[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 770 Reported in Senate (RS)]

                                                       Calendar No. 217
115th CONGRESS
  1st Session
                                 S. 770

                          [Report No. 115-153]

  To require the Director of the National Institute of Standards and 
   Technology to disseminate resources to help reduce small business 
              cybersecurity risks, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 29, 2017

   Mr. Schatz (for himself, Mr. Risch, Mr. Thune, Ms. Cantwell, Mr. 
Nelson, Mr. Gardner, Ms. Cortez Masto, Ms. Hassan, Mrs. McCaskill, and 
 Mrs. Gillibrand) introduced the following bill; which was read twice 
 and referred to the Committee on Commerce, Science, and Transportation

                           September 11, 2017

                Reported by Mr. Thune, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
  To require the Director of the National Institute of Standards and 
   Technology to disseminate resources to help reduce small business 
              cybersecurity risks, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Making Available 
Information Now to Strengthen Trust and Resilience and Enhance 
Enterprise Technology Cybersecurity Act of 2017'' or the ``MAIN STREET 
Cybersecurity Act of 2017''.</DELETED>

<DELETED>SEC. 2. FINDINGS.</DELETED>

<DELETED>    Congress makes the following findings:</DELETED>
        <DELETED>    (1) Small businesses play a vital role in the 
        economy of the United States, accounting for 54 percent of all 
        United States sales and 55 percent of jobs in the United 
        States.</DELETED>
        <DELETED>    (2) Attacks targeting small and medium businesses 
        account for a high percentage of cyberattacks in the United 
        States. Sixty percent of small businesses that suffer a 
        cyberattack are out of business within 6 months, according to 
        the National Cyber Security Alliance.</DELETED>
        <DELETED>    (3) The Cybersecurity Enhancement Act of 2014 (15 
        U.S.C. 7421 et seq.) calls on the National Institute of 
        Standards and Technology to facilitate and support a voluntary 
        public-private partnership to reduce cybersecurity risks to 
        critical infrastructure. Such a partnership continues to play a 
        key role in improving the cyber resilience of the United States 
        and making cyberspace safer.</DELETED>
        <DELETED>    (4) There is a need to develop simplified 
        resources that are consistent with the partnership described in 
        paragraph (3) that improves its use by small 
        businesses.</DELETED>

<DELETED>SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Director.--The term ``Director'' means the 
        Director of the National Institute of Standards and 
        Technology.</DELETED>
        <DELETED>    (2) Resources.--The term ``resources'' means 
        guidelines, tools, best practices, standards, methodologies, 
        and other ways of providing information.</DELETED>
        <DELETED>    (3) Small business concern.--The term ``small 
        business concern'' has the meaning given such term in section 3 
        of the Small Business Act (15 U.S.C. 632).</DELETED>
<DELETED>    (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
the National Institute of Standards and Technology Act (15 U.S.C. 
272(e)(1)(A)) is amended--</DELETED>
        <DELETED>    (1) in clause (vii), by striking ``and'' at the 
        end;</DELETED>
        <DELETED>    (2) by redesignating clause (viii) as clause (ix); 
        and</DELETED>
        <DELETED>    (3) by inserting after clause (vii) the 
        following:</DELETED>
                        <DELETED>    ``(viii) consider small business 
                        concerns (as defined in section 3 of the Small 
                        Business Act (15 U.S.C. 632)); and''.</DELETED>
<DELETED>    (c) Dissemination of Resources for Small Businesses.--
</DELETED>
        <DELETED>    (1) In general.--Not later than one year after the 
        date of the enactment of this Act, the Director, in carrying 
        out section 2(e)(1)(A)(viii) of the National Institute of 
        Standards and Technology Act, as added by subsection (b) of 
        this Act, in consultation with the heads of such other Federal 
        agencies as the Director considers appropriate, shall 
        disseminate clear and concise resources for small business 
        concerns to help reduce their cybersecurity risks.</DELETED>
        <DELETED>    (2) Requirements.--The Director shall ensure that 
        the resources disseminated pursuant to paragraph (1)--
        </DELETED>
                <DELETED>    (A) are effective and usable by small 
                business concerns;</DELETED>
                <DELETED>    (B) vary with the nature and size of the 
                implementing small business concern, and the nature and 
                sensitivity of the data collected or stored on the 
                information systems or devices of the implementing 
                small business concern;</DELETED>
                <DELETED>    (C) include elements, such as simple, 
                basic controls, to assist small business concerns in 
                defending against common cybersecurity risks;</DELETED>
                <DELETED>    (D) are technology-neutral and can be 
                implemented using technologies that are commercial and 
                off-the-shelf; and</DELETED>
                <DELETED>    (E) are based on international standards 
                to the extent possible, and are consistent with the 
                Stevenson-Wydler Technology Innovation Act of 1980 (15 
                U.S.C. 3701 et seq.).</DELETED>
        <DELETED>    (3) National cybersecurity awareness and education 
        program.--The Director shall ensure that the resources 
        disseminated under paragraph (1) are consistent with the 
        efforts of the Director under section 401 of the Cybersecurity 
        Enhancement Act of 2014 (15 U.S.C. 7451).</DELETED>
        <DELETED>    (4) Small business development center cyber 
        strategy.--In carrying out paragraph (1), the Director, to the 
        extent practicable, shall consider any methods included in the 
        Small Business Development Center Cyber Strategy developed 
        under section 1841(a)(3)(B) of the National Defense 
        Authorization Act for Fiscal Year 2017 (Public Law 114-
        328).</DELETED>
        <DELETED>    (5) Voluntary resources.--The use of the resources 
        disseminated under paragraph (1) shall be considered 
        voluntary.</DELETED>
        <DELETED>    (6) Updates.--The Director shall review and, if 
        necessary, update the resources disseminated under paragraph 
        (1).</DELETED>
        <DELETED>    (7) Public availability.--The Director and such 
        heads of other Federal agencies as the Director considers 
        appropriate shall each make prominently available to the public 
        on the Director's or head's Internet website, as the case may 
        be, information about the resources disseminated under 
        paragraph (1). The Director and the heads shall each ensure 
        that the information they respectively make prominently 
        available is consistent, clear, and concise.</DELETED>
<DELETED>    (d) Consistency of Resources Published by Federal 
Agencies.--If a Federal agency publishes resources to help small 
business concerns reduce their cybersecurity risks, the head of such 
Federal agency, to the degree practicable, shall make such resources 
consistent with the resources disseminated under subsection 
(c)(1).</DELETED>
<DELETED>    (e) Other Federal Cybersecurity Requirements.--Nothing in 
this section may be construed to supersede, alter, or otherwise affect 
any cybersecurity requirements applicable to Federal 
agencies.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Making Available Information Now to 
Strengthen Trust and Resilience and Enhance Enterprise Technology 
Cybersecurity Act of 2017'' or the ``MAIN STREET Cybersecurity Act of 
2017''.

SEC. 2. FINDINGS.

    Congress makes the following findings:
            (1) Small businesses play a vital role in the economy of 
        the United States, accounting for 54 percent of all United 
        States sales and 55 percent of jobs in the United States.
            (2) Attacks targeting small and medium businesses account 
        for a high percentage of cyberattacks in the United States. 
        Sixty percent of small businesses that suffer a cyberattack are 
        out of business within 6 months, according to the National 
        Cyber Security Alliance.
            (3) The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
        7421 et seq.) calls on the National Institute of Standards and 
        Technology to facilitate and support a voluntary public-private 
        partnership to reduce cybersecurity risks to critical 
        infrastructure. Such a partnership continues to play a key role 
        in improving the cyber resilience of the United States and 
        making cyberspace safer.
            (4) There is a need to develop simplified resources that 
        are consistent with the partnership described in paragraph (3) 
        that improves its use by small businesses.

SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

    (a) Definitions.--In this section:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Resources.--The term ``resources'' means guidelines, 
        tools, best practices, standards, methodologies, and other ways 
        of providing information.
            (3) Small business concern.--The term ``small business 
        concern'' has the meaning given such term in section 3 of the 
        Small Business Act (15 U.S.C. 632).
    (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of the 
National Institute of Standards and Technology Act (15 U.S.C. 
272(e)(1)(A)) is amended--
            (1) in clause (vii), by striking ``and'' at the end;
            (2) by redesignating clause (viii) as clause (ix); and
            (3) by inserting after clause (vii) the following:
                            ``(viii) consider small business concerns 
                        (as defined in section 3 of the Small Business 
                        Act (15 U.S.C. 632)); and''.
    (c) Dissemination of Resources for Small Businesses.--
            (1) In general.--Not later than one year after the date of 
        the enactment of this Act, the Director, in carrying out 
        section 2(e)(1)(A)(viii) of the National Institute of Standards 
        and Technology Act, as added by subsection (b) of this Act, in 
        consultation with the heads of such other Federal agencies as 
        the Director considers appropriate, shall disseminate clear and 
        concise resources for small business concerns to help reduce 
        their cybersecurity risks.
            (2) Requirements.--The Director shall ensure that the 
        resources disseminated pursuant to paragraph (1)--
                    (A) are generally applicable and usable by a wide 
                range of small business concerns;
                    (B) vary with the nature and size of the 
                implementing small business concern, and the nature and 
                sensitivity of the data collected or stored on the 
                information systems or devices of the implementing 
                small business concern;
                    (C) include elements that promote awareness of 
                simple, basic controls, a workplace cybersecurity 
                culture, and third party stakeholder relationships, to 
                assist small business concerns in mitigating common 
                cybersecurity risks;
                    (D) are technology-neutral and can be implemented 
                using technologies that are commercial and off-the-
                shelf; and
                    (E) are based on international standards to the 
                extent possible, and are consistent with the Stevenson-
                Wydler Technology Innovation Act of 1980 (15 U.S.C. 
                3701 et seq.).
            (3) National cybersecurity awareness and education 
        program.--The Director shall ensure that the resources 
        disseminated under paragraph (1) are consistent with the 
        efforts of the Director under section 401 of the Cybersecurity 
        Enhancement Act of 2014 (15 U.S.C. 7451).
            (4) Small business development center cyber strategy.--In 
        carrying out paragraph (1), the Director, to the extent 
        practicable, shall consider any methods included in the Small 
        Business Development Center Cyber Strategy developed under 
        section 1841(a)(3)(B) of the National Defense Authorization Act 
        for Fiscal Year 2017 (Public Law 114-328).
            (5) Voluntary resources.--The use of the resources 
        disseminated under paragraph (1) shall be considered voluntary.
            (6) Updates.--The Director shall review and, if necessary, 
        update the resources disseminated under paragraph (1) in 
        accordance with the requirements under paragraph (2).
            (7) Public availability.--The Director and such heads of 
        other Federal agencies as the Director considers appropriate 
        shall each make prominently available to the public on the 
        Director's or head's Internet website, as the case may be, 
        information about the resources and all updates to them 
        disseminated under paragraph (1). The Director and the heads 
        shall each ensure that the information they respectively make 
        prominently available is consistent, clear, and concise.
    (d) Consistency of Resources Published by Federal Agencies.--If a 
Federal agency publishes resources to help small business concerns 
reduce their cybersecurity risks, the head of such Federal agency, to 
the degree practicable, shall make such resources consistent with the 
resources disseminated under subsection (c)(1).
    (e) Other Federal Cybersecurity Requirements.--Nothing in this 
section may be construed to supersede, alter, or otherwise affect any 
cybersecurity requirements applicable to Federal agencies.