On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The NIST Act was passed shortly after the very similar Senate bill S. 770, the MAIN STREET Cybersecurity Act of 2017, which passed on September 28.
The NIST Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. As drafted, the guidelines must
- be generally applicable and usable by a wide range of small business concerns;
- vary depending on the size and nature of the implementing business concern and the sensitivity of data collected and stored;
- include elements to promote awareness of basic controls, a workplace cybersecurity culture, and third-party relationships in order to help mitigate common cybersecurity risks;
- include case studies;
- be technology neutral; and
- to the extent possible, be based on international standards and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. §§ 3701 et seq.).
The initial version of the NIST Act, introduced on April 20, presented findings to highlight the need for cybersecurity guidance given the importance of small businesses to the US economy. The April 20 version states that small businesses account “for 54 percent of all United States sales and 55 percent of jobs in the United States.” It further states that a high percentage of cyberattacks target small and medium businesses and that, according to the National Cyber Security Alliance, 60% of small businesses that suffer such attacks go out of business within the following six months.
Reconciliation with Senate Bill
The NIST Act and the Senate bill are substantively very similar and provide comparable findings and requirements. Both outline nearly identical standards for NIST’s future guidelines—with the exception that the NIST Act requires case studies. Also, the Senate bill provides that if another federal agency publishes any resources to guide small businesses with respect to cybersecurity risks, the head of such agency must ensure that such guidance is consistent with those resources published by NIST.
Given the similarity of both bills, as well as bipartisan support of each, reconciliation is not expected to be a difficult task.
We will continue to provide updates on each of these bills and possible reconciliation as they are made available.