NIST CSF tuned for K12 (and adding K12 SIX Essential Protections under Protect)

1. NIST CSF review – Essential Protections
(a K12 perspective)
cyberframework@nist.gov
adapted by April Mardock

2. Example Attacks in the K12 Space
Ransomware
Moses Lake SD (WA)
Bigfork Public Schools (MT)
Fairfax County SD (VA)
Toledo Public Schools (OH)**
Clark County SD (NV)*
Baltimore County SD (MD)
Results:
Hijacks of district resources, like systems, networks and
data (examples also include bitcoin mining operations in
schools, IoT botnet infections, and Denial of Service
attacks). Damage to student credit; exfiltration.

3. Why the NIST CSF (Cybersecurity Framework)
• Five key pillars of a successful
and wholistic cybersecurity
program
• Aid organizations in
expressing their management
of cybersecurity risk at a high
level
3

4. NIST CSF (Cybersecurity Framework)
Function Category ID
What processes and assets
need protection? Identify
Asset Management ID.AM
Business Environment ID.BE
Governance ID.GV
Risk Assessment ID.RA
Risk Management Strategy ID.RM
Supply Chain Risk Management ID.SC
What safeguards are
available?
Protect
Identity Management & Access Control PR.AC
Awareness and Training PR.AT
Data Security PR.DS
Information Protection Processes & Procedures PR.IP
Maintenance PR.MA
Protective Technology PR.PT
What techniques can identify
incidents?
Detect
Anomalies and Events DE.AE
Security Continuous Monitoring DE.CM
Detection Processes DE.DP
What techniques can contain
impacts of incidents?
Respond
Response Planning RS.RP
Communications RS.CO
Analysis RS.AN
Mitigation RS.MI
Improvements RS.IM
What techniques can restore
capabilities?
Recover
Recovery Planning RC.RP
Improvements RC.IM
Communications RC.CO

5. NIST CSF (Cybersecurity Framework) version 1.1
Maturity Models
K12 Six Modified Example – Install Security Updates
Tier 1/At Risk: applies critical patches after more than 90 days
Tier 2/Baseline: applies critical patches <90 days for operating systems, applications, servers, & appliances
Tier 3/Good: applies critical patches <60 days for operating systems, applications, servers, & appliances
Tier 4/Better: applies critical patches <30 days for operating systems, applications, servers, & appliances, and
out of compliance/unpatched devices are mitigated

6. The Identify Function – What needs Protecting?
The Identify Function assists in developing an organizational
understanding of managing cybersecurity risk to systems,
people, assets, data, and capabilities
6
Example Outcomes:
• Identifying physical and software assets
to establish an Asset Management
program
• Identifying district Worry Indexes =
%impact x %probability
• Identifying a Risk Management Strategy
for the organization

7. My Top 3 Identify Tasks
7
Assess Your Risks – Go take a Cybersecurity Assessment on
behalf of your district. Then use it to prioritize your work.
K12six Essentials – basic/basline assessment
https://www.k12six.org/self-assessment
CIS controls self assessment - intermediate assessment
https://learn.cisecurity.org/cis-cat-lite
Nist CSF self assessment – advanced assessment
https://k12cybersecure.com/resources/k-12-cybersecurity-
self-assessment/
and (tuned for medical but quite useful)
https://www.montgomerymedicine.org/members/learningdoc
s/cyber-security-self-assessment-tool.docx
Inventory your stuff: Build an inventory of all your systems and
devices, both on premise and in the cloud. Then mark them as
high, medium and low priority.
Do an external vulnerability scan: Use a 3rd party to scan your
district from the outside, helping you identify critical or high
priority vulnerabilities you should address immediately.

8. The Protect Function – Leveraging Safeguards
The Protect Function supports the ability to limit or contain the
impact of potential cybersecurity events and outlines safeguards
for delivery of critical services
8
Example Outcomes:
• Establishing Data Security protection to
protect the confidentiality, integrity, and
availability
• Managing Protective Technology to ensure
the security and resilience of systems and
assists
• Empowering staff within the organization
through Awareness and Training

9. My Top 3 Protect Tasks
Restrict Local Admin Rights on user devices by
default. Create other accounts or mechanisms for
this function.
Block internet downloaded o365 Macros via GPO
or other global mechanism. Microsoft hasn’t fixed this
by default for Office 2013, 2016, 2019 or 2021 yet.
Automatically Patch Operating Systems, Apps and
Appliances Wherever Possible (stagger Dev and
Prod)

10. Essential K12
“Protect” Cyber Controls
https://assess.k12six.org

11. The Detect Function – Identify the incident!
The Detect Function defines the appropriate activities to identify
the occurrence of a cybersecurity event in a timely manner
11
Example Outcomes:
• Implementing Security Continuous
Monitoring capabilities to monitor
cybersecurity events
• Ensuring Anomalies and Events are
detected, and their potential impact is
understood
• Verifying the effectiveness of protective
measures

12. My Top 3 Detect Tasks
Detection after hours – What are you doing for nights and
weekend detections of incidents? MSSP? Automation?
Benchmarks – Do you know what normal looks like in your logs
and in your traffic? Not just volume, but types, ports, and
destinations?
Windows Defender Works! – add A3+Security to get ATP +
Sentinel SIEM and new auto-detection and isolation response
tools for your Microsoft systems (on-prem and in the cloud). I do
recommend enabling tamper protection and/or disabling admin
rights for users though, so defender can’t be disabled easily.

13. The Respond Function – Contain the Impact
The Respond Function includes appropriate activities to take action regarding a
detected cybersecurity incident to minimize impact
13
Example Outcomes:
• Ensuring Response Planning
processes are executed during and
after an incident
• Managing Communications during and
after an event
• Analyzing effectiveness of response
activities

14. My Top 3 Respond Tasks
Automate your isolation responses! – If something
smells fishy, isolate it immediately by disabling the
device and/or the account and then investigate.
Attacks move too fast to wait. Give your MSSP the
ability to isolate also. Script and automate. SOAR.
Document EVERYTHING – You should extracting
every log you can, AND recording every action you
take during the incident. It’ll be important for forensics
both during the event and after.
Alert Fatigue – You can’t respond if you aren’t
watching the events. Spend the time to tune out the
false positives

15. The Recover Function - Restoring Service
The Recover Function identifies appropriate activities to maintain
plans for resilience and to restore services impaired during
cybersecurity incidents
15
Example Outcomes:
• Ensuring the organization implements
Recovery Planning processes and
procedures
• Implementing improvements based on
lessons learned
• Coordinating communications during
recovery activities

16. My Top 3 Recover Tasks
Test and Update your Recovery Plans – To fail to plan is to plan
to fail; but to fail to TEST your plans and backups creates a false
sense of security.
Test and Update the Incident Response Plan – Your (offline)
incident response plan should be updated regularly (Perhaps add
FBI and law enforcement contacts? Cyber insurance contact?
State CISO? Your team SME home numbers?).
Work with Legal to PRE-approve emergency communication
templates – Use a tabletalk session with legal and cabinet to talk
through communication strategies and templates for the school
board, press, families, teachers, the community, and other
stakeholders. Tabletalks help IT practice too.

17. Framework for Improving Critical Infrastructure Cybersecurity and
related news, information:
www.nist.gov/cyberframework
Additional cybersecurity resources: http://csrc.nist.gov/ and
https://studentprivacy.ed.gov/topic/security-best-practices
NIST questions, comments, ideas : cyberframework@nist.gov
And k12 application questions: april.mardock@gmail.com
*K12 SIX is also offering free virtual CISO office hours for members
Resources
Where to Learn More and Stay Current
17

18.  Join an information sharing group (K12 SIX, MS-ISAC, InfraGuard, …)
 Ask your Peers (ACPE discord, OpSecEdu Slack, K12 SIX-Portal, …)
 Share! (templates, script snippets, board policies, …)
Questions for me?
Additional Resources
Where to Learn More and Stay Current
18