
NIST Cybersecurity Framework

NIST Small Business Cybersecurity Act Passed Into Law

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act), into law on Tuesday, August 14, 2018. It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks." This is a significant step: many small businesses want to adopt the NIST Cybersecurity Framework but have trouble doing so because of its complexity.

As described in an article in SecurityWeek, the resources that NIST provides must be generally applicable to a wide range of small businesses and may vary with the nature and size of the business. They are intended to promote cybersecurity awareness and a workplace cybersecurity culture, and will include practical application strategies for small organizations. The resources must also be technology-neutral as far as possible.

Strong Bi-Partisan Support

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyber attacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, who is the lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

Well-Received In The Security Industry

"Small businesses account for 99.7% (SBA) of employers in the United States and as many as 50% (CNBC) of those have experienced a cyber attack. Not surprising when you consider that websites are attacked as many as 50 times per day on average" says Jessica Ortega, a member of the SiteLock research team.

"The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordably," she says. "It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyber threats continue to evolve."

Small businesses, and many large organizations, struggle to comply with the existing NIST Cybersecurity Framework. Some observers say that this government-backed change sets the stage for greater compliance and readiness among smaller organizations, especially those that have considered NIST compliance too costly, complex, or time-consuming to achieve.

Still, small organizations cannot afford extensive in-house cybersecurity resources, and many still believe they will not be a target for cybercriminals now or in the future. In reality, small businesses are a direct target for business email compromise and ransomware attacks, especially those that are part of the supply chain for larger organizations. Small businesses also suffer disproportionately from successful attacks compared with larger companies, and are far less able to recover from them.

The act only requires NIST to make resources available: guidelines, methodologies, and other information. Small businesses can still be left vulnerable if they lack an easy way to track, measure, and manage the best practices of the NIST Cybersecurity Framework.

Larger organizations are starting to insist that smaller companies that sell to them or partner with them demonstrate adequate compliance with the NIST Cybersecurity Framework. The CyberStrong Platform enables rapid NIST implementation that is simple enough for small businesses, supply-chain partners, and less technical teams to manage without wasting time and resources. Larger companies with extensive supply chains also use CyberStrong in-house to scale the NIST CSF, ISO, GDPR, DFARS, and the many other frameworks they need across locations, applications, and vendors.
