This week, the president signed into law the NIST Small Business Cybersecurity Act, S.770. This legislation was originally introduced as the Main Street Cybersecurity Act.
If you are not familiar with NIST, it is the National Institute of Standards and Technology. You can learn about NIST by visiting www.nist.gov. NIST is part of the U.S. Department of Commerce and is one of the nation’s oldest physical science labs, having been established in 1901. I encourage you to visit its About page at www.nist.gov/about-nist and watch the quick video there, which gives a great history of the organization. For those who prefer to read, here is a concise summary that describes the mission:
“Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations – from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.”
With regard to this new law, I had hoped it would have more teeth and place actual cybersecurity requirements on small businesses. Unfortunately, it does not. This law mandates that a federal agency, in this case NIST, produce and disseminate educational materials to help small businesses improve their cybersecurity posture. While that is a good thing and a necessary step, the law lacks any mandate requiring those same businesses to actually comply with the recommendations.
In terms of what the law does provide, here are some of the details:
To require the director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks, and for other purposes.
Resources: The term “resources” means guidelines, tools, best practices, standards, methodologies and other ways of providing information.
Not later than one year after the date of the enactment of this act, the director, in carrying out section 2(e)(1)(A)(viii) of the NIST Act, as added by subsection (b) of this act, in consultation with the heads of other appropriate federal agencies, shall disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.
The director shall ensure the resources disseminated pursuant to paragraph (1) – (A) are generally applicable and usable by a wide range of small business concerns; (B) vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern; (C) include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks; (D) include case studies of practical application; (E) are technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and (F) are based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
These four points summarize this new law. As I said, this is a step in the right direction; unfortunately, it just lacks teeth. Many of the principles are ones that most small businesses already understand, and that most IT service firms are already providing to their clients. Certainly, a guiding framework at the national level will help increase awareness and understanding. It astounds me how large the knowledge gap around this topic remains to this day. Even simple password management is still a challenge for most small businesses.
As these resources become available over the next year, I will make an effort to point them out to all who will listen. I encourage you to make yourself aware of these resources, both to help educate your staff on cybersecurity issues and to help you maintain a proper security posture that lets you continue business as usual while increasing your level of protection. If you have any knowledge of current events, you understand how important this is.