CISA seeks vendor commitments to boost cybersecurity in K-12 schools


The nation’s cyber defense agency is building on White House efforts to secure schools' systems nationwide with the help of major education software companies.

The Cybersecurity and Infrastructure Security Agency launched a new initiative, part of the administration’s ongoing efforts to bolster cybersecurity in K-12 schools, that aims to place further responsibility on education technology and software providers.

The “K-12 Education Technology Secure by Design Pledge” is a voluntary agreement for K-12 education technology software manufacturers to commit to developing products with enhanced, built-in security measures. The pledge requires software providers to adopt three core principles: taking ownership of customer security outcomes, embracing “radical transparency and accountability” and leading from the top.

Six major K-12 software technology providers have signed onto the pledge, including PowerSchool, Classlink, Clever, GG4L, Instructure and D2L. By signing the commitment, the companies have all agreed to publish secure by design roadmaps, which document internal processes used to eliminate known bugs as well as information on hiring and coding best practices. The pledge also includes the public release of vulnerability disclosure policies and lists of top leaders within their firms tasked with integrating security into the core function of their businesses. 

CISA Director Jen Easterly said in a statement that the goal of the pledge is to address K-12 cybersecurity issues and help ensure schools and administrators “have access to technology and software that is safe and secure right out of the box.” 

“We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development,” Easterly said. 

Earlier this summer, the White House and private sector partners like Amazon Web Services announced a new cybersecurity campaign to better safeguard schools ahead of the upcoming year and established the Government Coordinating Council to help spearhead cybersecurity policy and communications in K-12 schools. 

Experts told Nextgov/FCW at the time that the administration's efforts were a "step in the right direction" but may not go far enough to protect school systems from an expected onslaught of cyberattacks. 

As reports indicate schools are facing increased cyber threats, CISA has begun prioritizing on-site K-12 cybersecurity reviews to help schools prevent cyber-enabled fraud schemes and combat ransomware attacks. 

The administration has also increasingly pushed to extend secure-by-design principles across software products and industries, and directed federal agencies to prioritize investments in secure-by-design technologies in their 2025 budget requests.