[Congressional Record Volume 164, Number 125 (Wednesday, July 25, 2018)]
[House]
[Pages H7201-H7202]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




MAKING AVAILABLE INFORMATION NOW TO STRENGTHEN TRUST AND RESILIENCE AND 
        ENHANCE ENTERPRISE TECHNOLOGY CYBERSECURITY ACT OF 2017

  Mr. WEBSTER of Florida. Mr. Speaker, I ask unanimous consent to take 
from the Speaker's table the bill (S. 770) to require the Director of 
the National Institute of Standards and Technology to disseminate 
resources to help reduce small business cybersecurity risks, and for 
other purposes, and ask for its immediate consideration in the House.
  The Clerk read the title of the bill.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Florida?
  There was no objection.
  The text of the bill is as follows:

                                 S. 770

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Making Available Information 
     Now to Strengthen Trust and Resilience and Enhance Enterprise 
     Technology Cybersecurity Act of 2017'' or the ``MAIN STREET 
     Cybersecurity Act of 2017''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) Small businesses play a vital role in the economy of 
     the United States, accounting for 54 percent of all United 
     States sales and 55 percent of jobs in the United States.
       (2) Attacks targeting small and medium businesses account 
     for a high percentage of cyberattacks in the United States.
       (3) The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
     7421 et seq.) calls on the National Institute of Standards 
     and Technology to facilitate and support a voluntary public-
     private partnership to reduce cybersecurity risks to critical 
     infrastructure. Such a partnership continues to play a key 
     role in improving the cyber resilience of the United States 
     and making cyberspace safer.
       (4) There is a need to develop simplified resources that 
     are consistent with the partnership described in paragraph 
     (3) that improves its use by small businesses.

     SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the National Institute of Standards and Technology.
       (2) Resources.--The term ``resources'' means guidelines, 
     tools, best practices, standards, methodologies, and other 
     ways of providing information.
       (3) Small business concern.--The term ``small business 
     concern'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).
       (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
     the National Institute of Standards and Technology Act (15 
     U.S.C. 272(e)(1)(A)) is amended--
       (1) in clause (vii), by striking ``and'' at the end;
       (2) by redesignating clause (viii) as clause (ix); and
       (3) by inserting after clause (vii) the following:
       ``(viii) consider small business concerns (as defined in 
     section 3 of the Small Business Act (15 U.S.C. 632)); and''.
       (c) Dissemination of Resources for Small Businesses.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Director, in carrying out 
     section 2(e)(1)(A)(viii) of the National Institute of 
     Standards and Technology Act, as added by subsection (b) of 
     this Act, in consultation with the heads of such other 
     Federal agencies as the Director considers appropriate, shall 
     disseminate clear and concise resources for small business 
     concerns to help reduce their cybersecurity risks.
       (2) Requirements.--The Director shall ensure that the 
     resources disseminated pursuant to paragraph (1)--
       (A) are generally applicable and usable by a wide range of 
     small business concerns;
       (B) vary with the nature and size of the implementing small 
     business concern, and the nature and sensitivity of the data 
     collected or stored on the information systems or devices of 
     the implementing small business concern;
       (C) include elements that promote awareness of simple, 
     basic controls, a workplace cybersecurity culture, and third 
     party stakeholder relationships, to assist small business 
     concerns in mitigating common cybersecurity risks;
       (D) are technology-neutral and can be implemented using 
     technologies that are commercial and off-the-shelf; and
       (E) are based on international standards to the extent 
     possible, and are consistent with the Stevenson-Wydler 
     Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
       (3) National cybersecurity awareness and education 
     program.--The Director shall ensure that the resources 
     disseminated under paragraph (1) are consistent with the 
     efforts of the Director under section 401 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
       (4) Small business development center cyber strategy.--In 
     carrying out paragraph (1), the Director, to the extent 
     practicable, shall consider any methods included in the Small 
     Business Development Center Cyber Strategy developed under 
     section 1841(a)(3)(B) of the National Defense Authorization 
     Act for Fiscal Year 2017 (Public Law 114-328).
       (5) Voluntary resources.--The use of the resources 
     disseminated under paragraph (1) shall be considered 
     voluntary.
       (6) Updates.--The Director shall review and, if necessary, 
     update the resources disseminated under paragraph (1) in 
     accordance with the requirements under paragraph (2).
       (7) Public availability.--The Director and such heads of 
     other Federal agencies as the Director considers appropriate 
     shall each make prominently available to the public on the 
     Director's or head's Internet website, as the case may be, 
     information about the resources and all updates to them 
     disseminated under paragraph (1). The Director and the heads 
     shall each ensure that the information they respectively make 
     prominently available is consistent, clear, and concise.
       (d) Consistency of Resources Published by Federal 
     Agencies.--If a Federal agency publishes resources to help 
     small business concerns reduce their cybersecurity risks, the 
     head of such Federal agency, to the degree practicable, shall 
     make such resources consistent with the resources 
     disseminated under subsection (c)(1).
       (e) Other Federal Cybersecurity Requirements.--Nothing in 
     this section may be construed to supersede, alter, or 
     otherwise affect any cybersecurity requirements applicable to 
     Federal agencies.

              Amendment Offered by Mr. Webster of Florida

  Mr. WEBSTER of Florida. Mr. Speaker, I have an amendment at the desk.
  The Clerk read as follows:
  Amendment offered by Mr. Webster of Florida:

       Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``NIST Small Business 
     Cybersecurity Act''.

     SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the National Institute of Standards and Technology.
       (2) Resources.--The term ``resources'' means guidelines, 
     tools, best practices, standards, methodologies, and other 
     ways of providing information.
       (3) Small business concern.--The term ``small business 
     concern'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).
       (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
     the National Institute of Standards and Technology Act (15 
     U.S.C. 272(e)(1)(A)) is amended--
       (1) in clause (vii), by striking ``and'' at the end;
       (2) by redesignating clause (viii) as clause (ix); and
       (3) by inserting after clause (vii) the following:
       ``(viii) consider small business concerns (as defined in 
     section 3 of the Small Business Act (15 U.S.C. 632)); and''.
       (c) Dissemination of Resources for Small Businesses.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Director, in carrying out 
     section 2(e)(1)(A)(viii) of the National Institute of 
     Standards and Technology Act, as added by subsection (b) of 
     this Act, in consultation with the heads of other appropriate 
     Federal agencies, shall disseminate clear and concise 
     resources to help small business concerns identify, assess, 
     manage, and reduce their cybersecurity risks.
       (2) Requirements.--The Director shall ensure that the 
     resources disseminated pursuant to paragraph (1)--
       (A) are generally applicable and usable by a wide range of 
     small business concerns;
       (B) vary with the nature and size of the implementing small 
     business concern, and the nature and sensitivity of the data 
     collected or stored on the information systems or devices of 
     the implementing small business concern;
       (C) include elements, that promote awareness of simple, 
     basic controls, a workplace cybersecurity culture, and third-
     party stakeholder relationships, to assist small business 
     concerns in mitigating common cybersecurity risks;
       (D) include case studies of practical application;
       (E) are technology-neutral and can be implemented using 
     technologies that are commercial and off-the-shelf; and
       (F) are based on international standards to the extent 
     possible, and are consistent with the Stevenson-Wydler 
     Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
       (3) National cybersecurity awareness and education 
     program.--The Director shall ensure that the resources 
     disseminated under paragraph (1) are consistent with the 
     efforts of the Director under section 401 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
       (4) Small business development center cyber strategy.--In 
     carrying out paragraph (1), the Director, to the extent 
     practicable, shall consider any methods included in the Small 
     Business Development Center Cyber Strategy developed under 
     section 1841(a)(3)(B) of the National Defense Authorization 
     Act for Fiscal Year 2017 (Public Law 114-328).
       (5) Voluntary resources.--The use of the resources 
     disseminated under paragraph (1) shall be considered 
     voluntary.
       (6) Updates.--The Director shall review and, if necessary, 
     update the resources disseminated under paragraph (1) in 
     accordance with the requirements under paragraph (2).
       (7) Public availability.--The Director and the head of each 
     Federal agency that so elects shall make prominently 
     available on the respective agency's public Internet website 
     information about the resources and updates to the resources 
     disseminated under paragraph (1). The Director and the heads 
     shall each ensure that the information they respectively make 
     prominently available is consistent, clear, and concise.
       (d) Other Federal Cybersecurity Requirements.--Nothing in 
     this section may be construed to supersede, alter, or 
     otherwise affect any cybersecurity requirements applicable to 
     Federal agencies.
       (e) Funding.--This Act shall be carried out using funds 
     otherwise authorized to be appropriated or made available to 
     the National Institute of Standards and Technology.

  Mr. WEBSTER of Florida (during the reading). Mr. Speaker, I ask 
unanimous consent to dispense with the reading.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Florida?
  There was no objection.
  The amendment was agreed to.
  The bill was ordered to be read a third time, was read the third 
time, and passed.
  The title of the bill was amended so as to read: ``An Act to require 
the Director of the National Institute of Standards and Technology to 
disseminate guidance to help reduce small business cybersecurity risks, 
and for other purposes.''
  A motion to reconsider was laid on the table.
