Three Cybersecurity Frameworks for School Systems 

According to research, education is the single most vulnerable sector when it comes to cybersecurity threats. Under-resourcing and a lack of cybersecurity preparedness mean that schools and other educational institutions accounted for nearly 7 million (63%) of all reported encounters in 2022. Policymakers and leaders are focusing their attention on the sector and on how to defend schools against cyber threats, including by implementing recommended cybersecurity frameworks.

What Are Cybersecurity Frameworks?

Cybersecurity frameworks are valuable tools that guide organizations in navigating the complex landscape of threats and vulnerabilities. These frameworks are essentially sets of standards, guidelines, and best practices that help organizations build and maintain effective security postures.

Think of them as roadmaps, designed by cybersecurity experts, that outline the essential steps to identify, protect against, detect, respond to, and recover from cyber incidents. Frameworks provide a structured approach to managing cybersecurity, ensuring no crucial aspects are overlooked. They promote risk assessment and mitigation, helping organizations prioritize their efforts based on potential threats.

Today, there are many frameworks designed for different stakeholder groups. Some frameworks are general; others are sector-specific. Three frameworks have proven popular – and really effective – in the US public school sector.

Here’s a quick rundown of the most common frameworks schools can use to prevent attacks. 

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)

The NIST Cybersecurity Framework, announced in February 2013, was prompted by President Obama’s Executive Order to create a voluntary cybersecurity standard.

The NIST CSF is a comprehensive and broad framework that applies to public and private entities in several areas. The framework has three primary components and covers five high-level functions: identify, protect, detect, respond, and recover.

Its core identifies and records 108 suggested cybersecurity best practices, while Implementation Tiers assess the rigor of an organization’s NIST CSF implementation, including the integration of cyber risk policies and procedures into overall decision-making and governance. Profiles help businesses tailor the Framework to their specific needs, objectives, risk appetite, and resources.


While this is a thorough and beneficial approach, it is very complex, and understanding and implementing the framework effectively can be daunting for resource-constrained school districts. The latest Nationwide Cybersecurity Review found K-12 schools lagging behind other government agencies in NIST CSF implementation.

Center for Internet Security Critical Security Controls (CIS Controls) Framework

Developed by the Center for Internet Security, the CIS Controls offer a more focused approach. Their 153 recommended practices, organized into 18 categories and grouped into three Implementation Groups (IGs), target specific cyber-attack tactics. The three implementation groups are:

  • Implementation Group 1 (IG1) is best suited to small to medium-sized businesses with limited IT and cybersecurity expertise. The emphasis is on protecting IT assets and people and on preventing wide, non-targeted cyberattacks (essential cyber hygiene). IG1 organizations prioritize operational continuity and the protection of low-sensitivity data.
  • Implementation Group 2 (IG2) is suited to businesses with specialist IT asset and system management teams that must meet federal or state cybersecurity compliance requirements. IG2 enterprises manage sensitive data and can withstand temporary service interruptions.
  • Implementation Group 3 (IG3) covers all 153 CIS-recommended best practices and is for companies with several cybersecurity specialists that must adhere to federal and state legislation. IG3 best practices are intended to prevent targeted attacks from sophisticated adversaries and to lessen the impact of expected zero-day attacks.

Schools might find IG1 and IG2 particularly relevant. IG1 addresses essential cyber hygiene suitable for limited staff environments, aligning with the majority of smaller schools. IG2 caters to organizations with dedicated IT staff and regulatory compliance requirements, reflecting the needs of larger districts or those facing heightened risks.

Will it work for your school? On the one hand, this framework helps schools prioritize critical security measures based on their size, resources and risk profile, provides specific, easily understood best practices, and targets known attack vectors relevant to the educational sector. On the downside, it doesn’t offer the comprehensive guidance of the NIST CSF. There are regular updates, and keeping up with new versions can be resource-intensive.

K12 SIX Essential Cybersecurity Protections for School Districts (K12 SIX Essential Protections)

Unlike broader frameworks such as NIST CSF or CIS Controls, K12 SIX stands out for its specificity. Designed specifically for school districts, the K12 SIX Essential Protections offer a highly relevant and practical framework. Its 12 actionable defenses address common cyber threats faced by schools and align with insurance requirements and government guidance. The defenses are grouped into four categories and presented with a four-level implementation rubric, which helps schools prioritize and measure progress.

These categories represent the key areas of focus for the framework:

  1. Network traffic sanitization: This focuses on measures to block malicious traffic and protect against online threats entering or leaving your school network.
  2. Device safeguarding: This covers securing all devices used within the school, including computers, tablets, laptops, and mobile phones.
  3. Identity protection: This is crucial for safeguarding confidential data of students, teachers, and staff, including passwords, access controls, and data encryption.
  4. Regular maintenance: This emphasizes the importance of ongoing activities like patching vulnerabilities, updating software, and conducting backups to maintain effective defenses.

Each category consists of four levels of implementation:

  1. At risk: This indicates the absence of basic control measures, leaving the school vulnerable to cyber threats.
  2. Baseline: This signifies the implementation of essential security practices to address minimal requirements.
  3. Good: This represents a more advanced level with stronger security measures in place.
  4. Better: This reflects the best possible implementation, exceeding basic requirements and providing robust protection.

Using this rubric, schools can assess their current cybersecurity posture within each category, identifying areas where they are “at risk” and need improvement. It also provides a roadmap for progress, highlighting areas where they can move from “baseline” to “good” or even “better” by implementing additional recommended practices.


Designed for beginners, it offers fewer best practices than NIST CSF or CIS Controls, but it integrates seamlessly with both for further growth.

| Feature | NIST CSF | CIS Controls | K12 SIX Essential Protections |
| Publisher | National Institute of Standards and Technology (NIST) | Center for Internet Security (CIS) | K12 Security Information eXchange (K12 SIX) |
| Current Version | 1.1 (April 2018) | 8 (May 2021) | 2022-23 School Year (October 2022) |
| Developed by | Government & industry collaboration | International, grassroots consortium | K-12 IT security professionals |
| Target Audience | All organizations (federal, critical infrastructure, public/private) | All organizations (including government) | K-12 schools |
| Number of Recommendations | 108 (23 categories across 5 functions) | 18 (153 safeguards across 3 groups) | 12 (across 4-level implementation rubric) |
| Suitability for K-12 Schools | Requires dedicated cybersecurity staff | Requires trained cybersecurity staff | Aspiring to better cybersecurity |
| Description | Voluntary, risk-based approach with customizable “profiles” | Prescriptive, prioritized security safeguards | Tailored to K-12 needs with practical implementation guidance |

The Journey of Cybersecurity Maturity

Think of K12 SIX as the launchpad on your cybersecurity journey. Start here, implement its recommendations, and gradually progress towards more comprehensive frameworks like NIST CSF or CIS Controls as your resources and expertise evolve. Here are three recommendations to bear in mind:

1. Choosing a Framework Is Less Important Than Using It Effectively

Frameworks are closely aligned and often interrelated, which means choosing a specific framework isn’t all-important – committing to a framework and to cybersecurity risk management is all that really matters.

2. Work Within Your Limits

Even with enough resources, developing a mature cybersecurity risk management program can take years. Investing in stronger frameworks may drain resources away from actions that can strengthen defenses in the short run. If your resources and expertise are limited, focus your attention where it can have the biggest impact.

3. Stay Flexible

Cybersecurity frameworks develop to address vulnerabilities and threats, and not all best practices are applicable to all K-12 organizations due to variances in technology, IT systems, risk tolerance, cybersecurity capacity, and budgets. Avoid a checklist-based approach to framework implementation.

Remember, frameworks are just tools. Ultimately, achieving robust cybersecurity requires a multi-layered approach that includes ongoing training, risk awareness, collaboration, and monitoring.