On August 14, 2018, the NIST Small Business Cybersecurity Act was enacted. In some ways, the Act appears to be a continuation of policies to enhance private sector cybersecurity through the use of voluntary resources, such as the NIST Cybersecurity Framework developed under Executive Order 13636. However, it takes a new step forward in directing the development of cybersecurity resources that are right-sized for small to medium-sized businesses.
Specifically, the Act requires that within one year of the law’s passage, the Director of the National Institute of Standards and Technology, in consultation with the heads of other appropriate Federal agencies, “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
Given the varying types and sizes of small businesses, the Act requires NIST to take into consideration the needs of small businesses when developing resources. The resources disseminated should be generally applicable and usable by a wide range of small businesses. They should also be scalable depending on the size and nature of the small business as well as the sensitivity of the data collected or stored by the small business.
The resources must also “promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships,” include practical case studies, be technology-neutral, and be implemented using technologies that are commercial and off-the-shelf. The resources should be based on international standards to the extent possible.
Importantly, the use of the resources is voluntary, and small businesses will have the discretion to determine if, and which, resources they will utilize. Since cybersecurity is not “one size fits all,” the NIST Small Business Cybersecurity Act aims to provide small businesses with the resources to protect themselves against threats in a way that is flexible, practical, and cost-effective.