K12 SIX Submits Comments on Proposed K-12 Cyber Incident Reporting Regulations

On May 8, 2024, the K12 Security Information eXchange (K12 SIX) submitted comments in response to the publication of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Notice of Proposed Rulemaking. The proposed regulation would institute federal cyber incident reporting requirements on the K-12 sector for the first time.

K12 SIX serves as the national non-profit information sharing and analysis center for the K-12 education facilities critical infrastructure subsector. Launched in late 2020 as a subsidiary of the Global Resilience Federation, K12 SIX members include public and private school systems of all sizes, regional education agencies (ESAs), and state departments of education (SEAs). Collectively, the K12 SIX membership serves millions of students from coast to coast. In addition to multi-directional information sharing, K12 SIX develops school-specific best practices and guidance, provides professional development to K-12 IT leaders, and advocates for the cybersecurity needs of the sector.

In short, K12 SIX is supportive of the aims of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and views the proposed regulations as enabling foundational information infrastructure for national civil cyber defense.

A lack of actionable and timely information on K-12 cyber incidents has made it exceedingly difficult for federal and state policymakers to ascertain trends in the scope and severity of the cybersecurity challenge, has hindered law enforcement effectiveness, and has put school community members—including students, families, and educators—at avoidable risk of identity theft and credit/tax fraud. Moreover, it has allowed overseas threat actors to systematically exploit vulnerabilities in commonly implemented technologies found in U.S. public school systems to deploy ransomware and extort millions of taxpayer dollars from victims.

In submitted comments, K12 SIX offered feedback on issues with CIRCIA implementation specific to the K-12 education facilities critical infrastructure subsector. Other interested parties may submit comments on the CIRCIA NPRM through July 3, 2024, by following directions here.
