Text of S. 770 (115th): NIST Small Business Cybersecurity Act (Passed Congress version)

On GovTrack Insider:

Congressional pay just reached its lowest inflation-adjusted level since 1955

If Sarah Palin wins her election to Alaska’s U.S. House seat this November, she will earn less money in Congress than she does recording… Jul 1, 2022

Fentanyl is a WMD Act would classify the synthetic opioid drug as a weapon of mass destruction

Nobody disputes that fentanyl is dangerous when misused and kills many Americans, but is it a “weapon of mass destruction,” exactly? Jun 30, 2022

One Hundred Fifteenth Congress of the United States of America

2d Session

Begun and held at the City of Washington on Wednesday, the third day of January, two thousand and eighteen

S. 770

IN THE SENATE OF THE UNITED STATES

AN ACT

To require the Director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks, and for other purposes.

This Act may be cited as the NIST Small Business Cybersecurity Act.

(a)

In this section:

(1)

The term Director means the Director of the National Institute of Standards and Technology.

(2)

The term resources means guidelines, tools, best practices, standards, methodologies, and other ways of providing information.

(3)

The term small business concern has the meaning given such term in section 3 of the Small Business Act (15 U.S.C. 632).

(b)

Section 2(e)(1)(A) of the National Institute of Standards and Technology Act (15 U.S.C. 272(e)(1)(A)) is amended—

(1)

in clause (vii), by striking and at the end;

(2)

by redesignating clause (viii) as clause (ix); and

(3)

by inserting after clause (vii) the following:

(viii)

consider small business concerns (as defined in section 3 of the Small Business Act (15 U.S.C. 632)); and

(c)

(1)

Not later than one year after the date of the enactment of this Act, the Director, in carrying out section 2(e)(1)(A)(viii) of the National Institute of Standards and Technology Act, as added by subsection (b) of this Act, in consultation with the heads of other appropriate Federal agencies, shall disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.

(2)

The Director shall ensure that the resources disseminated pursuant to paragraph (1)—

(A)

are generally applicable and usable by a wide range of small business concerns;

(B)

vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;

(C)

include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;

(D)

include case studies of practical application;

(E)

are technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and

(F)

are based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).

(3)

The Director shall ensure that the resources disseminated under paragraph (1) are consistent with the efforts of the Director under section 401 of the Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).

(4)

In carrying out paragraph (1), the Director, to the extent practicable, shall consider any methods included in the Small Business Development Center Cyber Strategy developed under section 1841(a)(3)(B) of the National Defense Authorization Act for Fiscal Year 2017 (Public Law 114–328).

(5)

The use of the resources disseminated under paragraph (1) shall be considered voluntary.

(6)

The Director shall review and, if necessary, update the resources disseminated under paragraph (1) in accordance with the requirements under paragraph (2).

(7)

The Director and the head of each Federal agency that so elects shall make prominently available on the respective agency’s public Internet website information about the resources and updates to the resources disseminated under paragraph (1). The Director and the heads shall each ensure that the information they respectively make prominently available is consistent, clear, and concise.

(d)

Nothing in this section may be construed to supersede, alter, or otherwise affect any cybersecurity requirements applicable to Federal agencies.

(e)

This Act shall be carried out using funds otherwise authorized to be appropriated or made available to the National Institute of Standards and Technology.

Speaker of the House of Representatives

Vice President of the United States and President of the Senate

S. 770 (115^th): NIST Small Business Cybersecurity Act

This bill has 5 versions. Select a version to view:

Compare to a previous version to see how the bill has changed:

Compare this bill to another bill:

React to this bill with an emoji

Save your opinion on this bill on a six-point scale from strongly oppose to strongly support

Primary Source

Widget for your website

Follow GovTrack on social media for more updates:

On GovTrack Insider:

S. 770 (115th): NIST Small Business Cybersecurity Act

This bill has 5 versions. Select a version to view: Mar 29, 2017: Introduced Sep 11, 2017: Reported by Senate Committee Sep 28, 2017: Passed the Senate Jul 25, 2018: Passed the House with an Amendment Aug 2, 2018: Passed Congress

Compare to a previous version to see how the bill has changed:

Compare this bill to another bill:

React to this bill with an emoji

Save your opinion on this bill on a six-point scale from strongly oppose to strongly support

Primary Source

Widget for your website

Follow GovTrack on social media for more updates:

On GovTrack Insider:

S. 770 (115^th): NIST Small Business Cybersecurity Act

This bill has 5 versions. Select a version to view: