WASHINGTON - U.S. Rep. Daniel Webster (R-Fla.) today led U.S. House Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) in introducing the NIST Small Business Cybersecurity Act of 2017 (H.R. 2105). This bipartisan bill is cosponsored by Research and Technology Subcommittee Ranking Member Daniel Lipinski (D-Ill.),  Chairman Lamar Smith (R-Texas),  Research and Technology Subcommittee Chairwoman Barbara Comstock (R-Va.), and Reps. Jacky Rosen (D-Nev.), Randy Hultgren (R-Ill.), Stephen Knight (R-Calif.), Darin LaHood (R-Ill.), Roger Marshall (R-Kan.), and Bill Posey (R-Fla.).

Chairman Smith: “This legislation is vital to ensuring our small businesses have the technical understanding they need to keep their confidential business and customer information secure. I’d like to thank Congressman Webster for his leadership on this important issue. Small businesses frequently don’t have the expertise to adequately monitor and protect their computer systems, making them especially susceptible to crippling cyber-attacks. The National Institute of Standards and Technology’s unique position as a global leader in cybersecurity knowledge and readiness provides the impetus for a public-private cybersecurity partnership to generate simplified guidance that small businesses can implement to increase their cyber resilience across the board.

“We must do everything we can to ensure our small businesses, which make up a substantial portion of our economy and employ almost four and a half million workers in my home state of Texas, have the necessary capabilities to protect themselves. I look forward to working with my colleagues to get this crucial legislation passed and sent to the president’s desk quickly.”

 Rep. Webster: “America’s small businesses are the backbone of our economy, accounting for more than half of all American jobs and a critical part of the job market in my district. As an owner of a multi-generational small business, I understand the importance of equipping and empowering small businesses to tackle challenges so they can grow and prosper. This bill will provide small businesses in my district, state and across the country with the tools they need to meet the threats and challenges of the modern world.”

Background

On Feb. 14, the Research and Technology Subcommittee held a hearing titled “Strengthening U.S. Cybersecurity Capabilities.” Witness testimony included a review and discussion of recommendations provided by two recent reports, including the Report on Securing and Growing the Digital Economy, published by the Commission on Enhancing National Cybersecurity in December 2016. The Commission’s report specifically recommends that a presidential administration “develop concrete efforts to support and strengthen the cybersecurity of small and medium-sized businesses.” The report further notes that for some small businesses, “the security of their information, systems, and networks either is not their highest priority or is something they do not have the resources to address.”

The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7421 et seq.) calls on NIST to facilitate and support a voluntary public-private partnership to reduce cybersecurity risks to critical infrastructure, including that of medium and small businesses.  

Small businesses play a vital role in the economy of the United States, accounting for 54 percent of all U.S. sales and 55 percent of U.S. jobs. They are also a major target of cyberattacks, which are particularly harmful to them as 60 percent of small businesses that suffer a cyberattack are out of business within six months.

H.R. 2105 is the House companion bill to S.770, which was favorably reported by the Senate Commerce, Science, and Transportation Committee on April 5.

The NIST Small Business Cybersecurity Act of 2017:

  • directs the NIST Director, in consultation with heads of other federal agencies, to disseminate clear and concise guidelines, tools, best practices, standards and methodologies, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, to help small businesses identify, assess, manage, and reduce their cybersecurity risks, within a year of the Act’s enactment;
  • clarifies that use of such guidance by small businesses is voluntary;
  • directs the NIST director and heads of federal agencies that so elect to make the guidance available on their government websites; and
  • specifies that funds to carry out this act are authorized out of existing spending.

Draft text of the bill can be found here.