The U.S. Senate is poised to consider passage of the MAIN STREET Cybersecurity Act of 2017 to require the National Institute of Standards and Technology (NIST) to support better cybersecurity among small businesses, JD Supra reports.
Citing the National Cyber Security Alliance, the Act says that 60 percent of small businesses are put out of business within six months of a cyberattack, making their protection vital to the U.S. economy. The Committee on Commerce, Science, and Transportation approved the Act last month, and it would need to pass through both houses of Congress and be signed by the President to become law. Here are five things you need to know.
- NIST Guidance – The end result of the bill would be guidance resources, developed and distributed by NIST, to help small businesses guard against common cybersecurity threats. The guidance would be produced within a year, according to the original text of the Act, and promote “effective and usable” practices, based on international standards.
- Small Business Version of the CSF – NIST released the Framework for Improving Critical Infrastructure Cybersecurity, otherwise known as the Cybersecurity Framework (CSF), in 2014 to establish cybersecurity best practices at large organizations. A year ago, research by Tenable indicated that it had been adopted by 29 percent of U.S. organizations with over 100 employees, with another 14 percent planning to implement it in 2016, although many reported that it requires a high level of investment.
- Varying Criteria – The guidance is to vary based on the size and nature of the business, and the nature and sensitivity of the data it handles. Many small businesses dealing with sensitive information are already required to comply with regulations such as HIPAA and PCI, which would be unaffected.
- “Technology-neutral” – The practices suggested in the guidance are meant to be “implemented using technologies that are commercial and off-the-shelf.” The practices will also include “simple, basic controls.” Like the CSF, they will be suggested rather than required, meaning that, as Tenable found with the CSF, most adopting organizations will leave out implementations they consider too expensive.
- Almost Certain to Become Law – The Act has bipartisan sponsorship and support, and is consistent with the Small Business Development Cyber Strategy enacted in 2016. In a congressional session in which all sides are seeking to show progress, and against a backdrop of heightened concern about cybersecurity fueled by headline-grabbing hacking incidents, the MAIN STREET Cybersecurity Act of 2017 is legislative low-hanging fruit.