A Superintendent’s Guide to Federal Cybersecurity Grants

Here’s what you need to know about the $1 billion State and Local Cybersecurity Grant Program

Cybersecurity threats and attacks continue to rise. According to a survey of school IT professionals by cybersecurity firm Sophos, at least 80 percent of schools across 14 nations—including the United States—were victims of ransomware attacks in 2022. K-12 education was the most targeted industry, as schools are especially vulnerable, “data-rich” environments with a wealth of student data, administrative records, and even parent data like Social Security numbers and credit card information.

To help address the issue, the U.S. Department of Homeland Security has made $1 billion in funding available through the State and Local Cybersecurity Grant Program (SLCGP) to state, local, and territorial governments—including school districts—over the next four years. A FAQ page addressing common questions about the program can be found here.

The purpose of these grants is to address cybersecurity risks and threats to information systems owned or operated by—or on behalf of—state, local, and territorial governments. Only states and territories can apply for these grants. At least 80% of a state’s award has to be sub-granted to local government agencies, including school districts.

Here’s what superintendents and school leaders need to know about the grant program to improve their cybersecurity.

Why It Matters: Improving K-12 Cybersecurity

According to K12 Six’s 2022 State of K-12 Cybersecurity Report, there were 166 school incidents affecting schools in 162 school districts in 2021. Schools and districts face a wide—and growing—variety of threats and attacks, including student data breaches, breaches involving teachers and school community members, ransomware attacks, business email compromise (BEC) scams, denial of service (DoS) attacks, website and social media defacement, and online class and school meeting invasions.

In 2022: 80% of schools across 14 nations—including the United States—were victims of ransomware attacks. SOURCE: The State of Ransomware in Education 2023, Sophos

The costs can be devastating. A 2021 IBM report finds that the average cost of a data breach is $4.24 million. Recovery from ransomware attacks lasts an average of 287 days, “even when the victim organization believed it had secure backups in place prior to the attack,” according to the IST Ransomware Task Force.

The K-12 education sector is becoming an increasingly popular target for cyberattacks. “Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold,” says Doug Levin, National Director of K12 Security Information Exchange (K12 SIX), in an interview with Education Week. “…it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud.”

While no one can make their district 100% safe from cyberattacks, superintendents and district leaders can significantly improve their data security and privacy by strengthening their cybersecurity best practices and creating a more solid human firewall to prevent attacks. A recent Tech & Learning article advises that to prevent and survive ransomware attacks, districts should:

  • Get 24-hour protection to monitor networks
  • Create strong backups
  • Harden network defenses
  • Gain awareness of what’s stored on the network
  • Feature a ransomware response plan in hardcopy format

How You Can Use Cybersecurity Grant Funds     

The State and Local Cybersecurity Grant Program was authorized under the federal Infrastructure and Jobs Act of 2021, with allowable uses that include developing or revising a cybersecurity plan, implementing that plan, and addressing imminent cybersecurity threats.

When evaluating the state of your cybersecurity plan, consider several planning practices. To better prepare your district:

  • Conduct a security audit at least every six months. A third-party audit gives you a holistic view of how your technology is laid out and how to take appropriate actions when needed.
  • Document plans for dealing with any situation. An example is using the PICERL process (Preparation, Identification, Containment, Eradication, Recovery, and Lessons) as a best practice to prepare for each step of any security risk.
  • Communicate with all your staff, parents, and students about how to report (and avoid) phishing attempts
  • Follow an established schedule for updates, backups, and patches
  • Transition hosting to your software system vendors. By doing so, you can reduce risk with benefits like 24/7/365 monitoring and increase data security with advanced security technologies.

As a leading provider of K-12 education technology solutions, PowerSchool is committed to being a good custodian of student data—and a best-in-class partner to help superintendents and their K-12 institutions develop, revise, and implement a solid cybersecurity plan. Our data security and privacy standard practices include:

  • Leadership by a dedicated security team led by a credentialed chief information security officer (CISO)
  • Compliance with all applicable state, province, and federal data privacy regulations, including the Family Education Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Rule (COPPA), Breach Laws, Data Residency Laws, the Digital Millennium Copyright Law, and the Sarbanes-Oxley Act
  • Holder of privacy certifications from industry leaders such as TrustArc and Privo; and signatory of the national Student Privacy Pledge
  • Achievement of ISO/IEC 27001:2022 certification, renewed each year; and compliance with the SOC 2® (Security Operations Center) examination

Cybersecurity Grants: How PowerSchool Can Help

The State and Local Cybersecurity Grant Program’s description of what a cybersecurity plan needs is broad. The state is responsible for having the plan, and then state and local schools and districts need to align with that plan. To be eligible for funding, state plans must be able to show how they will reduce the risk of cybersecurity threats, ensuring:

  • The preparation, response, and resiliency of information systems, applications, and user accounts… against cybersecurity risks and cybersecurity threats
  • The continuity of operations in the event of a cybersecurity incident
  • Regular drills to practice responding to a cybersecurity incident

Modern edtech systems directly address these criteria. Specifically, PowerSchool’s suite of products is built with advanced interoperability, which reduces security vulnerability by keeping all your data on one heavily protected platform.

How exactly does the interoperability of PowerSchool products improve your security?

  • Creating a more controlled environment, with user permissions adjustable for various roles, to make sure you’re granting access to only those staff who need it
  • Simplifying processes to reduce security risks. With single sign-on (SSO) technology, users have one login to prevent password theft.
  • Making account management more consistent, allowing you to maintain comprehensive security best practices with unified, integrated technology and role-based permissions
  • Providing single logout, so that signing out of one program automatically signs you out of every program

PowerSchool Presents Cybersecurity Commitments at White House K-12 Cybersecurity & Data Privacy Event

PowerSchool CEO Hardeep Gulati’s message about how PowerSchool makes protecting student, staff, and school data a year-round priority.

As a company, PowerSchool takes the following measures to make your data and privacy as safe as possible:

  • We depend on a Security Operations Center (SOC). PowerSchool hosts thousands of customers. Security and maintenance responsibilities are on us as the cloud provider, and we take them very seriously. We depend on an SOC, which is a centralized unit that deals with security issues on an organizational and technical level. An SOC outlines audits, tools, and how we configure our network so we can keep information secure.
  • We are ISO 27001 certified. The ISO 27001 certification outlines standards with annual, third-party audits that evaluate our processes, trainings, and more.
  • We help our customers create standard security audits. This educates them on critical questions to ask their vendors and what they should look for in highly secure applications.
  • We have a Customer Security Advisory Board. PowerSchool collaborates with CIOs and security professionals from select districts, meeting regularly to discuss updates and trends in data security, raise concerns about areas of risk, and share best practices for improving security.
  • We partner with certified companies. When PowerSchool works with best-in-class hosting vendors, we require them to submit their security specifications to maintain the highest security standards.
  • We focus on our internal security. PowerSchool trains 100 percent of our employees on internal security every year.
  • We provide security vulnerability tracking. PowerSchool has a formal tracking process for any time a vulnerability is reported. We have made significant investments in tools to continually put our own systems to the test to ensure the strength of our wall of protection.

As a result of our commitment to being the edtech leader in student data privacy protection and cybersecurity, PowerSchool was one of the first software companies to commit to CISA’s voluntary pledge to design products with greater security built in. Companies signing the pledge publicly agree to take ownership of customer security outcomes, embrace radical transparency and accountability, and lead from the top by making secure technology a key priority for leadership.

You can find more information on PowerSchool’s company commitment to data privacy here, and on our commitment to data interoperability, made by signing 1EdTech’s TrustEd Apps Pledge (formerly IMS Global’s Standards First Pledge), here.

Critical Solutions for Secure Data: Connected Intelligence by PowerSchool

We believe that the safe collection and management of student data is essential to student success within the 21st-century digital classroom. Connected Intelligence by PowerSchool is the first fully managed, secure data as a service (DaaS) platform for K-12. Connected Intelligence maximizes district data security and provides secure data access in a single location, supporting districts in adopting data security best practices recommended by the federal Cybersecurity and Infrastructure Agency (CISA):

  1. End use of unsupported/end-of-life software and hardware accessible from the internet

Any data that is being accessed by antiquated systems, on desktop databases, or through spreadsheets can be loaded into Connected Intelligence for safekeeping and secure distribution.

  2. Ensure the ability to reconstitute critical systems

Connected Intelligence aggregates all district data securely in one place. If a cyber-attack occurs, sensitive data is safe and can be quickly restored. Even during an attack, essential data can be queried and used for emergency purposes.

A Team Effort to Improve Cybersecurity  

Current actions superintendents can take at this point in the State and Local Cybersecurity Grant Program process are to:

  • Advocate to your state to apply for funds
  • Serve on your state’s cybersecurity plan development committee
  • Stay posted for the opportunity to apply to the state for a sub-grant

Improving cybersecurity is a continuing challenge for school and district leaders. The grant program provides an opportunity to meet that challenge. By partnering with an experienced, industry-leading edtech company, you can be better prepared to take advantage of those funds to proactively improve your security defenses to reduce your risk today and into the future.

The Need for Data as a Service (DaaS) in K-12: Bringing Disparate Data Together Securely

Lift the burden of data storage, management, processing, and operations. Learn how the right DaaS platform can give you instant access to all your data—securely.
