By Sati Harutyunyan
The full Senate will consider a bill that seeks to equip small businesses with resources to shield against and manage cybersecurity risks, following the Senate Commerce Committee’s passage of the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (“Main Street”) Cybersecurity Act on April 5, 2017. The crux of the bill is a requirement that the National Institute of Standards and Technology (NIST) provide resources to small business wishing to implement the voluntary NIST Cybersecurity Framework. The term “resources” refers to guidelines, tools, best practices, standards, methodologies, and other ways of providing information, and does not indicate financial contributions. S. 770, 115th Cong. § 3(a)(2) (2017).
The bill proposes that that NIST must, under the Cybersecurity Enhancement Act of 2014, facilitate and support a voluntary public-private partnership that is crucial to reducing cybersecurity risk and making U.S. cyberspace safer. Id. at § 2. In an apparent effort to promote that partnership, the bill requires NIST to consult with heads of federal agencies and disseminate clear and concise resources for small businesses to help reduce their cybersecurity risks. Id. at § 3(c)(1) (2017). In designing the resources, NIST must tailor them to fit the nature and size of the small business implementing the Cybersecurity Framework. Id. at § 3 (c)(2)(B) (2017). Moreover, NIST must ensure that all resources are technologically neutral and implementable using commercial and off-the-shelf technologies. Id. at § 3 (c)(2)(D) (2017). Finally, the bill clarifies that the use of the disseminated resources by small businesses is to be voluntary. Essentially, the bill is designed to help small businesses help themselves, and to ensure that the NIST Framework evolves to incorporate the needs of small businesses. Previous cybersecurity legislation (including the Cybersecurity Act of 2015) have focused on owners and operators of critical infrastructure industries, given their heightened obligations for security. This bill’s focus on small business demonstrates that cybersecurity should be a priority for all companies, and that there should be improved ways to assist small businesses in increasing their own cybersecurity.
A date for full consideration has not yet been scheduled.