The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) stipulates that the Cybersecurity and Infrastructure Security Agency (CISA) creates requirements for digital infrastructure owners to report cyber incidents and ransomware payments. This policy and the creation of a more robust reporting system aims to help CISA provide assistance to victims of cyber attacks, analyze cyber threats, and share information about cyber threats with other organizations and individuals at risk. In this document, the Center for Democracy and Technology (CDT) comments on this act by bringing special attention to the issue of cyber threats to K-12 schools and other educational institutions. CDT argues that the cyber threat to educational institutions is particularly unknown and underestimated due to the distributed, cross-jurisdictional nature of the educational system. CDT advocates for CISA to implement three education-oriented reforms: (1) to include K-12 schools and related educational institutions in CIRCIA’s reporting obligations, (2) to adopt rules that account for distributed educational data systems that span diverse public, private, local, state, and federal jurisdictions, and (3) to work with the Department of Education to address the lack of resources that K-12 schools have to meet reporting requirements.
