President Donald Trump has signed the NIST Small Business Cybersecurity Act into law, requiring the National Institute of Standards and Technology to provide cyber-security resources to small and medium businesses.
In this case, “resources” means guidelines, tools, best practices, standards, methodologies and other information designed to help SMBs. The law also requires the director of NIST to address small business concerns when putting together guidance and security requirements.
The law, which passed unanimously in the U.S. Senate before being signed by the president, is notable in that it delineates how information is to be made available to businesses and specifies what sort of information must be provided.
In this case, the requirement is that information is placed on agency websites and that it be kept updated. The law also requires the NIST director and heads of other agencies that get involved to ensure that “the information they respectively make prominently available is consistent, clear, and concise.”
The information that NIST must provide includes resources that apply to small businesses, keeping in mind the type of data such businesses typically handle. In addition, NIST is required to help SMBs with simple, basic controls and workplace cyber-security culture, as well as with mitigating common cyber-security risks. The law also requires that the recommendations be technology-neutral and that they can be implemented using commercial off-the-shelf solutions based on international standards.
So NIST is being asked to do a lot. But what’s important is that the law directs NIST to provide resources to small businesses that they can actually use, keeping in mind that they may have neither the financial resources nor the skills on hand to manage security to the level available to a large enterprise.
In addition, the law requires that commercial, off-the-shelf security technology be identified and, where possible, provided. This gets past a major sticking point with NIST security guidance in the past, in which the tools and methods were frequently beyond the capability of smaller businesses that could not afford a full-time cyber-security team and didn’t have the skills to develop in-house security tools.
The law gives the director of NIST one year from the date of the signing to implement the changes it requires.
It’s unclear exactly what this might mean to your business. The administration has taken an inconsistent approach to cyber-security in general as well as to smaller businesses.
For example, the post of the national director of cyber-security has been eliminated, and there’s been an exodus of cyber-security professionals from the administration since then.
On the other hand, the Department of Homeland Security has been pressing security awareness hard. One reason the impact is unclear is that NIST is part of the Department of Commerce, which is not in the main line of responsibility for cyber-security.
On the other hand, NIST is responsible for creating and maintaining security standards for the entire U.S. government, and it’s the agency that creates the Federal Information Processing Standards.
What’s probably going to happen is that NIST will start publishing a series of guidelines and other publications intended to help SMBs deal with cyber-security. In the past, those NIST publications have generally been well-thought-out and well targeted, so there’s no reason to think this will change.
Because Congress directed NIST and other agencies involved in this process to put the information on their websites, that’s where most of those guidelines will appear. Beyond that, NIST can be expected to publish some best practices designed specifically for SMBs, meaning that they won’t require resources that are beyond the limited capabilities of such businesses.
The fact that Congress directed NIST to consider commercial off-the-shelf products and approaches in their recommendations for SMBs may mean that NIST will create some sort of program for listing products and services that are compliant with NIST small business security standards.
Whether this will mean that NIST will set up some sort of testing program to ensure compliance is unclear, but since that’s not specifically required in the law, you can hope that such testing will be done by independent technology media and analysts rather than expect a government agency to do it.
It would be easy to dismiss this new law as little more than an empty gesture, but in reality, it’s more than that. The law recognizes that SMBs are prime targets for cyber-attacks precisely because of the factors that the law addresses.
Hackers assume they can penetrate an SMB’s network more easily than a large enterprise, so they attack the small businesses first. This tactic has proven to be effective, so anything the government can do to harden those defenses is good.
But it’s worth noting that the bill allocates no money for this, so while NIST will do what it can within its existing budget, you probably won’t see a major program roll-out, which is too bad, because that’s what’s actually needed.