President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formally titled the “MAIN STREET Cybersecurity Act”), into law on August 14, 2018.
The new act amends the National Institute of Standards and Technology Act in two ways. First, it requires the National Institute of Standards and Technology (NIST), within one year of enactment and in consultation with the heads of other appropriate federal agencies, to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” Second, it requires NIST to consider small businesses when it “facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.”
The resources are for voluntary use by small businesses and must:
- be technology-neutral;
- be based on international standards to the extent possible;
- be able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems;
- be consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014; and
- include case studies of practical application.
While many see the new act as a step in the right direction, others point out that it imposes no actual requirements: small businesses remain free to ignore any of the cybersecurity recommendations provided to them.