NCDPI K-12 Cybersecurity Program
Current Events
- CoSN 2023 Conference – The NCDPI K-12 Cybersecurity team will be presenting “Developing Statewide Cybersecurity Programs; North Carolina and Indiana” on March 21, 2023 at CoSN. You can see the full conference schedule here.
- Microsoft Outlook Elevation of Privilege Vulnerability – CVE-2023-23397 is a critical privilege elevation/authentication bypass vulnerability in Outlook, released as part of the March Patch Tuesday set of fixes. The vulnerability, which affects all versions of Windows Outlook, was given a 9.8 NIST CVSS rating in the NVD and is one of two zero-day exploits disclosed on March 14. See Microsoft Security Response Center and MCNC Alert for more details.
- FortiOS / FortiProxy Vulnerability – Heap buffer underflow in administrative interface. Several PSUs leverage this technology platform for their firewall services and should update immediately. See
CVE-2023-25610and FortiNet PSIRT Advisory FG-IR-23-001 and MCNC Alert for more details. - Cybersecurity Training – A new category has been added to FedVTE (Free to SLTTs, which includes PSUs) under the Cybersecurity Courses called Non-Technical Cybersecurity. Some new courses that fall into this category include Cloud Monitoring, Critical Infrastructure Protection and Cybersecurity Investigations. To see the full list of available courses in this category, visit https://fedvte.usalearning.gov/courses_nontech_cybersecurity.php
Overview
In 2021, NCDPI established the K-12 Cybersecurity Program with a purpose of organizing and aligning business and technical cybersecurity functions holistically across the state so that PSU and NCDPI stakeholders have greater visibility into the people, processes, and technologies deployed and have a measurable way to determine whether those efforts are sufficient and correct for current and future needs.
The goal is to help all PSUs achieve basic cyber hygiene!
PSUs can find more details about the current services and resources supporting the program below:
- Cybersecurity Awareness and Skills Training
- Web Security Services
- Managed Firewall Service
- Managed Endpoint Protection
- Vulnerability Management I
- Vulnerability Management II
- Vulnerability Management III
- Asset Discovery and Identification
- Identity and Access Management
- Network Monitoring and Defense
- Incident Response Management
- Network and Cybersecurity Consulting
In addition, the K-12 Cybersecurity Program has several partners with related services and resources available to the PSU community:
Management
The K-12 Cybersecurity Program is composed of cross-functional heterogeneous teams to work on tasks and deliverables of the projects. These teams will adapt and evolve over time, but identifying key members will be extremely important to getting the project started with good momentum. The teams should include representatives from all organizations that will interface with the Cybersecurity Program.
- Cybersecurity Executive Committee (CEC)
- The purpose of the executive committee is to provide the priority and policy advisory for the project and ensure the alignment of state agency and legislative requirements.
- The purpose of the executive committee is to provide the priority and policy advisory for the project and ensure the alignment of state agency and legislative requirements.
- Cybersecurity Core Teams (CCT)
- The core set of teams and organizations that collectively work together as part of the NCDPI K-12 Cybersecurity Program in providing the umbrella of cybersecurity services and resources for the PSUs
NCDPI, Friday Institute, MCNC, NCJCTF, NCDIT
- The core set of teams and organizations that collectively work together as part of the NCDPI K-12 Cybersecurity Program in providing the umbrella of cybersecurity services and resources for the PSUs
- Cybersecurity Advisory Council (CAC)
- The CAC consists of PSU cybersecurity leaders who meet monthly to discuss relevant threats, updates, and innovations. Overall focusing on supporting PSUs and NCDPI in improving the K-12 cybersecurity posture.
Key Program Contact
NCDPI K-12 Cybersecurity Team
k12cybersecteam@dpi.nc.gov
Strategy – Framework
NCDPI has aligned the K-12 Cybersecurity Program strategy with the
NIST Cybersecurity Framework (CSF) and its 5 Core Functions
- Identify
- Protect
- Detect
- Respond
- Recover
NCDPI will support a variety of countermeasures, composed of people, processes, and technologies, across the 5 functions of the CSF to reduce cybersecurity risks to PSU assets.
Strategy – Controls
Since the inception of the K-12 Cybersecurity program, NCDPI has leveraged the Center for Internet Security (CIS) Critical Security Controls as a guide for specific and actionable ways to thwart the most common attacks, with the goal of supporting PSUs to achieve CIS implementation group 1 level. The CIS Controls are a relatively short list of high-priority, effective defensive actions that provide a starting point for enterprises seeking to improve their cyber defense. NCDPI also leverages applicable Security and Privacy Controls from NIST NIST SP 800-53r5 to support the program purpose and vision.
Key Program Outreach and Engagements
- NCDPI K-12 Cybersecurity Program (March 2023)
- NCTIES 2023 – Re|Connect Cybersecurity Updates (March 2023)
- NCTIES 2023 – Data Privacy, Cybersecurity, and People Awareness and Skills Training for PSUs (March 2023)
- CoSN 2023 – Developing Statewide Cybersecurity Programs – North Carolina and Indiana (March 2023)