The Respond Function focuses on putting processes in place that describe how you will respond to a cybersecurity incident. Activities include:
- Ensuring that response plans are documented and executed
- Managing communications with district staff, law enforcement, and other external stakeholders
- Defining mitigation activities and establishing a process for identifying and implementing improvements to avoid incidents in the future
The Recover Function identifies how you will restore anything that a cybersecurity incident damaged. Activities include:
- Ensuring the implementation of recovery processes
- Implementing improvements based on having experienced an incident
Getting Started with a K-12 NIST Cybersecurity Framework
Cybersecurity for K-12 has historically taken a bit of a backseat for many districts. With the plethora of new risks and threats districts are facing today, there is a lot of confusion about where to start. To help shed some light on how district tech leaders can fortify their cybersecurity infrastructure, we’ve been hosting a series of webinars with K-12 IT professionals themselves.
We recently interviewed Neal Richardson, Director of Technology at Hillsboro-Deering School District, to learn how he and his team are implementing elements of the NIST Cybersecurity Framework.
In 2018, the state of New Hampshire passed state law RSA 189:66, which, among other things, required school districts to comply with a subset of the NIST Cybersecurity Framework standard. Neal Richardson was naturally placed at the forefront of implementing the state’s new compliance standards for his district and had some wonderful insights to share.
Over the next several weeks, we’ll be breaking down the NIST Cybersecurity Framework and taking a deeper look at each Function. We’ll include what we’ve learned from Neal and others who have been working to improve K-12 cybersecurity operations.
Stay tuned for more by subscribing to the blog! You can also get a head-start by watching the full recorded interview with Neal here.