Incident Reporting & The Critical Infrastructure Act of 2022 – K12 Schools Should Be Included

In March 2022, President Biden signed into law Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | CISA. Enactment of the CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payment to CISA.

iboss applauds the work of CISA to protect critical infrastructure from cyber-attacks and to solicit public feedback on the implementation of CIRCIA. iboss believes CISA’s implementation of CIRCIA should include K-12 schools, who have increasingly been victimized by malicious cyber actors through ransomware and other attacks, which have disrupted critical educational services and put students and their personal information at risk. Although the threat to schools is clear, we lack a systematic understanding of its scope at least in part because of the distributed, diverse nature of the K-12 education sector, with more than 13,000 school districts, ranging from a few hundred students to over a million, and data systems spanning across jurisdictions and both private and public entities. Establishing cyber incident reporting requirements will help families, school leaders, and policymakers gain a better understanding of the sector’s needs. That reporting will also enable CISA and others to provide the sector with early warnings and guidance regarding cyber threats as CIRCIA envisions — information that is particularly valuable in this sector, in which schools and other institutions often lack the expertise and resources to engage in cyber threat monitoring, or obtain cyber threat intelligence, to inform the sectors procurement policies and practices, to secure these benefits, CISA should:

  • include K-12 schools, related educational institutions, and their private contractors in CIRCIA’s reporting obligations.
  • establish vendor criteria / prerequisites that align with the National Institute of Standards and Technology (NIST) 800-207 Zero Trust framework:
  • coordinate with the U.S. Department of Education to ensure K-12 schools and other educational institutions have the resources they need to meet their reporting obligations.

Public K-12 schools and related educational institutions such as state educational agencies provide critical services to the public, and the Department of Homeland Security has long recognized their importance as “critical infrastructure.” In implementing CIRCIA, CISA should continue to recognize K-12 schools, related educational institutions, and their private contractors as critical infrastructure subject to CIRCIA’s requirements, and further define “substantial cyber incident” to encompass the serious cyber-attacks that are increasingly threatening the K-12 sector.


iboss K12 Blog

Richard Quinones, iboss SVP – Education