K-12 ed tech providers pledge to improve software security to reduce cyberattacks

The Cybersecurity and Infrastructure Security Agency (CISA) announced on Sept. 5 a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with greater security built in as part of the continued effort to thwart threats to local educational agencies.

“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” CISA Director Jen Easterly said in a statement thanking those companies who had already signed the pledge. “We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

As of Sept. 1, CISA had received commitments from six K-12 software technology providers, including some of the largest providers of K-12 education software in the U.S. — PowerSchool, ClassLink, Clever, GG4L, Instructure and D2L.

The pledge aligns with the White House’s National Cybersecurity Strategy released earlier this year. By participating, manufacturers pledge, among other things, to:

  • Provide single sign-on (SSO) at no extra charge. SSO can improve security by reducing password-based attacks.
  • Provide security audit logs — necessary for monitoring and responding to cybersecurity incidents — at no extra charge to schools.
  • Embrace transparency and accountability by publicly publishing security-relevant statistics and trends, as well as a vulnerability disclosure policy that (1) authorizes testing against all products offered by the manufacturer, (2) provides legal safe harbor that authorizes testing under the policy, and (3) allows public disclosure of vulnerabilities after a set timeline.
  • Publish a Secure by Design roadmap to document how changes are being made to improve customer security, including actions taken to eliminate entire classes of vulnerabilities (e.g. by usage of memory-safe languages, parametrized queries, and web template frameworks).