A year and nearly four months after the measure was introduced, the NIST Small Business Cybersecurity Act officially passed after President Donald Trump signed the legislation into law.
Originally proposed as H.R. 2105 in April 2017, the act was later absorbed into U.S. federal law S.770, and requires the director of the National Institute of Standards and Technology, within within one year of the law's passing, to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks.
S.770 also tasks NIST, a division of the U.S. Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and "include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships."The legislation in its current form was introduced by Sen. Brian Schatz, D-Hawaii, along with Sen. James Risch, R-Idaho, and was sponsored by fellow lawmakers John Thune, R-S.D.; Maria Cantwell, D-Wash.; Bill Nelson, D-Fla.; Cory Gardner, R-Colo.; Catherine Cortez Masto, D-Nev.; Maggie Hassan, D-N.H.; Claire McCaskill, D-Mo.; and Kirsten Gillibrand, D-N.Y.
In a press release, Schatz, the the lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, said that “As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers."
“This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks,” Schatz continued.
“The NIST Cybersecurity Small Business Act is a significant win for the cybersecurity industry and for small-to-medium size businesses who struggle to operate consistent with the NIST standards," said Dr. Bret Fund, founder and CEO of cybersecurity academy SecureSet, in emailed comments. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain."
"Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks," remarked Dirk Morris, chief product officer at Untangle, a provider of network security for SMBs. "The NIST Small Business Cybersecurity Act will provide small businesses the resources and a simplified cybersecurity framework so they can effectively protect their businesses from threats.”