NC K-12 Cyber Objectives, Recommendations, and Essentials (NC K-12 CORE)

Formalization of the K-12 Cybersecurity Program Goals and Execution Strategies

The North Carolina K-12 Cyber Objectives, Recommendations, and Essentials (NC K-12 CORE) is a comprehensive strategy aimed at enhancing the cybersecurity awareness, practices, and posture of public school units (PSUs) across North Carolina. This approach incorporates cybersecurity and data privacy best practices from national frameworks while ensuring alignment with specific NC educational initiatives, ultimately fostering a secure digital teaching and learning environment for all K-12 stakeholders.

A successful K-12 cybersecurity program demands a comprehensive and collaborative approach involving multiple teams and stakeholders, including IT and security staff as well as administrators, educators, students, and families. A well-defined cybersecurity plan grounded in established and reputable frameworks provides the foundation for consistent practices and policies. Continuous awareness and training across all participant groups are essential to ensure everyone understands their role in maintaining security. Recognizing that cybersecurity is an ongoing process, the program must include mechanisms for regular validation, evaluation, and improvement. Additionally, adequate support and resources, both technical and financial, are critical to sustain efforts. Fostering a culture of cybersecurity, where open communication and proactive mediation are encouraged, helps embed security into the daily fabric of school operations.

C – Cyber

Cybersecurity is defined as the effort by an organization and its members to uphold the confidentiality, integrity, and availability of its assets, data, and overall digital infrastructure. This is carried out through diligent planning and provisioning so that the organization can both protect against threats to critical information and prepare to respond to them. Within the K-12 Cybersecurity Program in North Carolina, data privacy is also grouped under the responsibilities of cybersecurity, protecting individuals and their personally identifiable information (PII).

O – Objectives

The designation defines clear, specific cybersecurity goals for North Carolina PSUs. These objectives are aligned with broader educational and operational goals to ensure that cybersecurity is integrated into the overall strategy of the institutions. Objectives revolve around implementing a cybersecurity plan that maintains a clear understanding of the root problems that need to be addressed to improve cybersecurity posture. Additionally, developing a supportive environment and a motivating culture is crucial for continuous improvement and ongoing support.

R – Recommendations

The designation provides actionable recommendations for PSUs to implement best practices in cybersecurity. These recommendations cover areas such as network security, incident response planning, and compliance with state and federal regulations (e.g., FERPA, CIPA). PSUs are encouraged to adopt a layered security approach, including employee training, secure access controls, and up-to-date threat detection systems.

E – Essentials

CORE outlines the essential cybersecurity practices that every PSU must adopt to mitigate risks effectively. These essentials focus on creating a culture of cybersecurity awareness, conducting regular risk assessments, and ensuring continuous monitoring of systems. Additionally, PSUs are encouraged to develop incident response plans and ensure that disaster recovery procedures are in place to handle potential cyber incidents.

By formalizing these objectives, recommendations, and essentials, CORE helps North Carolina PSUs create a proactive and comprehensive cybersecurity strategy. The initiative not only improves the safety and security of educational environments but also ensures that PSUs are prepared to handle emerging threats while meeting compliance and regulatory requirements. Through CORE, PSUs are equipped with the tools and guidance needed to foster a secure digital learning space for students and staff.

CORE Influences & Supporting Material

As previously indicated, the CORE designation is guided by the recommendations and principles of the CIS Controls & Safeguards framework. However, CORE also draws on several additional influences from reputable cybersecurity publications and frameworks.

Center for Internet Security (CIS) Controls & Safeguards

The CIS Controls & Safeguards is a prioritized cybersecurity framework developed by the Center for Internet Security (CIS). It’s designed to help organizations improve their cybersecurity posture by focusing on a set of best practices that are both practical and effective in defending against common threats.

What Are the CIS Controls?

The CIS Controls are a set of 18 high-level actions, known as controls, which are further broken down into 153 safeguards (formerly called sub-controls). These controls are mapped to real-world attack data, such as that from the MITRE ATT&CK® framework and other threat intelligence sources.

Three Implementation Groups (IGs)

To make the framework more accessible to organizations of all sizes and capabilities, the CIS Controls are divided into three Implementation Groups (IGs):

  • IG1 – Basic cyber hygiene, intended for small organizations with limited resources.
  • IG2 – Intermediate level, for organizations handling sensitive data or with moderate risk exposure.
  • IG3 – Advanced level, for enterprises with complex infrastructure and high-value assets or facing significant risk.

Key Categories of CIS Controls (v8)

Here are the 18 controls in version 8 of the CIS Controls:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Security Awareness and Skills Training
  14. Security Operations Center (SOC) Capabilities
  15. Incident Response Management
  16. Application Software Security
  17. Penetration Testing
  18. Security Service Provider Management

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) – v. 2.0

The NIST Cybersecurity Framework (CSF) v2.0, released in February 2024, is a voluntary framework designed to help organizations of all sizes and sectors manage and reduce cybersecurity risk. It offers a flexible, risk-based approach and is used globally as a baseline for building strong cybersecurity programs.

Core Purpose

To provide organizations with a structured and repeatable process for:

  • Identifying and protecting assets
  • Detecting and responding to threats
  • Recovering from incidents
  • Managing cybersecurity risk across the enterprise

Key Components of the NIST CSF v2.0

Framework Core

The Core consists of 6 high-level Functions, each broken into Categories and Subcategories:

Six Core Functions (v2.0 update):
  1. Govern (new in v2.0) – Establish and monitor the organization’s cybersecurity risk management strategy, policies, roles, and responsibilities.
  2. Identify – Understand and manage cybersecurity risks to systems, assets, data, and capabilities.
  3. Protect – Safeguard systems and assets to limit or contain cybersecurity events.
  4. Detect – Identify the occurrence of cybersecurity events.
  5. Respond – Take action regarding detected events.
  6. Recover – Maintain plans for resilience and restore capabilities after an incident.

Each function contains Categories (e.g., “Access Control”) and Subcategories (specific outcomes), which are mapped to references such as NIST SP 800-53, ISO/IEC 27001, CIS Controls, etc.

Framework Implementation Tiers

These help organizations characterize the rigor of their cybersecurity risk management practices:

  • Tier 1 – Partial
  • Tier 2 – Risk Informed
  • Tier 3 – Repeatable
  • Tier 4 – Adaptive

Tiers reflect how well cybersecurity risk is managed and integrated into an organization’s overall risk management practices. They are not a maturity model but a lens for self-assessment.

Framework Profiles

A Profile represents the outcomes your organization is currently achieving or aims to achieve:

  • Current Profile – What’s in place today
  • Target Profile – The desired future state
  • Helps identify gaps and prioritize improvements

National Institute of Standards and Technology (NIST) Special Publication 800-53

NIST Special Publication 800-53, titled “Security and Privacy Controls for Information Systems and Organizations”, provides a catalog of controls for protecting the confidentiality, integrity, and availability of information systems. It’s published by the National Institute of Standards and Technology (NIST) and is primarily used by U.S. federal agencies, but it’s also adopted by private organizations, contractors, and critical infrastructure sectors.

Structure of NIST SP 800-53

Control Families (20 total)

Each control is organized into control families, which group similar types of safeguards. Examples include:

Control Family Code   Family Name
AC                    Access Control
AU                    Audit and Accountability
CM                    Configuration Management
CP                    Contingency Planning
IA                    Identification and Authentication
IR                    Incident Response
MP                    Media Protection
PE                    Physical and Environmental Protection
PL                    Planning
RA                    Risk Assessment
SC                    System and Communications Protection
SI                    System and Information Integrity
SR                    Supply Chain Risk Management

(Plus others covering privacy, awareness, etc.)

Each family contains individual controls, which may have control enhancements to increase effectiveness or apply to higher security tiers.

Control Structure

Each control has:

  • Control ID (e.g., AC-2: Account Management)
  • Control Statement (what must be done)
  • Discussion/Guidance (how to implement)
  • Control Enhancements (additional protections)
  • References (related NIST docs, laws, or frameworks)

Security & Privacy Control Baselines (via SP 800-53B)

Organizations use predefined baselines to implement only the controls needed for their risk environment:

  • Low baseline – Minimal protection (e.g., public-facing data)
  • Moderate baseline – Protects sensitive information
  • High baseline – Protects critical or national security data
  • Privacy baseline – Focuses on personal information

Baselines can be tailored to fit organizational context using the Risk Management Framework (RMF).