Small Business Cyberattack Protection Bills

October 11, 2017

On Oct. 11, the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act of 2017 (H.R. 2105) will come up under suspension on the House floor. Introduced by Rep. Daniel Webster (R-Fla.), this bill amends the National Institute of Standards and Technology Act to require NIST to consider small businesses when it facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.

NIST must consult with other federal agencies to disseminate, and publish on its website, standard and method resources that small businesses may use voluntarily to help identify, assess, manage, and reduce their cybersecurity risks. The resources must be: (1) technology-neutral, (2) based on international standards to the extent possible, (3) able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems, (4) capable of promoting awareness of third-party stakeholder relationships to assist small businesses in mitigating common cybersecurity risks, and (5) consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014. Other federal agencies may elect to publish the resources on their own websites.

Meanwhile, on Sept. 28 the Senate passed the companion bill, the MAIN STREET Cybersecurity Act of 2017 (S. 770), which would also require the federal government to offer more tools to small businesses to guard their networks from cyber threats. Similarly, the legislation offered by Sens. James Risch (R-Idaho) and Brian Schatz (D-Hawaii) directs NIST to publish and disseminate resources to small businesses that choose to use the cybersecurity framework produced by the institute.

Both Risch and Schatz cheered the unanimous passage of the bill in a voice vote, citing the massive Equifax data breach earlier this month as the most recent reminder of stark cyber threats to businesses and other organizations.

The bill, swiftly approved by the Senate Commerce Committee in April, has a slate of bipartisan cosponsors, including Sens. John Thune (R-S.D.), the committee chair, and Bill Nelson (D-Fla.), the ranking member.