While the Family Educational Rights and Privacy Act of 1974 (FERPA) does not mandate specific security controls for educational institutions, cyber threats pose a significant risk to student privacy. Educational data breaches are common and can lead to a violation of FERPA. Institutions should take steps to safeguard student records to prevent negative consequences such as identity theft, fraud, and extortion. The age of your students, their access to online services, and the types of data you process each determine the regulations you must follow.

The US Department of Education provides the K-12 School Security Guide (3rd ed., 2022), a comprehensive doctrine and systems-based methodology to support schools in conducting vulnerability assessments and planning to implement layered physical security elements across K-12 districts and campuses. The primary focus is on protection and mitigation measures and strategies schools should consider in their broader school safety enterprise.

Emergency Services

Often the first responders in an emergency, this sector comprises millions of highly skilled paid and volunteer personnel, and their technical resources, which provide a wide range of prevention, preparedness, response, and recovery services. Both geographically distributed and highly coordinated, federal, state, local, tribal, and territorial agencies, both government and private, rely on information systems and on-demand access to data to communicate and collaborate in time-sensitive situations. This includes law enforcement, fire departments, and emergency medical services, against whom a successful cyber attack could literally mean the difference between life and death.


Energy infrastructure fuels the 21st century economy with a stable energy supply which enables public health and welfare services, financial transactions, and some component of every industry. More than 80 percent of the country's energy infrastructure is owned by the private sector, supplying fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation. An energy supply chain breakdown or denial of service would cripple the people, businesses, and government entities in an impacted area.


Financial gain is a primary motivator of many cyberattacks, which makes fiscal institutions a primary target. This sector represents a vital component of the nation's critical infrastructure, as untold social unrest could result from a large-scale denial of services or access to funds caused by natural disasters, a sophisticated cyber breach, or data compromise. The financial sector is made up of many sub-sectors, including those that access and process funding and payment data, with all members large and small being viable targets. While insurance can cover certain financial losses, a data breach can cause irrecoverable damage to reputation and customer confidence.


Vendors and individuals supporting federal, state, and local governments are charged with protecting the processing of, and access to, sensitive data that enables critical public services and timely communication. Compromised cybersecurity at any of the hundreds of thousands of global government agency suppliers and service providers could negatively impact operational readiness, systems availability, data security, and organizational integrity. Depending on the agency you support, the type of work you do, and the access you have been granted, your organization could be subject to multiple levels of cybersecurity and compliance regulations.

Health Services

Healthcare and medical service providers protect the public from terrorism, infectious disease outbreaks, and natural disasters, and the vast majority of this sector's assets are privately owned and operated. Secure collaboration and information sharing between public and private sectors is essential to increasing resilience of the nation's Healthcare and Public Health critical infrastructure across all US states, territories, and tribal areas. This includes response to natural and manmade disasters. While healthcare tends to be delivered and managed locally, the public health component of the sector, focused primarily on population health, is managed across all levels of government.

Information Technology

The IT sector enables services critical to the nation’s security, economy, public health, and virtually every aspect of private citizens’ modern life. This industry's complex and dynamic environment makes identifying threats and assessing vulnerabilities difficult, which requires that these tasks be addressed in a collaborative and creative fashion. IT functions are operated by a combination of entities, including owners and operators of respective associations, to maintain and reconstitute the network, including the Internet. While IT service providers continue to mature their cyber resilience, the interdependent and interconnected nature of IT services presents substantial challenges and opportunities for coordinating public and private sector preparedness and protection.


People must provide contact, financial, and even health information to purchase insurance, often before a policy can be written. This data is often shared by consumers and insurers to find the best deals, making insurance groups a natural target for cyberattacks. Products, policies, and pricing are all powered by data, which raises the risks of identity theft, loss of confidential data, and susceptibility to automated threats that disrupt business and damage reputations.


Legal firms combine two elements that are attractive to motivated attackers: a wealth of sensitive client data and access to large sums of money. Whether compromising a firm’s capacity to serve clients or threatening to ruin both the firm's and its clients’ reputations, legal firms have historically been targets for cyberattacks. Data breaches can incur financial costs, be that in the form of paid ransoms, regulatory fines, or business downtime because of the attack. However, reputation and credibility damage are arguably more serious consequences than financial costs because of lingering effects which could cost the firm current clients and untold new business opportunities.


Customer data, including Personally Identifiable Information (PII), drives marketing, and many sites and sources include remote connectivity and always-on technology. The variety and prevalence of use cases, sources, and partners with whom information is shared make detecting unauthorized access and data siphoning more difficult in marketing companies. Similar to the financial and legal industries, some of the greatest risks are from negative customer experiences, impact to an agency’s reputation, and any other source that lowers client and user confidence.

Real Estate

With a plethora of Personally Identifiable Information (PII) and financial data, e.g., banking accounts and credit cards, real estate companies are potential targets for cyberattack. A successful breach or ransomware attack can diminish customer confidence, hurt the company’s reputation, and lead to customer identity theft or fraud. As their work processes and payment systems become increasingly digitalized, real estate agencies have the responsibility to keep clients’ and their own business information secure by deploying suitable cybersecurity measures.


The transportation industry quickly, safely, and securely moves people and goods across the country and overseas. Consisting of aviation, maritime, mass transit, shipping, and commercial transportation providers, businesses in this sector process high volumes of real-time data on complex infrastructures and large numbers of mobile and embedded devices. Each endpoint in these networks represents a possible point of entry for a malicious actor. High levels of connectivity and interdependent logistics raise the exposure and potential impact of a successful Denial of Service (DoS) attack, supply chain compromise, or data breach. With people’s lives and businesses’ livelihoods at risk, preventing and defending against cyber crime in the transportation sector are critically important.