You have /5 articles left.
Sign up for a free account or log in.
monsitj/iStock/Getty Images Plus/Getty Images
More than a dozen higher education–focused organizations are hitting back against a federal proposal that would require the country’s 5,000-plus colleges and universities to report cybersecurity attacks.
Educause, a nonprofit focused on education and technology, sent a letter July 1 to express concerns about a proposal from the Cybersecurity and Infrastructure Security Agency (CISA), which falls under the Department of Homeland Security.
The proposal, filed May 6, expands on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. That measure was born out of a larger effort to mitigate cyberattacks, which have increasingly seeped into the higher education sector in the last few years, namely following a mass breach by ransomware group Cl0p in 2023. It impacted thousands of higher education institutions and adjacent institutions, with some going as far as paying the group a ransom.
The 2022 legislation requires entities in “critical infrastructure sectors”—including manufacturing, government, health care and transportation systems—to report a cyber breach within 72 hours. The higher education sector was not included.
The new proposal would change that, requiring all institutions—small, large, public, private, two-year, four-year—that receive Title IV federal student aid funding to adhere to the reporting procedure.
“Colleges and universities already face a wide array of state and federal cyber incident reporting requirements, and CISA’s proposed mandates would add one more heavy brick to the pile when institutions have to address a significant incident,” said Jarret Cummings, senior adviser for policy and government relations at Educause, in an email to Inside Higher Ed.
The 24-page letter to Jennie M. Easterly, CISA’s director, spelled out several concerns with the proposal, including that higher education officials were not consulted about the proposal.
“We are led to believe that higher education was not at the forefront when Congress developed legislation to address cyber incident reporting in critical infrastructure sectors,” Cummings said, adding that the “history of engagement between higher education and the Department of Homeland Security as well as CISA itself further supports this view.”
The American Council on Education agrees with Educause, but ACE filed its own letter July 3, pointing toward the disappointing lack of conversation between DHS and the education sector. It has the backing of 15 other organizations that span across community colleges, admissions officers, business leaders and religious institutions. (This paragraph has been clarified to reflect that ACE did not co-sign Educause letter.)
“Educause are the experts; ours is focused on the fact [CISA] defined a covered entity in higher education so broadly, without having a conversation with our sector,” Sarah Spreitzer, ACE’s vice president and chief of staff for government relationships, said.
The ACE and Educause letters point out the strain the new proposals could put on both small and large institutions, which would have the exact same reporting requirements.
Large institutions may find themselves repeating efforts or processes in an attempt to meet the CISA guidelines, as well as local and state requirements. For smaller, underresourced colleges and universities, the reporting could create a serious financial and time burden.
While the CISA proposal has a minimum population standards for K-12 institutions, stating schools with “a student population of 1,000 or more” have to report, there is no minimum when it comes to higher education.
Spreitzer said that while ACE does not oppose a requirement to report cyberbreaches, the proposal needs to be clear on the size of institutions that should submit reports.
“I’m picturing a small community college in a rural setting with perhaps several hundred students,” Spreitzer said. “They may not have a large administration. They may not have a chief technology officer, or chief operating officer; they may have a small IT department … I don’t think it’s helpful to have the institutions reporting as if they’re all the same size and have all the same threats.”
The public comment period for the proposal ended July 3, after DHS received an onslaught of requests to extend the public comment period 30 days after its initial deadline. The final regulation is expected in October 2025.
A CISA spokesperson told Inside Higher Ed that the agency has “welcomed all feedback, both positive and negative” and has begun reviewing the comments.
ACE and Educause are both hopeful that at a minimum, higher ed parties will be included in further discussions as the cybersecurity proposal moves forward.
“We hope to see outreach from CISA well before it reaches that deadline,” Cummings said, “but we will have to consider how we can elevate our concerns with the agency if substantive engagement doesn’t occur over the next few months.”