Key Finding 2: Recognize and actively address resource constraints (part 1)


This unit introduces actionable steps as part of the next level of cybersecurity risk mitigation, focusing on CISA Key Finding 2: Many school districts struggle with insufficient IT resources and cybersecurity capacity. As you learn, work with your cybersecurity team to identify and address resource constraints to further align your school with CISA's Cybersecurity Performance Goals (CPGs). Then work toward developing a mature, long-term cybersecurity plan.

Prioritize CPG alignment

After accomplishing the highest priority recommendations, CISA recommends taking the next step—investing in alignment with the full list of CPGs. CPGs are a voluntary subset of information technology (IT) and operational technology (OT) cybersecurity practices that K-12 schools can implement to meaningfully reduce the likelihood and impact of known risks and poor cyber hygiene practices. They’re intended to:

  • Help establish a common set of fundamental cybersecurity practices.
  • Kickstart the cybersecurity efforts of schools of all sizes.
  • Set a cybersecurity standard for organizations to meet.
  • Reduce overall cybersecurity risk nationwide and across industries.

Next steps

  1. Take a closer look at how the CPGs help with your team's cybersecurity planning. Select one of the recommended actions that you learned about in units 4-6 (Key Finding 1):

    • Implement phishing-resistant multifactor authentication (MFA)
    • Identify and prioritize known security flaws
    • Perform and test backups
    • Minimize exposure to common attacks
    • Develop a cyber incident response plan
    • Create a training and awareness campaign
  2. Use the CISA CPG Checklist to answer these questions, then add any necessary items to your cybersecurity plan:

    • What is the ratio of cost to impact? How does that compare to some of the other CPGs?
    • What are some specific recommended actions to mark this CPG as "Implemented" or "In Progress"?
    • Are there free resources you could leverage to help implement this CPG?

Develop a long-term cybersecurity plan

In tandem with prioritizing alignment to CPGs, CISA also recommends that school leaders work with their cybersecurity team to develop a long-term, unique cybersecurity plan that leverages the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF). The NIST CSF is a set of guidelines and best practices that provide a structured approach for organizations to manage and improve their cybersecurity posture.

A graphic of the NIST Cybersecurity Framework which represents the circular nature of each category: Identify, Protect, Detect, Respond, and Recover.

Source: National Institute of Standards and Technology

The backbone of the Framework is the Core: a set of activities and outcomes organized into categories and aligned to informative references. It's designed to provide a common language for planning and communication between stakeholders. Learn more about each core category with this resource from NIST.

  • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover: Maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Next steps

Consider participating in the free Nationwide Cybersecurity Review (NCSR) as a part of your long-term planning strategy. The NCSR is a no-cost, anonymous, annual self-assessment based on the NIST Cybersecurity Framework. It provides metrics that identify gaps in cybersecurity programs and track progress. It also provides access to incident reporting and cybersecurity resources.

