K-12 Cybersecurity Funding: What Districts Need to Know
April 18, 2024 by Shauna Seaver
News headlines across the country tell the same troubling story — school districts are a prime target for cyberattacks. More than 1,600 cyberattacks impacted public K-12 school districts between 2016 and 20221 — and that total is likely an underestimate, as many districts are hesitant to report incidents publicly. Downtime that results from a cyberattack can range from three days to three weeks2, meaning both monetary losses and lost learning time for students. With the average ransomware demand rapidly increasing, the financial gain for bad actors targeting schools is significant. The national average cyber ransom demand reached an average of $1.54 million in 20233 — more than double the average of the prior year.
While many districts already have some cybersecurity measures in place, in many cases they may be insufficient to fully protect the sensitive data districts handle every day. The potential vulnerabilities are often too widespread for an internal IT department to combat, making state and federal guidance and funding for school cybersecurity programs especially valuable.
What Funding is Available?
The need for school cybersecurity funding is acknowledged more and more each year. For example, in August 2023, the White House announced an FCC proposal to establish a pilot program that would offer $200 million in cybersecurity funding for K-12 school districts. With this program, eligible school districts would be able to apply for funding and receive reimbursement for a variety of initiatives, including purchase of software and services, to strengthen their cybersecurity. While this pilot program has not yet been authorized, existing state-based programs aim to protect schools from cybersecurity risks.
State cybersecurity grants are primarily funded by the 2021 Infrastructure Investment and Jobs Act, which established the State and Local Cybersecurity Grant Program (SLCGP) to provide $1 billion in funding over four years, ending in fiscal year 2025. All SLCGP funding is overseen by the Department of Homeland Security through their Cybersecurity and Infrastructure Security Agency (CISA) and FEMA. FEMA is responsible for assessing application completeness and applicant eligibility, while CISA will check that program guidelines have been followed and determine if the proposed investments are likely to be effective. SLCGP and other state programs may be managed by local or statewide departments of homeland security or emergency management offices. Participating states include Alaska, Georgia, Illinois, Indiana, Massachusetts, Montana, New Mexico, Oregon, and Washington. You can find more information about SLCGP and other state-based programs at your state’s .gov website. Some examples of other programs include:
Who Can Apply for SLCGP Funding?
SLCGP funding can be passed to schools, but districts cannot apply for it directly. State Administrative Agencies (SAAs) for states and territories, such as departments of homeland security, are the only eligible direct applicants for SLCGP. It is their responsibility to ensure at least 80% of the funds are passed through to local entities, including school districts. Check your state’s .gov website to learn more about funding availability and established cybersecurity plans. While some states have chosen to pass 100% of funds to local governments, others have established more formal application processes.
How is SLCGP eligibility determined?
To be eligible for SLCGP funding, SAAs must have an already CISA-approved cybersecurity plan, committee list, and charter, or submit these items according to the criteria of the Notice of Funding Opportunity.
How Can District Cybersecurity Programs be Improved?
A layered cybersecurity program involving people, process, and technology is most effective to protect school districts. This is reflected by the criteria specific by the SLCGP — funding may be used to:
- Develop, revise, or implement a cybersecurity plan, which must be submitted for review to be eligible for grant funding
- Implement cybersecurity projects
- Address imminent cybersecurity threats
Cybersecurity plans that follow the people, process, and technology framework are likely to be seen as effective by CISA and, thus, eligible for grant funding. For example, an effective plan is likely to describe staff education programs, risk management processes, and implementation of firewalls, antivirus software, and other technology to help districts detect threats and operate safely.
What do we offer?
Few cybersecurity program providers specialize in offerings for public sector, and specifically the K-12 industry. Tyler Technologies’ cybersecurity solutions work independently from other Tyler offerings and can be applied to all areas of a district’s network — not just their Tyler solutions. It’s designed specifically for the public sector with a simple user interface that provides meaningful cybersecurity information and solutions for IT teams who are spread thin.
Tyler’s Managed Detection & Response solution collects data from across a district’s entire network to uncover potential vulnerabilities and active threats, alerting districts and preventing incidents from spreading or impacting their network. The range of services offered are comprehensive and flexible to meet the needs of any district. These include assistance with developing cybersecurity policies, plans, and procedures, delivering live training, supporting risk and compliance management of PCI and PII data, and performing vulnerability assessments, penetration testing, and social engineering engagements.
To learn more:
References:
1: https://www.k12six.org/
2: https://www.cisa.gov/sites/default/files/2023-01/K-12report_FINAL_V2_508c_0.pdf
3: https://www.sophos.com/en-us/content/state-of-ransomware