K-12 Cybersecurity Funding: What Districts Need to Know

April 18, 2024 by Shauna Seaver

News headlines across the country tell the same troubling story — school districts are a prime target for cyberattacks. More than 1,600 cyberattacks impacted public K-12 school districts between 2016 and 2022 [1] — and that total is likely an underestimate, as many districts are hesitant to report incidents publicly. Downtime that results from a cyberattack can range from three days to three weeks [2], meaning both monetary losses and lost learning time for students. With the average ransomware demand rapidly increasing, the financial gain for bad actors targeting schools is significant. The national average cyber ransom demand reached $1.54 million in 2023 [3] — more than double the average of the prior year.

While many districts already have some cybersecurity measures in place, in many cases they may be insufficient to fully protect the sensitive data districts handle every day. The potential vulnerabilities are often too widespread for an internal IT department to combat, making state and federal guidance and funding for school cybersecurity programs especially valuable.

What funding is available?

Schools and Libraries Cybersecurity Pilot Program

In June 2024, the FCC approved the $200 million Schools and Libraries Cybersecurity Pilot Program [4] to help fund the cybersecurity services and equipment schools and libraries need most to protect their data. Advanced/next-generation firewalls, endpoint protection and authentication, and services for monitoring, detection, and response will be eligible for reimbursement. With this announcement, the FCC released an overview of eligibility requirements, the application process, and selection criteria to help potential applicants understand the program and prepare to apply for funding. The pilot program’s application window is slated to open in fall 2024.

What is the goal of the pilot program?

While these funds cannot singlehandedly solve the cybersecurity threats schools face, they can help the FCC gather information to improve program efficacy and funding opportunities. In a statement about the pilot, FCC Chairwoman Jessica Rosenworcel said the goal is “to study and better understand what equipment, services, and tools will help protect school and library broadband networks from cyberthreats … and provide our local, state, and federal government partners with actionable data about the most effective and coordinated way to address this growing problem.”

How is the pilot program funded?

The pilot’s funding comes from the Universal Service Fund, not directly from the E-Rate program. This separation is intended to protect successful school connectivity programs funded by E-Rate while new cybersecurity programs are evaluated. FCC Commissioner Geoffrey Starks said, “This pilot will provide us with the information necessary to analyze whether and how the commission should update our E-Rate program to help schools and libraries help themselves against the ongoing cyber threat.” [6] That means the most effective cybersecurity solutions could be eligible for funding beyond the 3-year pilot program.

State-based funding resources

State cybersecurity grants are primarily funded by the 2021 Infrastructure Investment and Jobs Act, which established the State and Local Cybersecurity Grant Program (SLCGP) to provide $1 billion in funding over four years, ending in fiscal year 2025. All SLCGP funding is overseen by the Department of Homeland Security through its Cybersecurity and Infrastructure Security Agency (CISA) and FEMA. FEMA is responsible for assessing application completeness and applicant eligibility, while CISA will check that program guidelines have been followed and determine if the proposed investments are likely to be effective. SLCGP and other state programs may be managed by local or statewide departments of homeland security or emergency management offices. Funding is available in all states, including Alaska, Georgia, Illinois, Indiana, Massachusetts, Montana, New Mexico, Oregon, and Washington. You can find more information about SLCGP and other state-based programs at your state’s .gov website. Some examples of other programs include:

Who can apply for SLCGP funding?

SLCGP funding can be passed to schools, but districts cannot apply for it directly. State Administrative Agencies (SAAs) for states and territories, such as departments of homeland security, are the only eligible direct applicants for SLCGP. It is their responsibility to ensure at least 80% of the funds are passed through to local entities, including school districts. Check your state’s .gov website to learn more about funding availability and established cybersecurity plans. While some states have chosen to pass 100% of funds to local governments, others have established more formal application processes.

How is SLCGP eligibility determined?

To be eligible for SLCGP funding, SAAs must already have a CISA-approved cybersecurity plan, committee list, and charter, or must submit these items according to the criteria of the Notice of Funding Opportunity.

How can district cybersecurity programs be improved?

A layered cybersecurity program involving people, process, and technology is the most effective way to protect school districts. The criteria specified by the SLCGP reflect this — funding may be used to:

  • Develop, revise, or implement a cybersecurity plan, which must be submitted for review to be eligible for grant funding
  • Implement cybersecurity projects
  • Address imminent cybersecurity threats

Cybersecurity plans that follow the people, process, and technology framework are likely to be seen as effective by CISA and, thus, eligible for grant funding. For example, an effective plan is likely to describe staff education programs, risk management processes, and implementation of firewalls, antivirus software, and other technology to help districts detect threats and operate safely.

What cybersecurity solutions does Tyler Technologies offer?

Few cybersecurity program providers specialize in offerings for the public sector, or specifically for the K-12 industry. Tyler Technologies’ cybersecurity solutions can be applied to all areas of a district’s network — not just their Tyler solutions. These solutions are designed specifically for the public sector with a simple user interface that provides meaningful cybersecurity information and solutions for IT teams who are spread thin.

Tyler’s Managed Detection & Response solution collects data from across a district’s entire network to uncover potential vulnerabilities and active threats, alerting districts to help prevent incidents from spreading or impacting their network. The range of services offered is comprehensive and flexible to meet the needs of any district. These include assistance with developing cybersecurity policies, plans, and procedures; delivering live training; supporting risk and compliance management of PCI and PII data; and performing vulnerability assessments, penetration testing, and social engineering engagements.

References:

1: https://www.k12six.org/

2: https://www.cisa.gov/sites/default/files/2023-01/K-12report_FINAL_V2_508c_0.pdf

3: https://www.sophos.com/en-us/content/state-of-ransomware

4: https://docs.fcc.gov/public/attachments/DOC-403037A1.pdf

5: https://docs.fcc.gov/public/attachments/FCC-24-63A2.pdf

6: https://docs.fcc.gov/public/attachments/FCC-24-63A3.pdf
