CoSN: 2021 State and Federal Cybersecurity Policy Trends: Insights for Education Technology Leaders & Policymakers

CoSN: 2021 State and Federal Cybersecurity Policy Trends: Insights for Education Technology Leaders & Policymakers

CoSN Cybersecurity Legislation Year in Review December 2021

Executive Summary

State leaders’ desire to help schools and higher education institutions better defend themselves from cyberattacks expanded significantly in 2021. Legislators in 40 states introduced at least 170 cybersecurity bills that focused directly or indirectly on the education sector. That growth represents a major increase in legislative activity compared to 2020 when state leaders introduced only 87 comparable cybersecurity bills. Fifty-one of the 2021 bills – in 30 states – became law. The new laws revealed several national trends, including policies focused on required incident reporting, state governance changes, dedicated state agency funding, required state planning, and creating exemptions from the state “sunshine laws” for sensitive cybersecurity information.

Federal leaders’ interest in expanding cybersecurity enhancements, including for schools and higher education institutions, also increased in 2021. Legislators introduced at least 19 federal bills with cybersecurity provisions that directly or indirectly apply to the education sector compared to 10 such bills in 2020. Congress approved and President Biden signed two bills into law that have significant cybersecurity provisions relevant to education leaders: the K-12 Cybersecurity Act of 2021 (P.L.117-47); and the Infrastructure Investment and Jobs Act (P.L.117-58). The new federal laws include provisions designed to gather additional information about the cyber threat facing schools, produce new technical assistance materials for the field, and invest in state and local cybersecurity capacity building.

The proliferation of education cybersecurity bills and laws in 2021 is no surprise given the serious and persistent attacks on schools and other education entities and the massive operational and privacy consequences the attacks leave behind. Cyberattacks on school districts and other education entities remain a major threat to the nation’s education systems and confidential data. The Cybersecurity & Infrastructure Security Agency (CISA) said in August 2021 that “[m]alicious cyber activity is on the rise across the United States and it is impacting organizations of all sizes and in all sectors.” CISA added that “[n]umerous reports of cyberattacks against K-12 educational institutions continue to be reported to CISA, FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC).”1Similarly, an October 2021 Government Accountability Office (GAO) report said that “K-12 schools across the nation face a range of cybersecurity threats and [f]rom 2018 to the present, schools in most states have reported cyberattacks on their systems.” The GAO report also said the U.S. Department of Education “should take additional steps to help protect k-12 schools from cyber threats.”2

The full report that follows below highlights 2021 state and federal cybersecurity policy trends and provides an inventory of new cybersecurity laws and legislation. Like CoSN’s 2020 cybersecurity legislation report, this paper seeks to inform policymakers and education technology leaders about the changing cybersecurity legislative landscape, so that they can take advantage of new resources and programs and learn about cybersecurity policy strategies proposed or adopted by other jurisdictions.