Policies, People, and Protective Measures: Legal Requirements for K-12 Cybersecurity

Center for Democracy and Technology – Cody Venzke
Some of the basic legal requirements for K-12 cybersecurity are summarized in this CDT brief, along with strategies for compliance and working with vendors and external partners. However, the law sets only the minimum requirements, and educational institutions should also consider additional best practices around data ethics, data governance, and technical implementation.

Three laws or groups of laws have a widespread impact on K-12 cybersecurity: the Family Educational Rights and Privacy Act (FERPA); the Children’s Online Privacy Protection Act (COPPA); and varying state laws. These are not the only legal requirements around K-12 cybersecurity, but they are the most important.

Both the U.S. Department of Education (ED) and the Federal Trade Commission (FTC) have interpreted FERPA and COPPA to require reasonable security policies and governance, training and supporting personnel, and protective technical measures. The compliance strategies in the brief's next section reflect recommendations by ED and the FTC as well as other agencies that provide cybersecurity support, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Link: https://cdt.org/insights/policies-people-and-protective-measures-legal-requirements-for-k-12-cybersecurity/

