Building up Cyber Defenses in Compliance with State Laws

Hillsboro-Deering School District (HDSD) is a K-12 district with 1,100 students and approximately 300 staff members. It's part of School Administrative Unit (SAU) 34.

"In partnership with our communities and families, SAU 34 empowers all students to grow in safe and caring learning environments that inspire creativity, curiosity, and connection," the SAU 34 website reads.

We sat down with Neal Richardson at HDSD. Neal has been at the school for five years as its Director of Technology and Chief Information Security Officer (CISO). In this role, Neal has total ownership of all technology in the district. Chromebooks, laptops, printers, servers, digital signs, phone-based emergency notification systems, and anything else that connects to the network – along with what's in place to secure them – fall under his purview.

We chatted with Neal previously about his journey of using resources from the Center for Internet Security (CIS), particularly the CIS Critical Security Controls (CIS Controls), to build up HDSD’s cyber defenses. Let’s review how this happened and examine what's changed since the last time we spoke to him.

The Challenge: Complying with a State Data Security and Privacy Law

The State of New Hampshire previously enacted a data privacy and security law that defined how K-12 school districts must protect and defend the data of students and staff.

When he first came on, Neal found that the district didn't have anything in place to address the law or cybersecurity more broadly. The State did provide NH school districts at the time with a list of controls from NIST SP 800-171, but the list didn't include the full suite of controls. As a result, the list was insufficient for HDSD to take a global approach to cybersecurity and data privacy.

Neal's main challenge was to comply with the State law in a holistic fashion.

The Solution: IG1 as the Perfect Fit

Neal decided to enact Implementation Group 1 (IG1) of the CIS Controls v7.1. The process took about six months, with Neal serving as the project's lead.

He got started by splitting HDSD in half – staff on one side and students on the other. Neal did this because all students pursue their studies using Google Chromebooks and Google accounts. (He uses Google's admin console to manage these assets in particular.) By contrast, staff use Windows devices primarily, with Neal and his team using group policies to manage them.

Implementation Group 1 (IG1) of the CIS Controls v7.1 constituted the perfect fit for HDSD. It provided Neal with a roadmap of what configuration changes he and his team needed to make in order to comply with the State law. It also gave him a stepping stone that he could use to scale out to Implementation Group 2 (IG2) and Implementation Group 3 (IG3) as the school district matured.

One of HDSD's challenges was that students could install whatever Chrome extensions they wanted on their Google Chromebooks. As a result, many students had multiple VPN extensions and chat apps installed on their devices. It was a lot of complexity to manage.

The CIS Controls v7.1 made things simple. Specifically, Safeguard 2.6: Address Unapproved Software pointed out everything that they needed to do to get unapproved software under control. As a result, Neal found it easy to restrict software for students and staff alike by blocking any unapproved programs in Google's admin console.
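Safeguard 2.6 starts with knowing what is installed and which of it is approved. The script below is an added illustration, not the district's own tooling or a Google API: it takes a constructed fleet export of installed Chrome extensions, applies a separate allowlist for the student and staff organizational units (mirroring the staff/student split described above), and reports what would need blocking. Device names, extension IDs and names are all made up.

```python
import csv
import io
from collections import defaultdict

# Constructed extension IDs (Chrome IDs are 32 letters a-p); these are placeholders.
EXT_READER = "a" * 32   # hypothetical approved reading aid
EXT_VPN = "b" * 32      # hypothetical unapproved VPN extension
EXT_CHAT = "c" * 32     # hypothetical unapproved chat extension
EXT_PWMGR = "d" * 32    # hypothetical staff-only password manager

# Constructed sample export: one row per (device, extension) pair.
INVENTORY_CSV = f"""device,user_ou,extension_id,extension_name
chromebook-001,/Students,{EXT_READER},Reading Helper
chromebook-001,/Students,{EXT_VPN},Free VPN Proxy
chromebook-002,/Students,{EXT_CHAT},Chat Anywhere
chromebook-002,/Students,{EXT_READER},Reading Helper
laptop-010,/Staff,{EXT_PWMGR},Password Manager
laptop-010,/Staff,{EXT_VPN},Free VPN Proxy
"""

# Approved software per organizational unit. Anything not listed here counts
# as unapproved software in the sense of Safeguard 2.6.
APPROVED = {
    "/Students": {EXT_READER},
    "/Staff": {EXT_READER, EXT_PWMGR},
}


def find_unapproved(inventory_csv, approved):
    """Return {extension_id: {"name": ..., "devices": [...]}} for every
    installed extension that is not approved for the device's OU."""
    findings = defaultdict(lambda: {"name": "", "devices": set()})
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ext = row["extension_id"]
        if ext in approved.get(row["user_ou"], set()):
            continue  # approved for this OU, nothing to do
        findings[ext]["name"] = row["extension_name"]
        findings[ext]["devices"].add(row["device"])
    return {ext: {"name": f["name"], "devices": sorted(f["devices"])}
            for ext, f in findings.items()}


def blocklist_candidates(findings):
    """Unapproved extension IDs, most widely installed first, so the admin
    can prioritize what to block in the management console."""
    return sorted(findings, key=lambda e: (-len(findings[e]["devices"]), e))
```

Run against a real export, the same two functions give the list to feed into the console's block settings and a per-device record of what was removed.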

During the implementation process, Neal used the CIS Controls' mapping to NIST SP 800-171 to prove their compliance with the State law. At the time, the State of New Hampshire CISO was on CIS's board. He knew how HDSD was using the CIS Controls to achieve its security objectives.

Neal and his team ultimately pivoted once CIS Controls v8 came out. They needed to account for certain changes, but the changes themselves weren't significant. As part of the transition, Neal made use of the new functionalities added by Google to its admin console to improve the security of HDSD's assets and systems. He and his team also used other products, including other resources from CIS. They began by manually implementing the CIS Benchmarks, but when they discovered that CIS had group policies pre-configured to the Benchmarks, they obtained a CIS SecureSuite Membership and used it to implement CIS Build Kits. 

The Impact: Show, Justify, and Explain Compliance with Intent of State Law

As there was a direct mapping of the Controls to NIST SP 800-171, Neal and his team were able to show, justify, and explain why they chose the CIS Controls and how they mapped to the State law. They did this for HDSD's leadership and the State CISO to ensure they were meeting the cybersecurity intent of the law. (To meet the privacy intent, they needed to use other resources.)

Beyond complying with the State law, HDSD now had cyber defenses in place for the first time since Neal had arrived. This development brought structure, accountability, and increased awareness of the true threats confronting schools. It also enabled his team to focus on filling gaps that the Controls did not address. The technical measures of IG1 were in place, but HDSD still needed a firewall, host-based anti-virus software, and other technologies. With a view of these gaps, Neal and his team were able to focus more closely on what to purchase.

Such a strategic approach is crucial when you have a tight budget. Neal's entire budget line for software is $200K. The student information system costs about $30K, and the Google licensing is around $20K. That's already a quarter of his budget.

Neal and his team didn't just save time and money by making more strategic purchasing decisions. They also saved in terms of administrative hours. By implementing the CIS Controls, Neal and his team saved the school district 25 person hours per week from email and spam filtering along with browser and app configuration. They also saved an additional 40 hours from using the CIS Controls for account and group provisioning.

Going Beyond: Evangelizing IG1 in K-12 School Districts

Using his experience at HDSD as a springboard, Neal has taken it upon himself to evangelize the implementation of IG1 for other K-12 organizations. His journey began in 2013 when he first became a member of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Neal recalls that MS-ISAC did calendars back then; 50 members would be listed at the back of the calendar. 

Things changed in the years that followed. The MS-ISAC added its 15,000th member in 2023, and Neal became co-chair of the MS-ISAC's K-12 working group. School districts all over the country use the working group to share some of the cybersecurity challenges that they're facing. One of their struggles is the reality that many organizations and resource groups charge K-12 school districts to use their platform for cybersecurity services. By contrast, the MS-ISAC doesn't charge anything for members who are looking to strengthen their cyber defenses.

Neal is also working in partnership with Google to raise awareness for IG1 among K-12 school districts. Anthony Duncan at Google has this to say about Neal's involvement:

"At the MS-ISAC's Annual Meeting in 2022, Neal and representatives of other school districts attended a Birds of a Feather session," he explained. "Phyllis Lee, VP of Security Best Practices Content Development at CIS, and I presented at the event with a focus on helping K-12 school districts implement IG1. Since then, CIS and Google's relationship around this effort has blossomed. While discussing how we could provide an update on our progress in 2023, we thought it would be a good idea to have someone from a school district present. Neal immediately came to mind. He was active in the Q&A in 2022; he shared his experience as a member school district. It felt only natural to follow up with him this year so that he could lend his voice to the audience as a practitioner. My hope is that other school districts will hear him speak and use his example to implement IG1 at their school districts."

A Different Place of Cybersecurity Maturity

When Neal first arrived at HDSD in 2018, he was very apprehensive about the state of cybersecurity at the district. He felt better once the CIS Controls were in place the first time around, but he knew that there were still a lot of underlying issues tied to cybersecurity at the school district. Fast forward five years, and Neal and his team are in the process of implementing IG2.

Neal has two recommendations for those who are looking to implement the Controls.

"First, start small," he explained. "Pick one Control that you're comfortable with, start from there, and take it in steps. Don't tackle it all at once, as this will get overwhelming. Be slow and methodical. Second, if you're switching from v7.1 to v8, focus on the right things – that is, take everything you've invested in v7.1 and focus on the v8 documentation rather than trying to map v7.1 to v8."

Now It’s Your Turn

Through the use of CIS Controls, HDSD complied with the State security law, built a cyber defense program, and laid the foundation for growing its maturity through IG2 and beyond.

Interested in learning how the CIS Controls can benefit your organization?