On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The NIST Act was passed shortly after the very similar Senate bill S. 770, the MAIN STREET Cybersecurity Act of 2017, which passed on September 28.
The NIST Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. As drafted, the guidelines must
- be generally applicable and usable by a wide range of small business concerns;
- vary depending on the size and nature of the implementing business concern and the sensitivity of data collected and stored;
- include elements to promote awareness of basic controls, a workplace cybersecurity culture, and third-party relationships in order to help mitigate common cybersecurity risks;
- include case studies;
- be technology neutral; and
- to the extent possible, be based on international standards and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. §§ 3701 et seq.).