[Congressional Record Volume 163, Number 163 (Wednesday, October 11, 2017)]
[House]
[Pages H7936-H7939]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
NIST SMALL BUSINESS CYBERSECURITY ACT
Mr. WEBSTER of Florida. Mr. Speaker, I move to suspend the rules and
pass the bill (H.R. 2105) to require the Director of the National
Institute of Standards and Technology to disseminate guidance to help
reduce small business cybersecurity risks, and for other purposes, as
amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 2105
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``NIST Small Business
Cybersecurity Act''.
SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.
(a) Definitions.--In this section:
(1) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(2) Resources.--The term ``resources'' means guidelines,
tools, best practices, standards, methodologies, and other
ways of providing information.
(3) Small business concern.--The term ``small business
concern'' has the meaning given such term in section 3 of the
Small Business Act (15 U.S.C. 632).
(b) Small Business Cybersecurity.--Section 2(e)(1)(A) of
the National Institute of Standards and Technology Act (15
U.S.C. 272(e)(1)(A)) is amended--
(1) in clause (vii), by striking ``and'' at the end;
(2) by redesignating clause (viii) as clause (ix); and
(3) by inserting after clause (vii) the following:
``(viii) consider small business concerns (as defined in
section 3 of the Small Business Act (15 U.S.C. 632)); and''.
(c) Dissemination of Resources for Small Businesses.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, the Director, in carrying out
section 2(e)(1)(A)(viii) of the National Institute of
Standards and Technology Act, as added by subsection (b) of
this Act, in consultation with the heads of other appropriate
Federal agencies, shall disseminate clear and concise
resources to help small business concerns identify, assess,
manage, and reduce their cybersecurity risks.
(2) Requirements.--The Director shall ensure that the
resources disseminated pursuant to paragraph (1)--
(A) are generally applicable and usable by a wide range of
small business concerns;
(B) vary with the nature and size of the implementing small
business concern, and the nature and sensitivity of the data
collected or stored on the information systems or devices of
the implementing small business concern;
(C) include elements, that promote awareness of simple,
basic controls, a workplace, cybersecurity culture, and
third-party stake-holder relationships, to assist small
business concerns in mitigating common cybersecurity risks;
(D) include case studies of practical application;
(E) are technology-neutral and can be implemented using
technologies that are commercial and off-the-shelf; and
(F) are based on international standards to the extent
possible, and are consistent with the Stevenson-Wydler
Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
(3) National cybersecurity awareness and education
program.--The Director shall ensure that the resources
disseminated under paragraph (1) are consistent with the
efforts of the Director under section 401 of the
Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
(4) Small business development center cyber strategy.--In
carrying out paragraph (1), the Director, to the extent
practicable, shall consider any methods included in the Small
Business Development Center Cyber Strategy developed under
section 1841(a)(3)(B) of the National Defense Authorization
Act for Fiscal Year 2017 (Public Law 114-328).
(5) Voluntary resources.--The use of the resources
disseminated under paragraph (1) shall be considered
voluntary.
(6) Updates.--The Director shall review and, if necessary,
update the resources disseminated under paragraph (1) in
accordance with the requirements under paragraph (2).
(7) Public availability.--The Director and the head of each
Federal agency that so elects shall make prominently
available on the respective agency's public Internet website
information about the resources and updates to the resources
disseminated under paragraph (1). The Director and the heads
shall each ensure that the information they respectively make
prominently available is consistent, clear, and concise.
(d) Other Federal Cybersecurity Requirements.--Nothing in
this section may be construed to supersede, alter, or
otherwise affect any cybersecurity requirements applicable to
Federal agencies.
(e) Funding.--This Act shall be carried out using funds
otherwise authorized to be appropriated or made available to
the National Institute of Standards and Technology.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Florida (Mr. Webster) and the gentleman from Illinois (Mr. Lipinski)
each will control 20 minutes.
The Chair recognizes the gentleman from Florida.
General Leave
Mr. WEBSTER of Florida. Mr. Speaker, I ask unanimous consent that all
Members have 5 legislative days to revise and extend their remarks and
include any extraneous material on H.R. 2105.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Florida?
There was no objection.
Mr. WEBSTER of Florida. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I thank the leadership for giving us this time to debate
this important bill. It is especially timely as October is National
Cyber Security Awareness Month, so taking up this bill at this time is
a perfect time. We must come together to protect all businesses--large,
small, and medium--from the constant threat of cyber attacks.
America's small businesses are the backbone of our economy,
accounting for 54 percent of all American sales and 55 percent of
American jobs. Unfortunately, small businesses are especially
vulnerable, with some reports noting that 43 percent of cyber attacks
specifically target them. These small businesses are more susceptible
to attacks due to the limited access to the tools they need to prepare
for such an event. Implementation of the NIST Framework into these
small businesses will protect small business owners, their employees,
and their customer base all while contributing positively to the
economy.
H.R. 2105, the National Institute of Standards and Technology Small
Business Cybersecurity Act, will help small businesses better address
their cybersecurity risks to help them survive and thrive in the face
of such adversity.
As an owner of a multigenerational family air-conditioning and
heating business, I understand firsthand the importance of equipping
and empowering small businesses to tackle these challenges so that they
can grow and prosper.
About 10 months ago, my sons called me and said that there was a
message on the screen of one of our computers that said: ``Your data
has been frozen. You have been attacked.'' It had a little clock on
there ticking down. ``If you don't pay a ransom by a certain time, then
we will destroy your data. It is inaccessible.''
Well, there was something we had done, fortunately--not that we do
every day, but we had done several days before--which protected us from
that. We were able to fix our problem and wipe it clean and get started
all over. But most small businesses may or may not--including
ourselves--have done that just a few days before.
Thus, I introduced H.R. 2105 with the support and cosponsorship of
many of my colleagues on the committee, including Chairman Smith,
Chairwoman Comstock, and Ranking Member Lipinski.
H.R. 2105 would provide small businesses in my district, State, and
across the country with the tools they need to meet the threats and
challenges of the modern world.
This bill describes the vital role played by small businesses in the
U.S. economy, the devastating impact of cyber attacks on a majority of
small businesses and large businesses and what they need to develop to
specifically help themselves.
It directs the NIST Director--within a year of the act's enactment--
to disseminate clear and concise resources, which are defined as
guidelines, tools, best practices, standards, methodologies, and other
ways of providing this information.
Dissemination would be in consultation with heads of other Federal
agencies. These resources--based on the NIST Framework for Improving
Critical Infrastructure Cybersecurity--will help small businesses
identify, assess, manage, and reduce their cybersecurity risks.
{time} 1400
H.R. 2105 also clarifies that use of the resources by small
businesses is voluntary, directs the NIST Director and heads of Federal
agencies that so elect to make the resources available on their
government websites, and specifies that no new funds are authorized to
carry out this act.
This bill is very similar to S. 770, the MAIN STREET Cybersecurity
Act, which is supported by the National Small Business Association,
National Restaurant Association, U.S. Chamber of Commerce, and the
International TechneGroup. The Chamber and International TechneGroup
have also come out in support of H.R. 2105.
On September 28, 2017, the Senate passed S. 770 by unanimous consent,
and I ask my colleagues to similarly support H.R. 2105.
Mr. Speaker, I reserve the balance of my time.
Mr. LIPINSKI. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 2105, the NIST Small Business
Cybersecurity Act of 2017, a bipartisan effort to help small businesses
implement the NIST Cybersecurity Framework for Critical Infrastructure.
I thank Mr. Webster for his work on the bill and all of my colleagues
on the Science, Space, and Technology Committee for their support of
the bill.
I would also like to thank Senator Schatz and my colleagues in the
Senate for working to pass the companion version over there, which I
hope that we can follow suit on here today.
The NIST cybersecurity framework provides valuable guidance on
cybersecurity best practices for organizations of all sizes, but small
businesses often don't have the time or resources to figure out how to
adapt it to their needs and implement it. This bill directs NIST to
create clear guidelines, tools, and best practices specifically for
small businesses so that they can protect their networked resources.
Most small businesses do not have significant IT departments. Some do
not even have any dedicated information security personnel. Thus, they
may be more at risk of cyber attack than large enterprises.
According to data released last month, 53 percent of American
businesses of all sizes suffered a cyber attack in the past year. Of
those, 72 percent spent more than $5,000 to investigate and recover. A
2016 report found that 42 percent of businesses suffered a cyber attack
of some kind.
Incidents like these do not only hurt individual small-business
owners, employees, and customers, they hurt American competitiveness.
In my district in the southwest suburbs of Chicago, there is a
fourth-generation family manufacturing business that has suffered
multiple sophisticated phishing attacks. The few times they have fallen
victim to these attacks, the costs have been significant. The owners
have told me that they would welcome guidance on affordable, off-the-
shelf resources to strengthen their cyber defenses and let them get
back to focusing on their business.
This is a story repeated across the country. That is why we must act,
and we must pass this bill for our small businesses. The guidelines
created under this bill, like the NIST framework, will be voluntary, so
we won't be adding to the regulatory burden on small businesses.
Instead, we will be offering them an opportunity to secure their
networks so that they can compete on a level playing field.
Mr. Speaker, I urge my colleagues to support this bill, and I reserve
the balance of my time.
Mr. WEBSTER of Florida. Mr. Speaker, I yield 2 minutes to the
gentleman from Florida (Mr. Dunn).
Mr. DUNN. Mr. Speaker, today I rise in support of H.R. 2105, the
National Institute of Standards and Technology Small Business
Cybersecurity Act. This bipartisan legislation instructs the Director
of NIST, in consultation with other Federal agencies, to disseminate
guidance to help small businesses identify, assess, manage, and reduce
their cybersecurity risks. As a small-business owner, I am honored to
be a cosponsor of this bill.
We know the importance of keeping all records safe and secure from
outside threats. With the recent hacking of Equifax and many others,
there is clearly a growing risk of online hacking and cyber warfare in
the world today. It is imperative that we ensure that the backbone of
our economy, our small- and medium-size businesses, have the resources
they need to stay safe.
I strongly believe that the businesses in Florida's Second District
would benefit from this vital information, which will help them keep
their data safe and secure. By increasing cybersecurity efforts, we are
protecting both small businesses and their millions of customers across
the country.
This bill doesn't cost the taxpayers anything, but it could
potentially save small-business owners and consumers both their privacy
and livelihoods.
Mr. LIPINSKI. Mr. Speaker, I yield such time as she may consume to
the gentlewoman from Texas (Ms. Eddie Bernice Johnson), the ranking
member of the Science, Space, and Technology Committee.
Ms. EDDIE BERNICE JOHNSON of Texas. Mr. Speaker, I rise in support of
H.R. 2105, the NIST Small Business Cybersecurity Act of 2017, which
directs the National Institute of Standards and Technology to provide
more guidance, resources, and tools to small businesses to improve
their cybersecurity and protect the personal information of their
customers.
According to the Small Business Administration, the 28 million small
businesses in America account for 54 percent of all U.S. sales and 55
percent of all U.S. jobs. Small businesses play a central role in our
economy.
Unfortunately, the information systems and networks of small
businesses are especially vulnerable to an increasing volume and
sophistication of cyber attacks. Small businesses rarely have employees
or leadership with education or training in cybersecurity. Further,
small businesses typically have limited resources to invest in
cybersecurity.
The National Institute of Standards and Technology, or NIST, is a
leader in developing standards and guidelines for cybersecurity in both
the public and private sectors. In 2009, NIST developed a guidance
document called, ``Small Business Information Security: The
Fundamentals.'' The document described the fundamentals of an effective
small-business information security program in nontechnical language.
In 2014, in response to an executive order from President Obama, NIST
published the Cybersecurity Framework for Critical Infrastructure. The
cybersecurity framework, as written, is most useful for larger
businesses with at least some cybersecurity expertise. Therefore, in
November 2016, NIST published an update of their small-business
guidance document using the framework as a template.
These are just two examples of how NIST has long privatized
supporting small-business efforts to strengthen cybersecurity. The
requirements of H.R. 2105 are consistent with these ongoing efforts and
help ensure that they will continue.
Ideally, H.R. 2105 would have also provided resources for NIST to
expand these activities because the need is very clear. We cannot
effectively support small business in this country unless we provide
the relevant government agencies the resources to help protect those
businesses from cyber threats.
Mr. Speaker, I support H.R. 2105, and I thank the sponsors, including
Mr. Webster, Mr. Lipinski, and Ms. Rosen, for their strong support for
small businesses and NIST's important role in cybersecurity. However, I
am concerned that the House bill contains an explicit unfunded mandate
clause and that the Senate passed a version that is silent in funding.
I hope Congress will provide NIST the adequate resources to fulfill the
mandates in this legislation.
Mr. Speaker, I urge passage of the bill.
Mr. WEBSTER of Florida. Mr. Speaker, I yield 4 minutes to the
gentleman from Texas (Mr. Smith), chairman of the committee.
Mr. SMITH of Texas. Mr. Speaker, I thank the gentleman from Florida
(Mr. Webster) for yielding me time and for introducing H.R. 2105, the
NIST Small Business Cybersecurity Act.
This important and timely bipartisan bill, cosponsored by 17 Members
of Congress and approved by the Science Committee by voice vote,
directs the National Institute of Standards and Technology to provide
small businesses with cybersecurity guidelines, tools, best practices,
standards, and methodologies necessary to better protect themselves
from cyber attacks.
Small businesses help produce a thriving economy that benefits our
entire country. They bring innovative ideas, cutting-edge products and
services, and jobs to the marketplace. In my home State, for example,
there are more than 2.4 million small businesses that employ almost 4.5
million Texans.
Major cyber attacks dominate news coverage, such as the Equifax or
Yahoo hacks that impacted millions and billions of people. But small
businesses, which often do not have sufficient information to
adequately monitor and protect their computer systems, are frequently
the target of cyber attacks, as well.
A 2016 Symantec report notes that cyber attacks against businesses
with fewer than 250 employees have grown from 18 percent in 2011 to 43
percent in 2015. This bill can help those businesses.
October is National Cybersecurity Awareness Month, so it is
appropriate that we consider a bill designed to help protect small
businesses from cybersecurity attacks. Today's legislation provides
small businesses with NIST expertise to reduce their cybersecurity
risk.
NIST experts developed a cybersecurity framework through
collaboration between the government and the private sector. This
framework is accepted and used by many private organizations to address
and manage their information technology vulnerabilities in a cost-
effective way.
The guidance described in this bill to help small businesses is based
on the NIST cybersecurity framework. H.R. 2105 prioritizes
dissemination of this guidance by NIST within its almost $1 billion
budget.
Mr. Speaker, I urge my colleagues to show their support for small
business by approving Mr. Webster's fiscally responsible, innovation
protection bill today.
Mr. LIPINSKI. Mr. Speaker, I have no further speakers, and I reserve
the balance of my time.
Mr. WEBSTER of Florida. Mr. Speaker, I yield 2 minutes to the
gentlewoman from Virginia (Mrs. Comstock), the chairwoman of the
subcommittee.
Mrs. COMSTOCK. Mr. Speaker, I rise in support of H.R. 2105.
When I travel around my district, which is rich with technology
workers, the thing that I hear repeated concern about is the increasing
need for individuals with the skill set, education, training, and
knowledge of cybersecurity matters.
With the recent events with Equifax, WannaCry, and OPM breaches, it
is clear that our cybersecurity infrastructure needs to be
strengthened.
In December 2016, the Commission on Enhancing National Cybersecurity
specifically recommended that the administration should ``develop
concrete efforts to support and strengthen the cybersecurity of small-
and medium-sized businesses.''
With small businesses accounting for most of the U.S. economy's jobs
and sales, it is imperative that we provide guidance to help them
identify, assess, manage, and reduce their cybersecurity risks. By
making these resources readily available to small businesses across the
country, this commonsense legislation will help them protect their
sensitive data and business from cyber threats so they can grow our
economy and provide more jobs instead.
I am proud to be an original cosponsor of this measure, the NIST
Small Business Cybersecurity Act, and I urge my colleagues to vote
``yes'' on its passage.
Mr. Speaker, I thank my colleague from Florida (Mr. Webster) for his
leadership on this legislation.
Mr. LIPINSKI. Mr. Speaker, I continue to reserve the balance of my
time.
Mr. WEBSTER of Florida. Mr. Speaker, I yield 1 minute to the
gentleman from South Carolina (Mr. Norman).
{time} 1415
Mr. NORMAN. Mr. Speaker, I rise today in support of H.R. 2105, the
National Institute of Standards and Technology Small Business
Cybersecurity Act. This bill directs the National Institute of
Standards and Technology to issue guidance for small businesses to use
voluntarily to assist them in identifying and assessing, managing, and
reducing the cybersecurity risk.
As has been said, small businesses in the U.S. account for 54 percent
of sales and 55 percent of U.S. jobs. However, a 2016 Symantec Internet
Security Threat Report indicated that businesses with less than 250
employees are facing increased cybersecurity threats, up from 18
percent in 2011 to 43 percent in 2015.
Mr. Speaker, I recently passed our real estate small business to my
son Warren, so I understand the importance of equipping small
businesses with the tools that will enable them to meet the emerging
challenges.
I urge passage of H.R. 2105, which will help prepare small businesses
in the future, and I urge my colleagues to pass it.
Mr. LIPINSKI. Mr. Speaker, I continue to reserve the balance of my
time.
Mr. WEBSTER of Florida. Mr. Speaker, I yield 1 minute to the
gentleman from Nebraska (Mr. Bacon).
Mr. BACON. Mr. Speaker, I rise in support of the National Institute
of Standards and Technology Small Business Cybersecurity Act, a bill
that I am proud to cosponsor. This legislation will help promote
stronger cybersecurity practices amongst our Nation's small businesses,
and it is fiscally responsible.
The well-being of our small businesses is important to the overall
health of our economy. According to the Small Business Administration,
small businesses account for 55 percent of total jobs in the United
States. In my home State of Nebraska, small businesses employed 390,000
people in 2016.
Some small businesses are not able to prioritize cybersecurity
efforts over other aspects of their business or they lack the resources
to secure their networks and systems. We must promote greater
preparedness to protect small businesses from cyber attacks.
H.R. 2105 directs NIST to disseminate guidance to help small
businesses identify, assess, manage, and reduce their cyber risks based
off NIST's extensive expertise. This is a big step towards promoting
better cybersecurity practices amongst our Nation's small businesses.
I urge my colleagues to support H.R. 2105.
Mr. LIPINSKI. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, we all have come down here and talked about the
importance of small business. We know how important small businesses
are to our country, the real engine of our economic growth.
We also know that, in most small businesses today, they don't have
the capabilities to have an IT department or the expertise that they
need to protect themselves from the continual cyber attacks, the theft
of data that we hear about. But those attacks and that theft of data
does not only happen for large companies; it is also a threat to small
businesses. Therefore, we need to do all that we can to make sure that
they are capable of protecting themselves so that our small businesses
can continue to thrive and be the economic engine that they are.
I urge my colleagues to support this bill. We get something good done
for our small businesses. I urge them to support this, and I yield back
the balance of my time.
Mr. WEBSTER of Florida. Mr. Speaker, I thank those from both sides--
Ranking Member Lipinski, Chairman Smith, and others--who have supported
this bill. It is a great idea. It is an opportunity to not only have
available for us, it has bipartisan support and also bicameral support.
This is a good opportunity to help all small businesses.
I know personally from my business and I know others who have small
businesses who know that there is, in a sense, very little help right
now for small businesses in this area of cybersecurity. The larger
businesses certainly have their own IT people; we don't. So I am
excited about the fact that this could happen, and I move passage.
Mr. Speaker, I yield back the balance of my time.
The SPEAKER pro tempore (Mr. Barton). The question is on the motion
offered by the gentleman from Florida (Mr. Webster) that the House
suspend the rules and pass the bill, H.R. 2105, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.