Introducing the K-12 Cybersecurity Self-Assessment

A vendor-neutral, free, quick, useful, private, and anonymous self-assessment for school district IT leaders created by school district IT leaders


By April Mardock, Information Security Manager, Seattle Public Schools

Want to reduce the odds of ransomware (or other show-stopping cybersecurity incidents) from impacting your school district? It’s really about the basics…but what basics? Where can you find a (free!) assessment that can generate a list of the most important practical steps you can take to protect your school district that is also private, anonymous, and pragmatic?

Long story, short: since I couldn’t find a self-assessment tool that met those criteria, I collaborated with my k12 infosec peers** to build one and today I’m pleased to share it with you!

Introducing the “K-12 Cybersecurity Self Assessment” (version 1.0):

Take the K-12 Cybersecurity Self-Assessment

The self-assessment is based on the NIST Cybersecurity Framework (NIST CSF), and the advice I summarized – and associated references – in a May 2019 blog post on this site (“Guide to the NIST Cybersecurity Framework: A K-12 Perspective“). Of note, that same post is now being recommended as a ‘risk management resource for academia‘ by NIST.

It’s a 50-question self-assessment that a K-12 IT leader (or team) can complete in about 20 minutes or less that provides:

  • An overall score and rating of their school district’s cybersecurity risk exposure (i.e., high, medium, low);
  • Subscores of their district’s strengths and weaknesses by the 5 NIST CSF domains (i.e., Identify, Protect, Detect, Respond, and Recover); and,
  • A ranked list of practical next steps/recommended activities, based on the answers provided.

Plan to complete the assessment in one session and save/print your report. By design, the assessment does not collect identifying information or allow users to save work in progress/reports across browser sessions.

What does a report from the self-assessment look like? Here’s a sample self-assessment report [PDF], not based on any specific district.

Thanks for joining me in the Version 1.0 launch! Please use it. Please share it. And, please take action to reduce the cybersecurity risks your school district may be facing. Let’s make K-12 cyber security better – together!

** A big thank you to the following K-12 IT experts who reviewed this work while in progress and provided valuable input: Doug Levin, Jared Folkins, Nathan McNulty, Nick Vassari, Bill Patterson, Angela Deboo, David Mendez, and Rachel Wente-Chaney. Nonetheless, any errors or omissions in the final product are mine (and Doug’s!) alone. 


April Mardock has supported cybersecurity and InfoTech in 132 different companies and is featured in Tribe of Hackers Blue Team: Tribal Knowledge from the Best in Defensive Cybersecurity. She is well versed in complex, multilayered environments, and is currently the functional CISO for more than 60,000 users at Seattle Public Schools. She holds a masters in IT and a CISSP security certification, as well as several other industry specific certs. April’s currently responsibilities include site-based technology audits, infosec policy management, disaster recovery and business continuity consulting, firewall management, penetration testing, email spam and web filtering, and on-site network forensics.