Blog

There Ought To Be a Law: Texas SB 820 Mandates Cybersecurity for Schools

Ted Gruenloh
CEO @ Nomic Networks
May 2, 2022

We advocate for the little guy when it comes to cybersecurity. And, when it comes to underfunded, understaffed, and overloaded networks – school districts can be the littlest guy of all. However, it doesn’t take a parent to know that protecting the digital information of children is important, or that it can’t be left in just anyone’s hands. Texas Senate Bill 820 seeks to remediate that problem by requiring some cybersecurity oversight in K-12 schools, but we just ask – are those schools equipped to implement a laundry list of technical requirements? If not, we can help.

Key cybersecurity challenges for K-12 schools

There are a few crucial challenges facing “schools as IT departments”. First of all, many school districts don’t necessarily have one to speak of, or if they do, they’re woefully understaffed. For example, one of our customer’s technical point of contact is the school principal; the second POC is a teacher. When a CISO and System Administrator are their counterparts in the private sector, educators-turned-cyber-staff certainly have their work cut out for them. Too much, some might say.

The second challenge (and an eternal one): school districts are notoriously underfunded, so hiring a new IT department en masse would be challenging at best. Try vying for a pen tester when some districts can’t even afford pencils (or iPads, rather). It’s a tough job, and unfortunately this bill didn’t come with any additional funding. So, even though the new requirements are a start, schools that are already ill-equipped to deal with cyber challenges are also not able to afford new talent that can.

And, school networks are massive. With everyone doing some form of online schooling now – be it grading, virtual classrooms or just turning in homework – the networks in school districts are actually some of the biggest and most complicated you’ll see. There’s tons of traffic, heavy connections, a plethora of connected devices from the students and teachers, and a largely non-technical support staff left to deal with the security implications of it all. Large companies would be challenged to keep up with an environment of this scope; underfunded, understaffed and non-cyber savvy school administrators face a daunting task.

What is the Texas Senate Bill 820?

Texas Senate Bill (SB) 820 was a bill passed in May 2019 and slated to take effect in September 2019, just before the pandemic hit and the world changed. Now that we’re nearly post-pandemic (knock on wood), we know firsthand how vital those security controls are – especially when they involve the sensitive information of our children. Texas SB 820 acknowledges the cyber threats, risks and costs of having entire schools operating online and seeks to offset that danger by implementing the following three guidelines. School districts must:

  • Have a cybersecurity policy that does not conflict with the Texas Cybersecurity Framework
  • Appoint a coordinator (a district contact that is a liaison to the TEA, or the larger Texas educational organization)
  • Report any cybersecurity incidents to the TEA

Sounds simple enough. However, creating a framework without cybersecurity expertise (even one based off a known framework) can be challenging. Implementing it can be even harder. But we’ll get into how to deal with that later.

If you’re not in Texas, should you care? The short answer is yes, why not? It can only be good for when cybersecurity threats come to a school district near you, and although this one does point to the Texas Cybersecurity Framework specifically, the same lessons can be learned. Schools are no exception – and should probably be the first priority – in securing against cyber threats, using NIST-based standards (of which the TCF is one).

Along these lines, Texas House Bill 3834 states that state employees must complete mandatory cybersecurity awareness training from a list of approved programs. These programs can be helpful to give an initial cyber overview to teachers and school admins as well.

What is the Texas Cybersecurity Framework?

The Texas Cybersecurity Framework is the standard that must not be crossed when making your cybersecurity policy, as stated in Senate Bill 820 (see above). It’s based on NIST principles and follows the same guidelines. The five basic categories are:

  • IDENTIFY. Find out what assets are on your network and what you need to protect.
  • PROTECT. Get the right tooling in place to secure your assets (devices, logins, systems, use of encryption)
  • DETECT. Monitor for malware and other threats, and test for vulnerabilities.
  • RESPOND. What is your incident response plan in case of attack? It should include all phases from investigation to resolution.
  • RECOVER. What disaster recovery procedures are in place? How will you recover lost data?

The framework gives you a 0-5 rating on how well you perform in each category, and then divides out into 48 specific security recommendations. The problem is, without any further prioritization or sense of where to start, school admins could be looking at a laundry list of jargon without their mouths gaping open. That’s where advice from Sentinel can come in.

What you can do, and how Sentinel IPS can help

Here’s what we recommend. First of all, those 48 recommendations within the Texas Cybersecurity Framework are useful only if you know what to do with them, so here’s how you can prioritize.

The Center for Internet Security (CIS) offers Critical Security Controls. Take advantage of them. Prioritize your action steps (all 48 of them) based on CIS requirements, and don’t worry; it’s based on NIST, just like the Texas Cybersecurity Framework, so you won’t run afoul of the rules.

CIS Controls break down into three Implementation Groups, or IGs, which act as a roadmap for applying those controls. Useful. So, start at IG1, which covers “essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises.” It is described as “the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.” You use the Safeguards in IG1 to establish baselines for where you are in your cyber hygiene. It helps you:

  • Know what’s on your network
  • Know what systems are patched
  • Just get a good overview of the assets you’re working with, where they are and what you need to protect.

And, it gives you a good starting point. A while back, Sentinel cracked some cases in which IG1 implementations could have saved the day before we did. From a high volume of spyware at a school district to suspected Mirai-based events at a state agency in Texas, all parties involved could have benefited from the Safeguards of IG1. If you’re a school district trying to make sense of all this, it’s a great place to start.

Also, Sentinel is here to help. Like we said, we advocate for the little guy in cybersecurity, and when it comes to small organizations with big, complex networks, school districts are at the top of the list. We can sit down with you and help you know where to start. We can go through the list with you and get things checked off. We‘ve got the tools and we’ve got the talent, but at the end of the day, just avail yourself of whatever means necessary to understand the cybersecurity protocols, make them less complicated, and stay on the right side of Texas Senate Bill 820. After all, you could say Sentinel and school districts are in the same business – protecting the little guy.

Ted Gruenloh
CEO @ Nomic Networks

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.

Subscribe to our newsletter
By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.