The NIST Cybersecurity Framework can guide overworked K-12 IT teams
The NIST Cybersecurity Identify Function is the first step when you decide to use the NIST Cybersecurity Framework. The National Institute of Standards and Technology (NIST) developed this Framework as part of its mission to provide best practices for several things, including cybersecurity. Today, K-12 districts are finding the Framework to be a useful tool. In some cases, districts are also being required to implement the Framework—in whole or in part—due to new state data security regulations.
Cybercriminals are targeting school districts. And it’s a problem that is intensifying because hackers take advantage of crises such as the COVID-19 pandemic. School districts are scrambling to protect their communities, but there aren’t many resources available for K-12 cybersecurity guidance. The Framework provides a flexible, relatively easy to follow roadmap that helps K-12 IT teams prioritize their efforts. The K-12 NIST Cybersecurity Framework is often the best option for school districts—and it’s free!
We were recently joined by Neal Richardson, the Director of IT at Hillsboro-Deering School District, for a discussion on how his team is implementing the NIST Cybersecurity Framework at his district. This is the first installment of a series on applying the NIST Cybersecurity Framework to K-12 schools. We’ve also published posts on each of the Five Functions of the framework, including information, insights, and advice from our discussion with Neal.
- The NIST Cybersecurity Protect Function
- The NIST Cybersecurity Detect Function
- The NIST Cybersecurity Respond Function
- The NIST Cybersecurity Recover Function
The NIST Cybersecurity Identify Function
The NIST Cybersecurity Identify Function sets the foundation for your Framework implementation project. It helps you to develop an organizational understanding of what you need to do to manage your district’s cybersecurity risk to systems, people, assets, data, and capabilities. It’s a way to customize your implementation by prioritizing your efforts based on your district’s specific needs, risks, and budget.
For example, here are some of the typical outcomes when using Identify. You will:
- Identify all the physical and software assets your district owns to create a foundation for an Asset Management program
- Identify the environment your school supports, including your role in your critical infrastructure sector, the Education Facilities Subsector of the Government Facilities Sector as defined by Homeland Security
- Identify the cybersecurity policies you already have in place that describe your existing plan, and identify legal and regulatory requirements you must comply with
- Identify where you’re vulnerable and the threats you face to internal and external resources and the measures you have in place to respond to those risks to create a basis for a Risk Assessment
- Identify a Risk Management Strategy that describes the tolerance your district has for risk
- Identify a Supply Chain Risk Management Strategy that describes your priorities, risk tolerances, and constraints for managing the risks in your supply chain for things like EdTech
Getting Started with the NIST Cybersecurity Identify Function
Many districts will need to get started by identifying the legal and regulatory requirements for their cybersecurity capabilities and processes. You’ll need to address federal requirements such as FERPA, COPPA, CIPA, HIPAA, etc. You’ll also gather information about state and local requirements.
For example, Neal Richardson needed to respond to a 2018 New Hampshire bill that required the state Department of Education to “establish minimum standards for privacy and security of student and employee data, based on best practices, for local education agencies.” This resulted in the adoption of a subset of the NIST Cybersecurity Framework as a minimum standard.
Neal recommends that most districts start by identifying and inventorying everything that connects to your network and/or domain, and determining what needs to be protected. This review would include laptops, desktops, mobile devices, printers, servers, thermostats, software, and third-party/cloud apps. For each of these items, you’ll need to identify what it is, where it is, what OS it’s running, and what software and apps are installed on it, including their version numbers.
Pro Tip: Break your network up into chunks and tackle them one at a time. Neal did this by breaking his district down into individual school buildings, then into individual hallways and rooms within each building. He and his Tech Coordinator cataloged everything that connects to their network and/or Google domain. This included everything from smart thermostats, door locks, and security cameras to on-premise servers, Chromebooks, and mobile devices.
Where to Go from Here
The issue of cybersecurity for K12 districts isn’t going away. Anxiety over incidents like ransomware, phishing, and DDoS attacks keep many IT professionals in K-12 awake at night. But many don’t know where or how to get started to build their defenses.
While it can be overwhelming for many teams who are already under immense pressure, the NIST Cybersecurity Framework is the best standard available to all types of organizations for improving your cybersecurity stance.
It’s not a matter of if, but a matter of when a data security incident will occur in your district. Don’t become another statistic! Take it one step at a time–every little bit will help you improve your district’s cybersecurity defenses.