
Cybersecurity seems to be a hot topic in every boardroom and at every level of federal, state and local government. Given the growing threats at home and abroad, as well as the constant barrage of published breaches or ransomware attacks, one can understand the focus by business and government leaders. The federal government has been taking action over the past several years to boost cybersecurity for critical infrastructure, and one can expect this to continue.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a federal law passed in 2022 requiring the reporting of all major cyber-attacks. It directs the Cybersecurity and Infrastructure Security Agency (CISA) to create rules requiring certain organizations, called covered entities, to report significant cyber incidents and ransomware payments to the federal government.
These reports would help:
- Identify and respond faster to widespread cyber threats.
- Spot trends and vulnerabilities across sectors.
- Share threat information widely to prevent similar attacks on others.
Schools should be aware that they may be covered entities under CIRCIA. CISA’s proposed regulations currently treat education facilities — including preK-12 schools — as part of the “Government Facilities” critical infrastructure sector. If final rules follow the proposal, public school districts (often based on size thresholds) would be covered entities that must report. For example, the proposal would require districts with 1,000+ students and all state education agencies to report major incidents. Private K-12 coverage was not included in the proposal but CISA asked for comments on whether to include them.
The rule isn’t final yet, and coverage definitions could change before implementation, but schools are very likely to be included.
Under CIRCIA’s proposed framework, covered entities must report a “covered cyber incident,” which generally means a cyberattack significant enough to materially disrupt operations, compromise data, or impact systems. For example:
- ransomware that disrupts school networks,
- unauthorized access to student/staff data,
- outages that prevent instruction or administrative operations.
CISA will define exact criteria in the final rule, but the proposal includes:
- major service disruptions,
- significant loss of confidentiality, integrity, or availability,
- unauthorized access through cloud or third-party providers.
If the final rule stays close to the proposal, schools will need to report within 72 hours after they reasonably believe a substantial cyber incident has occurred, and within 24 hours of making a ransomware payment to attackers. These deadlines are much faster than those many schools currently use for internal reporting, so planning and rapid assessment processes will be critical.
This change will mean more federal oversight in an area where schools have traditionally handled incident reporting internally or to state education agencies. CIRCIA would add a federal reporting obligation that was never required before. It will also provide better national threat visibility, since reporting incidents to CISA will help build a national picture of cyber threats, improving early warnings for other districts.
To comply with these time-sensitive deadlines, K-12 schools will need:
- Incident detection tools
- Clear incident response plans
- Designated reporting roles and workflows
Even schools not covered initially may want to adopt these practices, because rapid reporting improves resiliency and may be required by state or grant conditions tied to federal cybersecurity funding.
Since CISA’s final rule is expected to take effect in 2026, districts should start preparing now:
✔ Review and update incident response plans
✔ Identify who can make legal determinations about when a reporting clock starts
✔ Train technical staff on what constitutes a “substantial incident”
✔ Review data inventories and critical services to assess impact thresholds
Even if a school isn’t eventually required to report, voluntary reporting to CISA is encouraged because it improves threat intelligence for the whole sector.
In summary, CIRCIA will have a considerable impact on K-12 schools if implemented in its current form. It will likely make federal cyber incident reporting mandatory for many public K-12 districts and agencies. It will require reporting within tight deadlines (72 hours / 24 hours) that have not traditionally been required. It aims to improve national cybersecurity visibility and response through improved reporting. To meet the requirements of CIRCIA, schools will need to update incident response planning and readiness starting well before the rule’s implementation.
CxO Expertise has unparalleled experience in K-12 school district operations, technology, policies and procedures. We can assist your school district in getting prepared for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
Richard Cocchiara is the former Chief Information Security Officer (CISO) for the largest school district in the country, the New York City Department of Education. He is a retired IBM Distinguished Engineer having spent over 30 years helping to minimize and mitigate IT risk at companies and government agencies around the world. He has been featured as a keynote speaker at numerous IT Risk conferences and has been published in several industry publications. He holds patents for IT risk evaluation methodologies.
Peter Quinn is the former Chief Information Officer (CIO) for the New York City Department of Education. He is also the former Chief Information Officer (CIO) for the State of Massachusetts. He is a seasoned six-time CIO, who excels in rectifying dysfunctional business and IT organizations, as well as turning around large-scale failing projects and programs. Mr. Quinn’s expertise extends across retail and commercial banking, credit card services, wealth management, mortgage servicing, mutual fund operations, corporate stock transfer, trust, insurance, and more, both domestically and internationally.