Forum Guide to Cybersecurity: Safeguarding Your Data
Appendix B: Resources on Cybersecurity in Education Agencies
The following is a sample list of resources developed by the federal government and state education agencies (SEAs) related to cybersecurity, including data security, in education agencies. This list is not intended to be comprehensive.
Federal Resources
Accessing SLDS Data: Innovative Solutions to State-Specific Security Controls
U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics, Statewide Longitudinal Data Systems (SLDS) Grant Program
https://slds.ed.gov/#communities/pdc/documents/18796
This spotlight highlights two states, California and Louisiana, with laws that strongly regulate data access. It describes how their state education agencies have adapted their data management and data use procedures to comply with state requirements while continuing to meet their reporting and operational needs.
Best Practices for the Design and Implementation of Data Privacy and Security Programs
U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics, SLDS Grant Program
https://slds.ed.gov/#communities/pdc/documents/18793
This brief offers an overview of key concepts and content to be covered in privacy and security plans for state SLDS agencies as well as methods of developing and implementing these plans. It draws on best practices identified by the Privacy Technical Assistance Center (PTAC) and includes examples of privacy and security plans from Wisconsin and Kentucky.
Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments
U.S. Department of Justice, Federal Bureau of Investigation, Internet Crime Complaint Center
https://www.ic3.gov/media/2020/200401.aspx
This public service announcement identifies cybersecurity threats that have increased as a result of the coronavirus disease (COVID-19) pandemic and provides recommendations to counteract these threats.
Cyber Investigations
U.S. Department of Homeland Security, U.S. Secret Service
https://www.secretservice.gov/investigation/#cyber
The U.S. Secret Service cybercrime mission has expanded the scope of its investigative efforts beyond its traditional limits. As part of its mandate to combat financially motivated cybercrime, the U.S. Secret Service complements its investigative efforts with educational outreach programs. These programs are aimed at strengthening the ability of private and public sector entities to protect themselves against an array of cybercrime.
Cybersecurity and Remote Learning and Working
U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics, National Forum on Education Statistics and SLDS Grant Program
https://slds.grads360.org/#communities/pdc/documents/18939
The Forum and the SLDS Grant Program joined efforts for Steven Hernandez, chief information security officer for the U.S. Department of Education, to deliver a virtual presentation. The webinar provided information on the security implications of virtual education technologies and shared best practices for securing agency information and data while working and learning remotely.
Cybersecurity Considerations for K-12 Schools and School Districts
U.S. Department of Education, Office of Safe and Supportive Schools, Readiness and Emergency Management for Schools Technical Assistance Center
https://rems.ed.gov/docs/Cybersecurity_K-12_Fact_Sheet_508C.PD
This fact sheet focuses on addressing threats to a school’s or school district’s networks and systems, also called cybersecurity considerations.
Data Breach Response Checklist
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/resources/data-breach-response-checklist
This checklist of critical breach response components and steps is intended to assist education agencies in building a comprehensive data breach response capability. It is meant to be used as a general example illustrating current industry best practices in data breach response and mitigation applicable to the education community.
Data Security and Management Training: Best Practice Considerations
U.S. Department of Education, Student Privacy Policy Office
This brief provides best practices for data security and data management training for education leaders. It discusses key training concepts to follow, content, delivery methods, and possible audiences for training.
Data Security Checklist
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/resources/data-security-checklist
This checklist is designed to assist education agencies with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with a focus on solutions and procedures relevant for supporting data security operations of education agencies.
Data Security Threats: Education Systems in the Crosshairs
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/resources/data-security-threats-education-systems-crosshairs
This presentation reviews security threats to education data systems, including common ways in which these systems can be exploited. It also offers suggestions on assessing system vulnerabilities and mitigating the risks.
Family Educational Rights and Privacy Act (FERPA) and the Coronavirus Disease 2019 (COVID-19)
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/resources/ferpa-and-coronavirus-disease-2019-covid-19
The purpose of this guidance is to answer questions that school officials may have had concerning the disclosure of personally identifiable information from students’ education records to outside entities during the coronavirus disease (COVID-19) pandemic.
FERPA and Virtual Learning During COVID-19
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/training/ferpa-and-virtual-learning-during-covid-19-webinar-recording
This webinar is intended to provide information on privacy best practices and insight into helpful resources available to the education community during the coronavirus disease (COVID-19) pandemic.
Federal Risk and Authorization Management Program (FedRAMP)
General Services Administration
FedRAMP is a cybersecurity risk management program by which the U.S. federal government determines whether cloud products and services are secure enough for purchase and use by federal agencies. The FedRAMP Marketplace provides a database of cloud services that have achieved a FedRAMP designation.
How to Engage and Train Stakeholders Regarding Privacy and Security Best Practices
U.S. Department of Education, Institute of Education Sciences, National Center for Education Statistics, SLDS Grant Program
https://slds.ed.gov/#communities/pdc/documents/18506
This brief offers an overview of key concepts and content to be covered in privacy and security training for SEAs as well as methods of delivering that content to stakeholders. It draws on best practices identified by PTAC and includes examples of privacy and security training among state agencies involved in Utah’s SLDS.
Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Schools
U.S. Department of Education, Office of Safe and Supportive Schools, Readiness and Emergency Management for Schools Technical Assistance Center
https://rems.ed.gov/IntegratingCybersecurityForK12.aspx
In this webinar, presenters provided an overview of the landscape of cybersecurity threats facing K-12 schools. Resources, programs, and tools to help schools maintain secure networks and prevent cyber-attacks were also shared.
Issue Brief: Data Security Top Threats to Data Protection
U.S. Department of Education, Student Privacy Policy Office
https://studentprivacy.ed.gov/resources/issue-brief-data-security-top-threats-data-protectio
This brief outlines critical technical and non-technical threats to education data and information systems. A brief description of each threat is followed by a suggestion of appropriate risk mitigation measures.
Keeping Children Safe Online
U.S. Department of Justice
https://www.justice.gov/coronavirus/keeping-children-safe-online
This webpage provides guidance for teachers, parents, guardians, and caregivers on protecting children from becoming victims of online child predators during school closures due to the coronavirus disease (COVID-19) pandemic.
National Cybersecurity Assessments and Technical Services (NCATS)
U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency
https://www.us-cert.gov/resources/ncats
The NCATS team supports federal, state, and local governments and critical infrastructure partners by providing proactive testing and assessment services. NCATS provides its stakeholders with an objective third-party perspective of their operational cybersecurity posture, identification of security control strengths and weaknesses, and actionable reports that champion the implementation of mitigations and controls capable of positive impact toward reduction of overall risk.
National Infrastructure Protection Plan (NIPP) Government Facilities Sector-Specific Plan for 2015
U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/publication/nipp-ssp-government-facilities-2015
The Government Facilities Sector-Specific Plan details how the NIPP risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Education Facilities Subsector includes facilities that are owned by both government and private sector entities and covers pre-kindergarten through 12th-grade schools, institutions of higher education, and business and trade schools.
NIST Special Publication (SP) 800-53
U.S. Department of Commerce, National Institute of Standards and Technology (NIST)
The NIST SP 800-53 database represents the security controls and associated assessment procedures defined in NIST SP 800-53 (Revision 4) Security Controls for Federal Information Systems and Organizations.
Responding to Information Technology (IT) Security Audits: Improving Data Security Practices
U.S. Department of Education, Student Privacy Policy Office
IT audits can help organizations identify critical gaps in data security and reduce the threat of security compromises. This issue brief explains what audits are and how they can be used to improve data security.
Secure Video Conferencing for Schools
U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency
https://www.cisa.gov/publication/secure-video-conferencing-schools
These resources provide cybersecurity recommendations and guidance for K-12 schools to help keep schools, staff, and students safe while videoconferencing.
SITE ASSESS: A Mobile Application (App) for K-12 Schools, School Districts, and Institutions of Higher Education
U.S. Department of Education, Office of Safe and Supportive Schools, Readiness and Emergency Management for Schools Technical Assistance Center
https://rems.ed.gov/SITEASSESS.aspx
This free, secure, and comprehensive mobile app is designed for school district and school personnel to examine their security, safety, accessibility, and emergency preparedness. The app generates a customized to-do list that may be used in the short term and long term to address facility improvements, prompts teams to share pertinent information with first responders, and contains relevant resources on education facility and preparedness topics. Included within the section on Computers and Network Systems are tasks that examine cybersecurity.
SP 1800-series Documents
U.S. Department of Commerce, National Institute of Standards and Technology (NIST)
https://csrc.nist.gov/publications/sp1800
NIST SP 1800-series documents present practical, usable, cybersecurity solutions to demonstrate how to apply standards-based approaches and best practices. Each publication generally serves as a “how-to” guide that is designed to help organizations gain efficiencies in implementing cybersecurity technologies while saving them research and proof of concept costs.
State Resources
Cybersecurity
Colorado Department of Public Safety
https://www.colorado.gov/pacific/cssrc/cyber-security
This webpage provides information and links to helpful resources on cybersecurity in local education agencies (LEAs) and schools.
Cybersecurity
Indiana Department of Education
https://www.doe.in.gov/cybersecurity
This initiative funded several activities to improve the cybersecurity position of Indiana schools, including a cybersecurity training and awareness service for K-12 school personnel, funding for high school cybersecurity coursework, and matching grants for schools to improve their e-security stance. The following webpages include additional information related to the initiative:
- Cybersecurity Task Force Cyber Blog (https://www.indianactocouncil.org/domain/39)
- Resource Hub (https://www.doe.in.gov/cybersecurity/resource-hub)
- Indiana K-12 Cybersecurity Audit Checklist (https://docs.google.com/spreadsheets/d/11vdbs4_Eh8RohaOPH_V0ksmT37JzxsE4K_UWyc5WTaM/edit?usp=sharing)
Cybersecurity Task Force
California Office of Emergency Services
https://www.caloes.ca.gov/cal-oes-divisions/cybersecurity-task-force
This webpage provides information on the California Cybersecurity Task Force, a statewide partnership comprised of key stakeholders, experts, and professionals from California’s public, private, academic, and law enforcement sectors.
Data Privacy
California Department of Education
https://www.cde.ca.gov/ds/ed/dataprivacy.asp
This webpage provides information and links to laws, policies, and best practices on data privacy for parents, teachers, local education agencies, and the general public.
Data Privacy and Security
Colorado Department of Education
https://www.cde.state.co.us/dataprivacyandsecurity
These webpages contain federal and state policies that the Colorado Department of Education adheres to, data privacy and security procedures, as well as guidance and resources for various stakeholders.
Data Privacy and Security
Kentucky Department of Education
https://education.ky.gov/districts/tech/Pages/Data-Security-Privacy.aspx
The webpage serves as a hub for information on data privacy and security. It includes links to applicable federal and state laws, policies, and best practices established by the Kentucky Department of Education, and resources and training by audience and topic.
IT Security Incident Communication
Washington State Office of the Chief Information Officer
https://ocio.wa.gov/policy/it-security-incident-communication
This policy was created to ensure the scope and impact of IT security incidents are properly evaluated, and that a coordinated, centralized approach is used to determine if, when, and how to communicate notification of an incident.
North Dakota Computer Science and Cybersecurity K-12 Standards
North Dakota Department of Public Instruction
https://www.nd.gov/dpi/sites/www/files/documents/Academic%20Support/CSCS2019.pdf
These learning standards provide North Dakota educators, school administrators, and parents the information they need about what students should know and be able to do about computer science and cybersecurity from kindergarten through high school. The standards set expectations for student learning to increase student awareness of the importance of cybersecurity in schools and the workplace.
Privacy of Pupil Records
California Education Code
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=EDC&sectionNum=49073.1
This state legislation sets requirements for California LEAs to protect the privacy of student records, including situations in which an LEA contracts with a third party to provide software or services for the digital storage, management, and retrieval of student records.