NIST Small Business Cybersecurity Act Passed Into Law

U.S. President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday, August 14, 2018. It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks." This is a massive achievement, as many small businesses want to adopt it, they are having trouble doing so because of the complexity.

In an article in SecurityWeek, The resources that NIST will provide will be generally applicable to a wide range of small businesses and will vary with the nature and size of small businesses. They are supposed to promote cybersecurity awareness and workplace cybersecurity culture and will include practical application strategies for small organizations. The resources must be technology-neutral and as much as possible.

Strong Bi-Partisan Support

The bi-partisan act was authored by U.S. Senators Brian Schatz (D-Hawai'i) and James Risch (R-Idaho), co-sponsored by Senators John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.).

"As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyber attacks. But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," said Schatz, who is the lead Democrat on the Commerce Subcommittee on Communications Technology, Innovation, and the Internet. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."

Well-Received In The Security Industry

small business cybersecurity meeting

"Small businesses account for 99.7% (SBA) of employers in the United States and as many as 50% (CNBC) of those have experienced a cyber attack. Not surprising when you consider that websites are attacked as many as 50 times per day on average" says Jessica Ortega, a member of the SiteLock research team.

"The NIST Small Business Cybersecurity Act aims to provide cyberdefense resources for small businesses by creating a set of guidelines for basic security measures that should be easy to follow and implement affordable", she says, "It also creates guidelines for making security best practices a required component of corporate training and workplace culture, something that is very needed as cyber threats continue to evolve."

Small businesses and many large organizations struggle to comply with the existing NIST Security Framework. Some are saying that this change aided by government sets the stage for greater compliance and readiness from smaller organizations, especially those who have thought that NIST compliance was too costly, complex, or time-consuming to achieve.

Still, small organizations can't afford extensive cybersecurity resources in-house, and many still believe they will not be a target for cybercriminals now or in the future. Small businesses are a direct target for business email compromise and ransomware attacks, especially those who are part of the supply chain for larger organizations. In fact, small businesses suffer more from successful attacks than larger companies. They are also able to recover much less.

The act only requires NIST to make resources, or guidelines, methodologies, and other information. Small businesses can still risk falling vulnerable if they don't have an easy way to track, measure, and manage the best practices of the NIST Cybersecurity Framework.

Larger organizations are starting to insist that smaller companies who sell to them or partner with them show adequate compliance with the NIST Cybersecurity Framework. The CyberStrong Platform enables rapid NIST implementation that is so easy, small businesses, supply chains, and less technical teams can manage it without wasting time and resources. Larger companies with massive supply chains also use CyberStrong in-house to scale up the NIST CSF, ISO, GDPR, DFARS, and many other frameworks that they need across locations, applications, and vendors.