On September 28, 2017, the US Senate passed the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017 (the “Act”). The purpose of the Act is to require the National Institute of Standards and Technology (“NIST”) to disseminate resources to help reduce small business cybersecurity risks.
The Act notes that small businesses play a vital role in the US economy, and that attacks targeting small and medium businesses account for a high percentage of cyberattacks in the United States. In discussing a voluntary public-private partnership facilitated by NIST under the Cybersecurity Enhancement Act of 2014, the Act states there is a need for simplified resources that would improve use of the public-private partnership by small businesses.
Specifically, the Act would require NIST, within one year of the Act’s enactment, to provide resources for small businesses to help reduce their cybersecurity risks. These resources would need to be clear and concise, and generally applicable and usable by a wide range of small businesses, taking into account variances in the nature and size of small businesses as well as the nature and sensitivity of relevant data. Furthermore, the Act would require, among other things, that NIST promote awareness of simple and basic controls and workplace cybersecurity culture, provide technology-neutral resources that can be implemented with commercially available off-the-shelf technologies, and provide resources that are based on international standards to the extent possible.
The Act’s text is available here. The House has yet to vote on a companion measure, the NIST Small Business Cybersecurity Act of 2017, which was introduced in the House on April 20, 2017.