[Congressional Record Volume 164, Number 125 (Wednesday, July 25, 2018)]
[House]
[Pages H7201-H7202]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
MAKING AVAILABLE INFORMATION NOW TO STRENGTHEN TRUST AND RESILIENCE AND
ENHANCE ENTERPRISE TECHNOLOGY CYBERSECURITY ACT OF 2017
Mr. WEBSTER of Florida. Mr. Speaker, I ask unanimous consent to take
from the Speaker's table the bill (S. 770) to require the Director of
the National Institute of Standards and Technology to disseminate
resources to help reduce small business cybersecurity risks, and for
other purposes, and ask for its immediate consideration in the House.
The Clerk read the title of the bill.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Florida?
There was no objection.
The text of the bill is as follows:
S. 770
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Making Available Information
Now to Strengthen Trust and Resilience and Enhance Enterprise
Technology Cybersecurity Act of 2017'' or the ``MAIN STREET
Cybersecurity Act of 2017''.
SEC. 2. FINDINGS.
Congress makes the following findings:
(1) Small businesses play a vital role in the economy of
the United States, accounting for 54 percent of all United
States sales and 55 percent of jobs in the United States.
(2) Attacks targeting small and medium businesses account
for a high percentage of cyberattacks in the United States.
(3) The Cybersecurity Enhancement Act of 2014 (15 U.S.C.
7421 et seq.) calls on the National Institute of Standards
and Technology to facilitate and support a voluntary public-
private partnership to reduce cybersecurity risks to critical
infrastructure. Such a partnership continues to play a key
role in improving the cyber resilience of the United States
and making cyberspace safer.
(4) There is a need to develop simplified resources that
are consistent with the partnership described in paragraph
(3) that improves its use by small businesses.
SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.
(a) Definitions.--In this section:
(1) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(2) Resources.--The term ``resources'' means guidelines,
tools, best practices, standards, methodologies, and other
ways of providing information.
(3) Small business concern.--The term ``small business
concern'' has the meaning given such term in section 3 of the
Small Business Act (15 U.S.C. 632).
(b) Small Business Cybersecurity.--Section 2(e)(1)(A) of
the National Institute of Standards and Technology Act (15
U.S.C. 272(e)(1)(A)) is amended--
(1) in clause (vii), by striking ``and'' at the end;
(2) by redesignating clause (viii) as clause (ix); and
(3) by inserting after clause (vii) the following:
``(viii) consider small business concerns (as defined in
section 3 of the Small Business Act (15 U.S.C. 632)); and''.
(c) Dissemination of Resources for Small Businesses.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, the Director, in carrying out
section 2(e)(1)(A)(viii) of the National Institute of
Standards and Technology Act, as added by subsection (b) of
this Act, in consultation with the heads of such other
Federal agencies as the Director considers appropriate, shall
disseminate clear and concise resources for small business
concerns to help reduce their cybersecurity risks.
(2) Requirements.--The Director shall ensure that the
resources disseminated pursuant to paragraph (1)--
(A) are generally applicable and usable by a wide range of
small business concerns;
(B) vary with the nature and size of the implementing small
business concern, and the nature and sensitivity of the data
collected or stored on the information systems or devices of
the implementing small business concern;
(C) include elements that promote awareness of simple,
basic controls, a workplace cybersecurity culture, and third
party stakeholder relationships, to assist small business
concerns in mitigating common cybersecurity risks;
(D) are technology-neutral and can be implemented using
technologies that are commercial and off-the-shelf; and
(E) are based on international standards to the extent
possible, and are consistent with the Stevenson-Wydler
Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
(3) National cybersecurity awareness and education
program.--The Director shall ensure that the resources
disseminated under paragraph (1) are consistent with the
efforts of the Director under section 401 of the
Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
(4) Small business development center cyber strategy.--In
carrying out paragraph (1), the Director, to the extent
practicable, shall consider any methods included in the Small
Business Development Center Cyber Strategy developed under
section 1841(a)(3)(B) of the National Defense Authorization
Act for Fiscal Year 2017 (Public Law 114-328).
(5) Voluntary resources.--The use of the resources
disseminated under paragraph (1) shall be considered
voluntary.
(6) Updates.--The Director shall review and, if necessary,
update the resources disseminated under paragraph (1) in
accordance with the requirements under paragraph (2).
(7) Public availability.--The Director and such heads of
other Federal agencies as the Director considers appropriate
shall each make prominently available to the public on the
Director's or head's Internet website, as the case may be,
information about the resources and all updates to them
disseminated under paragraph (1). The Director and the heads
shall each ensure that the information they respectively make
prominently available is consistent, clear, and concise.
(d) Consistency of Resources Published by Federal
Agencies.--If a Federal agency publishes resources to help
small business concerns reduce their cybersecurity risks, the
head of such Federal agency, to the degree practicable, shall
make such resources consistent with the resources
disseminated under subsection (c)(1).
(e) Other Federal Cybersecurity Requirements.--Nothing in
this section may be construed to supersede, alter, or
otherwise affect any cybersecurity requirements applicable to
Federal agencies.
Amendment Offered by Mr. Webster of Florida
Mr. WEBSTER of Florida. Mr. Speaker, I have an amendment at the desk.
The Clerk read as follows:
Amendment offered by Mr. Webster of Florida:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``NIST Small Business
Cybersecurity Act''.
SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.
(a) Definitions.--In this section:
(1) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(2) Resources.--The term ``resources'' means guidelines,
tools, best practices, standards, methodologies, and other
ways of providing information.
(3) Small business concern.--The term ``small business
concern'' has the meaning given such term in section 3 of the
Small Business Act (15 U.S.C. 632).
(b) Small Business Cybersecurity.--Section 2(e)(1)(A) of
the National Institute of Standards and Technology Act (15
U.S.C. 272(e)(1)(A)) is amended--
(1) in clause (vii), by striking ``and'' at the end;
(2) by redesignating clause (viii) as clause (ix); and
(3) by inserting after clause (vii) the following:
``(viii) consider small business concerns (as defined in
section 3 of the Small Business Act (15 U.S.C. 632)); and''.
(c) Dissemination of Resources for Small Businesses.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, the Director, in carrying out
section 2(e)(1)(A)(viii) of the National Institute of
Standards and Technology Act, as added by subsection (b) of
this Act, in consultation with the heads of other appropriate
Federal agencies, shall disseminate clear and concise
resources to help small business concerns identify, assess,
manage, and reduce their cybersecurity risks.
(2) Requirements.--The Director shall ensure that the
resources disseminated pursuant to paragraph (1)--
(A) are generally applicable and usable by a wide range of
small business concerns;
(B) vary with the nature and size of the implementing small
business concern, and the nature and sensitivity of the data
collected or stored on the information systems or devices of
the implementing small business concern;
(C) include elements, that promote awareness of simple,
basic controls, a workplace cybersecurity culture, and third-
party stakeholder relationships, to assist small business
concerns in mitigating common cybersecurity risks;
(D) include case studies of practical application;
(E) are technology-neutral and can be implemented using
technologies that are commercial and off-the-shelf; and
(F) are based on international standards to the extent
possible, and are consistent with the Stevenson-Wydler
Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
(3) National cybersecurity awareness and education
program.--The Director shall ensure that the resources
disseminated under paragraph (1) are consistent with the
efforts of the Director under section 401 of the
Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
(4) Small business development center cyber strategy.--In
carrying out paragraph (1), the Director, to the extent
practicable, shall consider any methods included in the Small
Business Development Center Cyber Strategy developed under
section 1841(a)(3)(B) of the National Defense Authorization
Act for Fiscal Year 2017 (Public Law 114-328).
(5) Voluntary resources.--The use of the resources
disseminated under paragraph (1) shall be considered
voluntary.
(6) Updates.--The Director shall review and, if necessary,
update the resources disseminated under paragraph (1) in
accordance with the requirements under paragraph (2).
(7) Public availability.--The Director and the head of each
Federal agency that so elects shall make prominently
available on the respective agency's public Internet website
information about the resources and updates to the resources
disseminated under paragraph (1). The Director and the heads
shall each ensure that the information they respectively make
prominently available is consistent, clear, and concise.
(d) Other Federal Cybersecurity Requirements.--Nothing in
this section may be construed to supersede, alter, or
otherwise affect any cybersecurity requirements applicable to
Federal agencies.
(e) Funding.--This Act shall be carried out using funds
otherwise authorized to be appropriated or made available to
the National Institute of Standards and Technology.
Mr. WEBSTER of Florida (during the reading). Mr. Speaker, I ask
unanimous consent to dispense with the reading.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Florida?
There was no objection.
The amendment was agreed to.
The bill was ordered to be read a third time, was read the third
time, and passed.
The title of the bill was amended so as to read: ``An Act to require
the Director of the National Institute of Standards and Technology to
disseminate guidance to help reduce small business cybersecurity risks,
and for other purposes.''
A motion to reconsider was laid on the table.