House Committee Passes NIST Small Business Cybersecurity Act

The NIST Small Business Cybersecurity Act hopes to guide smaller entities on identifying, assessing, managing, and reducing their cybersecurity risk.

By Elizabeth Snell

The US House Committee on Science, Space, and Technology passed the NIST Small Business Cybersecurity Act of 2017 earlier this week in an effort to ensure that small businesses are given the resources they need to reduce their risk of cybersecurity incidents.

NIST “shall disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks,” according to H.R. 2105, which is also the House companion bill to S.770.

Within one year, the NIST director will also need to collaborate with other federal agency leaders to “disseminate clear and concise guidelines, tools, best practices, standards and methodologies, based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, to help small businesses identify, assess, manage, and reduce their cybersecurity risks.”

The Act also maintains that it is voluntary for small businesses to use such guidance, and that funds to carry out the legislation are authorized out of existing spending.

The NIST director and other federal agency leaders will also need to make the guidance available on their websites, according to the bill.

“The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7421 et seq.) calls on NIST to facilitate and support a voluntary public-private partnership to reduce cybersecurity risks to critical infrastructure, including that of medium and small businesses,” the House committee explained on its website.

Furthermore, small businesses are a vital part of the national economy. These organizations account for approximately half of US sales – 54 percent – and 55 percent of the nation’s jobs.

Small businesses are also increasingly the target of cybersecurity attacks, the House committee stated, with 60 percent of the small businesses that experience a cyberattack forced to close within six months.

“The NIST Small Business Cybersecurity Act will help ensure that our small businesses have the information they need to protect themselves from cyber-attacks,” explained Committee Chairman Lamar Smith. “Many small businesses lack the expertise to successfully monitor and protect their computer systems, but NIST’s global cybersecurity expertise will assist small businesses in reducing their cybersecurity risks.”

Rep. Daniel Webster introduced the bill and reiterated that small businesses are especially vulnerable to cyber-attacks and are often top targets.

“This bill will provide small businesses in my district, state, and across the country with the tools they need to meet the threats and challenges of the modern world,” Webster said in a statement.

NIST also made strides toward improving small business approaches to cybersecurity with its Small Business Information Security: The Fundamentals guide released toward the end of 2016.

The guide was meant to help companies that believe cybersecurity is too expensive or too difficult. NIST used its own Framework for Improving Critical Infrastructure Cybersecurity as a template. The Framework supplies strong processes and tools that “provide key standards and best practices developed over decades by the federal government and industry,” the agency explained.

“Businesses of all sizes face potential risks when operating online and therefore need to consider their cybersecurity,” explained lead author Pat Toth, who also leads NIST outreach efforts to small businesses. “Small businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.”

The guide from 2016 also describes how an information security program can be implemented in small businesses, along with discussing key actions to develop or improve information security and cybersecurity.

Organizations can also learn how to identify “key practices directed towards users that organizations can implement immediately and that will protect their system and information.”

“It is not possible for any business to be completely secure,” the guide stated. “Nevertheless, it is possible—and reasonable—to implement a program that balances security with the needs and capabilities of your business.”
