NSBA Testifies on Cyber Crime

March 14, 2019

On March 13, the Senate Committee on Small Business and Entrepreneurship held a hearing entitled “Cyber Crime: An Existential Threat to Small Business.” Karen Harper, a member of the NSBA Leadership Council and the Small Business Technology Council (SBTC) and President and Principal Scientist at Charles River Analytics, Inc., a small business headquartered in Cambridge, Massachusetts, was among the witnesses testifying at the hearing.

Since 1983, Charles River Analytics has been delivering intelligent systems that transform our customers’ data into mission-relevant tools and solutions to support critical assessment and decision-making. Charles River continues to grow its technology, customer base, and strategic alliances through research and development programs for the DOD, DHS, NASA, and the Intelligence Community. Her company addresses a broad spectrum of mission areas and functional domains, including sensor and image processing, situation assessment and decision aiding, human systems integration, cyber security, human-robot interaction, and robot localization and automation.

Small businesses face unique challenges and vulnerabilities when it comes to digital security. Business owners rely on information technology more than ever, yet the very tools that make small businesses competitive have also put them in the crosshairs of cyber attackers. The security of our online data and finances is a huge concern for America’s small businesses.

Early indicators from a forthcoming NSBA survey show that 62 percent of small-business owners are very concerned that their business could be vulnerable to a cyber-attack. That same data suggests that more than one-in-three have been the victim of a cyber-attack. The most common type of cyber-attack, according to NSBA’s data, resulted in a service interruption or in information being falsely sent out under the business’s name. The time it takes to resolve these issues is significant as well, with one-in-four saying it took them more than 3 days to find a resolution.

Ms. Harper’s testimony focused on the challenges small businesses face with the adoption of the National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements to protect Controlled Unclassified Information (CUI) in non-federal IT systems. She states, “While small-business leaders such as myself understand the intentions of the NIST SP 800-171 standard to protect the cyber vulnerabilities we all face, compliance with NIST SP 800-171 is extremely costly and overly burdensome, particularly for small businesses. The publication includes 110 IT control requirements, many of which require highly complex solutions. As a result, many contractors are still grappling with the complexities of NIST SP 800-171, as well as other aspects of DFARS, such as what actually constitutes ‘Controlled Unclassified Information (CUI)’ under the clause.”

Given the challenge, expense, and business impacts of Charles River’s NIST compliance program, her testimony included recommendations for improving NIST SP 800-171 for small defense contracting businesses across three areas. Her testimony includes the following:

“First, we require clarity in the definition and management of Confidential Unclassified Information (CUI), both provided by our DOD customer base, but also information generated by our company in the course of business execution. Second, we require flexibility in the application of the defined NIST controls. IT requirements across industries and companies vary widely, and the implementation of NIST-compliant controls should reflect this diversity in IT system needs. Finally, we require clear guidance to support the nation’s small businesses in the defense sector to comply properly. This guidance must be delivered in easily accessible implementation guides—using plain language—that target the range of IT challenges faced across the community.”

