[House Report 117-122] [From the U.S. Government Publishing Office] 117th Congress } { Report HOUSE OF REPRESENTATIVES 1st Session } { 117-122 ====================================================================== K-12 CYBERSECURITY ACT OF 2021 _______ September 14, 2021.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Thompson of Mississippi, from the Committee on Homeland Security, submitted the following R E P O R T [To accompany H.R. 4691] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 4691) to establish a K-12 education cybersecurity initiative, and for other purposes, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass. CONTENTS Page Purpose and Summary.............................................. 1 Background and Need for Legislation.............................. 2 Hearings......................................................... 3 Committee Consideration.......................................... 3 Committee Votes.................................................. 3 Committee Oversight Findings..................................... 3 C.B.O. Estimate, New Budget Authority, Entitlement Authority, and Tax Expenditures............................................... 4 Federal Mandates Statement....................................... 5 Duplicative Federal Programs..................................... 5 Statement of General Performance Goals and Objectives............ 5 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits Advisory Committee Statement.......................... 5 Applicability to Legislative Branch.............................. 5 Section-by-Section Analysis of the Legislation................... 5 PURPOSE AND SUMMARY H.R. 4691, the ``K-12 Cybersecurity Act'' requires the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study of the cybersecurity risks facing K-12 educational institutions, in consultation with teachers, school administrators, other Federal agencies, and private sector organizations. The bill further directs CISA to develop recommendations based on this study, including cybersecurity guidelines for K-12 educational institutions and an online training toolkit with information on the guidelines and how to implement them. Additionally, the bill requires CISA to make the study, recommendations, and online toolkit publicly available on the Department of Homeland Security's (DHS) website. BACKGROUND AND NEED FOR LEGISLATION K-12 educational institutions have experienced an increasing number of cyber incidents in recent years. According to one report, in 2020, there were 408 publicly disclosed cyber incidents at schools in the United States, an 18 percent increase over the prior year and the highest level since the tracking of incidents began in 2016.\1\ Additionally, the number of incidents was higher in the second half of 2020, as many schools were operating remotely due to the COVID-19 pandemic, creating new cyber risks, including disruptions to online classes and online school meetings.\2\ The Multi-State Information Sharing and Analysis Center (MS-ISAC) projects the number of K-12 cyber incidents could increase by 86 percent in 2021.\3\ The Federal Government has recognized this growing threat, and in December 2020, CISA, the MS-ISAC, and the Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory detailing the cyber threats to K-12 educational institutions and providing best practices to protect against cyber incidents.\4\ --------------------------------------------------------------------------- \1\Douglas A. Levin, The State of K-12 Cybersecurity: 2020 Year in Review, EdTech Strategies/K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, (March 10, 2021), p. 3, Available at https://k12cybersecure.com/year-in-review/. \2\Id. \3\Joseph Marks, ``The Cybersecurity 202: Schools Are Another Prime Ransomware Target,'' The Washington Post, (July 12, 2021), Available at https://www.washingtonpost.com/politics/2021/07/12/cybersecurity-202- schools-are-another-prime-ransomware-target/. \4\Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center, Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data, (Dec. 10, 2020), Available at https://us-cert.cisa.gov/sites/default/files/publications/AA20- 345A_Joint_Cybersecurity_Advisory_Distance_ Learning_S508C.pdf. --------------------------------------------------------------------------- Cyber incidents at K-12 educational institutions can have a major impact on schools' ability to operate, can cause significant financial losses, and can put at risk student and employee privacy. For example, after the Broward County School District in Florida refused to pay a $40 million ransom demand, the ransomware group Conti posted 26,000 files online, including the name of a 9-year-old student being evaluated for a disability.\5\ In another incident, Haverhill Public Schools in Massachusetts were forced to close for a day, canceling remote classes and delaying the return of in-person instruction for some grades due a ransomware attack that disrupted the districts' networks.\6\ Furthermore, in November 2020, a ransomware incident shut down Baltimore County schools for two days for 111,000 students and cost the district at least $7.7 million to respond and recover from the attack.\7\ --------------------------------------------------------------------------- \5\Scott Travis, ``Hackers Post 26,000 Broward School Files Online,'' South Florida Sun-Sentinel, (April 19, 2021), Available at https://www.sun-sentinel.com/news/education/fl-ne-broward-schools- hackers-post-files-20210419-mypt2qtlc5a7xela4x6bcg5hdy-story.html. \6\Mike LaBella, ``Haverhill Schools Hit by Ransomware,'' The Eagle-Tribune, (April 7, 2021), Available at https:// www.eagletribune.com/news/haverhill/haverhill-schools-hit-by- ransomware/article_763617ee-9735-5f74-82f8-9ddbe38ec363.html. \7\Lillian Reed, ``Cost of Ransomware Attack on Baltimore County Public Schools Climbs to $7.7M,'' The Baltimore Sun, (June 11, 2021), Available at https://www.baltimoresun.com/education/bs-md-ransomware- cost-schools-20210609-20210611-6fipdck3h5b5peli6vgbgfsqyy-story.html. --------------------------------------------------------------------------- To assist K-12 educational institutions' efforts to enhance their cybersecurity, the ``K-12 Cybersecurity Act'' requires CISA to conduct a study of the cybersecurity risks facing K-12 educational institutions and develop recommendations based on that study. By developing an online training toolkit for schools, and making the study and recommendations publicly available, CISA will be able to provide K-12 educational institutions with information they can use to better protect their networks and reduce their cybersecurity risk. The Senate Homeland Security and Governmental Affairs Committee favorably reported an identical bill authored by Senator Gary C. Peters of Michigan, S. 1917, by voice vote on July 14, 2021. It passed the Senate by unanimous consent on August 9, 2021. HEARINGS For the purposes of clause 3(c)(6) of rule XIII of the Rules of the House of Representatives, the following hearing was used to develop H.R. 4691: The Committee did not hold a legislative hearing on H.R. 4691 in the 117th Congress. However, the legislation was informed by an oversight hearing on May 5, 2021. The Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation held a hearing entitled, ``Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.'' The Subcommittee received testimony from Maj. Gen. John Davis (Ret.), Vice President and Federal Chief Security Officer at Palo Alto Networks; Ms. Megan Stifel, Executive Director, Americas at the Global Cyber Alliance; Mr. Denis Goulet, Commissioner, Department of Information Technology and Chief Information Officer, State of New Hampshire (on behalf of the National Association of State Chief Information Officers); and Mr. Christopher Krebs, former Director, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security. COMMITTEE CONSIDERATION The Committee met on July 28, 2021, a quorum being present, to consider H.R. 4691 and ordered the measure to be favorably reported to the House, without amendment, by voice vote. COMMITTEE VOTES Clause 3(b) of rule XIII requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of H.R. 4691. COMMITTEE OVERSIGHT FINDINGS In compliance with clause 3(c)(1) of rule XIII, the Committee advises that the findings and recommendations of the Committee, based on oversight activities under clause 2(b)(1) of rule X, are incorporated in the descriptive portions of this report. CONGRESSIONAL BUDGET OFFICE ESTIMATE, NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES With respect to the requirements of clause 3(c)(2) of rule XIII and section 308(a) of the Congressional Budget Act of 1974, and with respect to the requirements of clause 3(c)(3) of rule XIII and section 402 of the Congressional Budget Act of 1974, the Committee adopts as its own the estimate of any new budget authority, spending authority, credit authority, or an increase or decrease in revenues or tax expenditures contained in the cost estimate prepared by the Director of the Congressional Budget Office. U.S. Congress, Congressional Budget Office, Washington, DC, August 10, 2021. Hon. Bennie G. Thompson, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 4691, the K-12 Cybersecurity Act of 2021. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Aldo Prosperi. Sincerely, Phillip L. Swagel, Director. Enclosure.H.R. 4691 would require the Cybersecurity and Infrastructure Security Agency (CISA) to study cybersecurity challenges that are unique to primary and secondary schools, such as safeguarding student records and securing remote- learning technology. The bill also would require CISA to make available on a public website its recommendations on how schools can mitigate cybersecurity threats and vulnerabilities. On the basis of information from CISA about the costs of similar activities, CBO estimates that staff salaries and other expenses to produce the required study and recommendations would be less than $500,000 over the 2021-2026 period. Such spending would be subject to the availability of appropriations. For this estimate, CBO assumes that the bill will be enacted in fiscal year 2021. Under that assumption, CISA could incur some costs in 2021, but CBO expects that most of the costs would be incurred in 2022 and later. On July 21, 2021, CBO transmitted a cost estimate for S. 1917, the K-12 Cybersecurity Act of 2021, as ordered reported by the Senate Committee on Homeland Security and Governmental Affairs on July 14, 2021. The two bills are similar, and CBO's estimates of their costs are the same. The CBO staff contact for this estimate is Aldo Prosperi. The estimate was reviewed by Leo Lex, Deputy Director of Budget Analysis. FEDERAL MANDATES STATEMENT The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. DUPLICATIVE FEDERAL PROGRAMS Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 4691 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES Pursuant to clause 3(c)(4) of rule XIII, the objective of H.R. 4691 is to direct the Cybersecurity and Infrastructure Security Agency to study the specific cybersecurity risks facing K-12 educational institutions and to develop cybersecurity recommendations to assist K-12 educational institutions in securing their information systems and records. CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS ADVISORY COMMITTEE STATEMENT In compliance with rule XXI, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(d), 9(e), or 9(f) of rule XXI. APPLICABILITY TO LEGISLATIVE BRANCH The Committee finds that H.R. 4691 does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION Section 1. Short Title. This section states that the Act may be cited as the ``K-12 Cybersecurity Act of 2021''. Sec. 2. Findings. This section provides congressional findings that K-12 educational institutions in the United States are facing cyber attacks, that these cyber attacks put at risk the disclosure of sensitive student and employee information, and that providing resources to K-12 educational institutions will help them prevent, detect, and respond to cyber events. Sec. 3. K-12 Education Cybersecurity Initiative. Subsection (a) defines the terms ``cybersecurity risk,'' ``director,'' ``information system,'' and ``K-12 educational institutions.'' Subsection (b) directs the CISA Director to conduct a study within 120 days on the cybersecurity risks facing K-12 educational institutions. The study will consider how cybersecurity risks impact K-12 educational institutions and will evaluate the challenges K-12 educational institutions face in securing systems and records and in implementing cybersecurity protocols. It will also identify the cybersecurity challenges in remote learning and will evaluate the most accessible ways to communicate cybersecurity recommendations and tools. The Committee expects the study to consider the unique cybersecurity risks facing rural and small K-12 educational institutions. Within 120 days of enactment, CISA must brief Congress on its findings. Subsection (c) requires the CISA Director to develop, within 60 days of the study's completion, recommendations based on the study, including cybersecurity guidelines for K-12 educational institutions. Subsection (d) requires the CISA Director to develop, within 120 days of the completion of the development of the recommendations, an online training toolkit for K-12 educational institutions to assist in implementing the recommendations. Subsection (e) requires the CISA Director to make the findings of the study, the cybersecurity recommendations, and the online training toolkit publicly available on the Department of Homeland Security's website. Subsection (f) clarifies that use of the cybersecurity recommendations is voluntary. Subsection (g) directs the CISA Director to consult with teachers, school administrators, Federal agencies, non-Federal cybersecurity agencies with experience in education issues, and private sector organizations while conducting the required study and developing the cybersecurity recommendations. It also exempts those consultations from the Federal Advisory Committee Act.