WASHINGTON - The U.S. House Committee on Science, Space, and Technology today unanimously approved H.R. 2105, the “NIST Small Business Cybersecurity Act of 2017,” introduced by Rep. Daniel Webster (R-Fla.). This bill calls on the National Institute of Standards and Technology (NIST) to provide small businesses with guidance to help them identify, assess, manage, and reduce their cybersecurity risks. Chairman Lamar Smith (R-Texas) and Rep. Webster praised the bill’s passage:
Chairman Smith: “The NIST Small Business Cybersecurity Act will help ensure that our small businesses have the information they need to protect themselves from cyber-attacks. Many small businesses lack the expertise to successfully monitor and protect their computer systems, but NIST’s global cybersecurity expertise will assist small businesses in reducing their cybersecurity risks.
“We must ensure that small businesses, which employ nearly four and a half million workers in my home state and countless more across the country, have the tools they need to secure their systems and confidential information. I thank Congressman Webster for his leadership on this important issue and look forward to putting this bill on the president’s desk soon.”
Rep. Webster: “America’s small businesses are the backbone of our economy. They account for fifty-four percent of all sales in the United States, provide more than half of all American jobs, and are a critical part of the job market in my district and my home state of Florida. Unfortunately, small businesses are especially vulnerable, with some reports noting that 43 percent of cyber-attacks specifically target them. This bill will provide small businesses in my district, state, and across the country with the tools they need to meet the threats and challenges of the modern world.”
On Feb. 14, the Research and Technology Subcommittee held a hearing titled “Strengthening U.S. Cybersecurity Capabilities.” Witness testimony included a review and discussion of recommendations provided by two recent reports, including the Report on Securing and Growing the Digital Economy, published by the Commission on Enhancing National Cybersecurity in December 2016. The Commission’s report specifically recommends that a presidential administration “develop concrete efforts to support and strengthen the cybersecurity of small and medium-sized businesses.” The report further notes that for some small businesses, “the security of their information, systems, and networks either is not their highest priority or is something they do not have the resources to address.”
The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7421 et seq.) calls on NIST to facilitate and support a voluntary public-private partnership to reduce cybersecurity risks to critical infrastructure, including that of medium and small businesses.
Small businesses play a vital role in the economy of the United States, accounting for 54 percent of all U.S. sales and 55 percent of U.S. jobs. They are also a major target of cyberattacks, which are particularly harmful to them as 60 percent of small businesses that suffer a cyberattack are out of business within six months.
H.R. 2105 is the House companion bill to S.770, which was favorably reported by the Senate Commerce, Science, and Transportation Committee on April 5.
The NIST Small Business Cybersecurity Act of 2017:
- directs the NIST Director, in consultation with heads of other federal agencies, to disseminate clear and concise guidelines, tools, best practices, standards and methodologies, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, to help small businesses identify, assess, manage, and reduce their cybersecurity risks, within a year of the Act’s enactment;
- clarifies that use of such guidance by small businesses is voluntary;
- directs the NIST director and heads of federal agencies that so elect to make the guidance available on their government websites; and
- specifies that funds to carry out this act are authorized out of existing spending.
Text of the bill can be found here.