The NIST Small Business Cybersecurity Act of 2018, Pub. L. No. 115-236, was signed into law on August 14, 2018, by President Trump.
Section 2 of the NIST Small Business Cybersecurity Act (NIST SBCA) amends Section 2(e)(1)(A) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)(1)(A)) to require the National Institute of Standards and Technology (NIST) to incorporate the needs of small businesses when it provides support for promulgation of voluntary industry guidelines to reduce cyber risks to infrastructure.
NIST, in consultation with other federal agencies, shall publish on its website resources that small businesses may use to assist in managing and reducing cybersecurity risks.
(c)(2) The Director shall ensure that the resources disseminated:
(A) are generally applicable and usable by a wide range of small business concerns;
(B) vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
(C) include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
(D) include case studies of practical application;
(E) are technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
(F) are based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
(c)(3) NATIONAL CYBERSECURITY AWARENESS AND EDUCATION PROGRAM.—The Director shall ensure that the resources disseminated under paragraph (1) are consistent with the efforts of the Director under section 401 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
(c)(4) SMALL BUSINESS DEVELOPMENT CENTER CYBER STRATEGY.—In carrying out paragraph (1), the Director, to the extent practicable, shall consider any methods included in the Small Business Development Center Cyber Strategy developed under section 1841(a)(3)(B) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328).
(c)(5) VOLUNTARY RESOURCES.—The use of the resources disseminated under paragraph (1) shall be considered voluntary.
Other federal agencies may elect to publish the resources on their own websites.
Action Cyber Times™ © 2018 All Rights Reserved.