Checking the Checkboxes: NIST Cybersecurity Framework

Checklists are widely recognized as important tools for many professions. Atal Gawande, a surgeon and the author of The Checklist Manifesto: How to Get Things Right, writes about checklists used in medicine and aviation to achieve better and safer results by ensuring that all necessary steps in a process, no matter how small, are completed. The checklist principle can by applied technology in K-12 schools and specifically to the area of cybersecurity.

Cybersecurity issues are regularly in the news, as illustrated by the number of incidents (681 at the time of this post) reported on the K12 Cyber Incident Map. The quantity of incidents increases each year, and it is the responsibility of the school district technology leader to ensure that either these incidents do not happen in the first place, or that the impact on people, time, and money is lessened. For many of the same reasons that medicine and aviation professionals adopted checklists, technology leaders should consider adopting a checklist like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which provides the functions, categories, and subcategories to form a high-level checklist of cybersecurity measures needed at an organizational level. The 5 major functions of the framework are Identify, Protect, Detect, Respond, and Recover and there are 23 categories and 108 sub-categories. This is the ultimate checklist for cybersecurity.

The checklist is complex, and several organizations provide free resources to help technology leaders to understand and apply the framework. The Center for Internet Security (CIS) has a set of tools, controls, and benchmarks that can be used to help identify, protect, detect, respond and recover. CIS SecureSuite provides free membership to schools that include tools, resources, and webinars. The Multi-State Information Sharing & Analysis Center (MS-ISAC) is also available through CIS, and it provides advisories and notifications, webcasts, malicious domains/ip reports, and awareness/education materials.

Additional ways to learn about ways to begin checking the checkboxes of the NIST CSF are to attend workshops and conferences that are offered by organizations such as the Learning Technology Center (LTC), Illinois Education Technology Leaders (IETL, State Chapter of COSN), and Illinois Digital Educators Association (IDEA, formerly ICE and is the State Chapter of ISTE). In addition to learning about ideas and discovering resources, another reason to attend professional learning events is to build a network of people who are encountering and sharing many of the same experiences.

To give you a headstart, here is a checklist of items that you can use to begin the process of learning more about the NIST Cybersecurity Framework, so you can start checking the checkboxes and make an impact on your school environment.

Build Your Network

• Join the LTC Community, specifically the  Data and Security Group
• Reach out to me at cwherley@ltcillinois.org with questions, comments, resources, and/or concerns.

Research and Learn

• Visit the Center for Internet Security
• Read reports from Nationwide Cybersecurity Review –
• Explore Cyber Resilience Review
• Learn about NIST CSF
• Use the NIST CSF Google Sheet
• Browse the K12 Cyber Incident Map

Sign Up for Memberships

• Sign up for a CIS SecureSuite Membership
• Join MS-ISAC
• Sign up for the K12 CyberSecure Newsletter

Attend Professional Learning Events

• Watch the LTC’s on demand webinar, Checking the Checkboxes: NIST Cybersecurity Framework
• Request access to a free month of CBT Nuggets from the LTC
• Present, register, and attend SecurED Schools (January 2020)
• Attend Illinois Education and Technology Conference in Springfield (November)
• Attend IDEA Cybersecurity event (September)
• Attend CoSN’s Cybersecurity event (October)
• Attend IDEACon in Schaumburg (February 2020)