What happens when 4,000 school districts simultaneously lose access to their digital infrastructure in the middle of the school day and can’t reopen for days or weeks? Millions of families scramble to pick up children and can’t go to work. Schools can’t bus students home, contact families, or determine to whom they can release children. Millions of students who rely on the school meal programs go hungry.

With an average of 5 cyber incidents occurring a week, ransomware shutting down schools across the country, and one data breach impacting over 60 million students across thousands of school districts, this scenario is not out of the realm of possibility. As the speed, scope, and impact of cyber threats to K-12 schools continue to increase and more responsibilities shift to state and local governments, education leaders need a convening mechanism to specifically address K-12 cybersecurity policy and practice. 

That is why today, the Institute for Security and Technology (IST) is announcing the launch of the K-12 Cyber Defense Coalition (K-12 CDC). Composed of 13 membership organizations representing superintendents, schools boards, technology leaders, principals, and state leaders, the K-12 CDC will drive state and local collaboration, policy development, and information sharing to defend our nation’s schools from cyber threats. The K-12 CDC builds on a strong foundation provided by the Education Government Coordinating Council (Education GCC), which the U.S. Department of Education established in March 2024. The original GCC led the development of the nation’s first K-12 cybersecurity sector risk assessment and drove the rapid sector-wide response to the PowerSchool cyber incident. Since the vast majority of funding and authorities in education live at the state and local level, by convening the 13 GCC membership organizations at IST, the K-12 CDC will be able to dig more deeply into K-12 cybersecurity policy where the rubber meets the road: at the state and local levels, with crucial involvement from civil society. Ultimately, the K-12 CDC aims to protect students, teachers, and families from the very real impacts of cyber attacks and to improve their resilience should one occur. 

The K-12 Cyber Defense Coalition Member organizations are: 

• AASA: The School Superintendents Association
• AESA: Association of Educational Service Agencies
• CASE: Council of Administrators of Special Education
• CCSSO: Council of Chief State School Officers
• CGCS: Council of Great City Schools
• CoSN: Consortium for School Networking
• K12 SIX: K-12 Security Information eXchange
• NAESP: National Association of Elementary School Principals
• NASCIO: National Association of State Chief Information Officers
• NASSP: National Association of Secondary School Principals
• NREA: National Rural Education Association
• NSBA: National School Boards Association
• SETDA: State Educational Technology Directors Association

Coming out of the K-12 CDC’s first meeting on Friday May 23, 2025, the group expressed excitement at the opportunity to continue to learn together (we are all educators, of course), interest in building cyber policy capacity across membership organizations, and a sense of urgency for developing actionable recommendations to mitigate third party risk in the wake of the PowerSchool incident.