A year and nearly four months after the measure was introduced, the NIST Small Business Cybersecurity Act officially passed after President Donald Trump signed the legislation into law.
Originally proposed as H.R. 2105 in April 2017, the act was later absorbed into U.S. federal law S.770, and requires the director of the National Institute of Standards and Technology, within one year of the law’s passing, to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks.
S.770 also tasks NIST, a division of the U.S. Commerce Department, with considering the needs of small businesses when developing these recommendations, which among other key qualities should be widely applicable and technology-neutral and “include elements that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships.”
The legislation in its current form was introduced by Sen. Brian Schatz, D-Hawaii, along with Sen. James Risch, R-Idaho, and was sponsored by fellow lawmakers John Thune, R-S.D.; Maria Cantwell, D-Wash.; Bill Nelson, D-Fla.; Cory Gardner, R-Colo.; Catherine Cortez Masto, D-Nev.; Maggie Hassan, D-N.H.; Claire McCaskill, D-Mo.; and Kirsten Gillibrand, D-N.Y.
In a press release, Schatz, the lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, said that “As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers.”
“This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks,” Schatz continued.