[Congressional Record (Bound Edition), Volume 163 (2017), Part 11]
[Senate]
[Pages 15272-15273]
[From the U.S. Government Publishing Office, www.gpo.gov]




                 MAIN STREET CYBERSECURITY ACT OF 2017

  Mr. McCONNELL. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 217, S. 770.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The senior assistant legislative clerk read as follows:

       A bill (S. 770) to require the Director of the National 
     Institute of Standards and Technology to disseminate 
     resources to help reduce small business cybersecurity risks, 
     and for other purposes.

  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Commerce, Science, and 
Transportation, with an amendment to strike all after the enacting 
clause and insert in lieu thereof the following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Making Available Information 
     Now to Strengthen Trust and Resilience and Enhance Enterprise 
     Technology Cybersecurity Act of 2017'' or the ``MAIN STREET 
     Cybersecurity Act of 2017''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) Small businesses play a vital role in the economy of 
     the United States, accounting for 54 percent of all United 
     States sales and 55 percent of jobs in the United States.
       (2) Attacks targeting small and medium businesses account 
     for a high percentage of cyberattacks in the United States. 
     Sixty percent of small businesses that suffer a cyberattack 
     are out of business within 6 months, according to the 
     National Cyber Security Alliance.
       (3) The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
     7421 et seq.) calls on the National Institute of Standards 
     and Technology to facilitate and support a voluntary public-
     private partnership to reduce cybersecurity risks to critical 
     infrastructure. Such a partnership continues to play a key 
     role in improving the cyber resilience of the United States 
     and making cyberspace safer.
       (4) There is a need to develop simplified resources that 
     are consistent with the partnership described in paragraph 
     (3) that improves its use by small businesses.

     SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the National Institute of Standards and Technology.
       (2) Resources.--The term ``resources'' means guidelines, 
     tools, best practices, standards, methodologies, and other 
     ways of providing information.
       (3) Small business concern.--The term ``small business 
     concern'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).
       (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
     the National Institute of Standards and Technology Act (15 
     U.S.C. 272(e)(1)(A)) is amended--
       (1) in clause (vii), by striking ``and'' at the end;
       (2) by redesignating clause (viii) as clause (ix); and
       (3) by inserting after clause (vii) the following:
       ``(viii) consider small business concerns (as defined in 
     section 3 of the Small Business Act (15 U.S.C. 632)); and''.
       (c) Dissemination of Resources for Small Businesses.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Director, in carrying out 
     section 2(e)(1)(A)(viii) of the National Institute of 
     Standards and Technology Act, as added by subsection (b) of 
     this Act, in consultation with the heads of such other 
     Federal agencies as the Director considers appropriate, shall 
     disseminate clear and concise resources for small business 
     concerns to help reduce their cybersecurity risks.
       (2) Requirements.--The Director shall ensure that the 
     resources disseminated pursuant to paragraph (1)--
       (A) are generally applicable and usable by a wide range of 
     small business concerns;
       (B) vary with the nature and size of the implementing small 
     business concern, and the nature and sensitivity of the data 
     collected or stored on the information systems or devices of 
     the implementing small business concern;
       (C) include elements that promote awareness of simple, 
     basic controls, a workplace cybersecurity culture, and third 
     party stakeholder relationships, to assist small business 
     concerns in mitigating common cybersecurity risks;
       (D) are technology-neutral and can be implemented using 
     technologies that are commercial and off-the-shelf; and
       (E) are based on international standards to the extent 
     possible, and are consistent with the Stevenson-Wydler 
     Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
       (3) National cybersecurity awareness and education 
     program.--The Director shall ensure that the resources 
     disseminated under paragraph (1) are consistent with the 
     efforts of the Director under section 401 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
       (4) Small business development center cyber strategy.--In 
     carrying out paragraph (1), the Director, to the extent 
     practicable, shall consider any methods included in the Small 
     Business Development Center Cyber Strategy developed under 
     section 1841(a)(3)(B) of the National Defense Authorization 
     Act for Fiscal Year 2017 (Public Law 114-328).
       (5) Voluntary resources.--The use of the resources 
     disseminated under paragraph (1) shall be considered 
     voluntary.
       (6) Updates.--The Director shall review and, if necessary, 
     update the resources disseminated under paragraph (1) in 
     accordance with the requirements under paragraph (2).
       (7) Public availability.--The Director and such heads of 
     other Federal agencies as the Director considers appropriate 
     shall each make prominently available to the public on the 
     Director's or head's Internet website, as the case may be, 
     information about the resources and all updates to them 
     disseminated under paragraph (1). The Director and the heads 
     shall each ensure that the information they respectively make 
     prominently available is consistent, clear, and concise.
       (d) Consistency of Resources Published by Federal 
     Agencies.--If a Federal agency publishes resources to help 
     small business concerns reduce their cybersecurity risks, the 
     head of such Federal agency, to the degree practicable, shall 
     make such resources consistent with the resources 
     disseminated under subsection (c)(1).
       (e) Other Federal Cybersecurity Requirements.--Nothing in 
     this section may be construed to supersede, alter, or 
     otherwise affect any cybersecurity requirements applicable to 
     Federal agencies.
  Mr. McCONNELL. I ask unanimous consent that the committee-reported 
substitute amendment be considered; that the Schatz amendment No. 977, 
as modified with the changes at the desk, be considered and agreed to; 
that the committee-reported substitute amendment, as amended, be agreed 
to; that the bill, as amended, be considered read a third time and 
passed; and that the motion to reconsider be considered made and laid 
upon the table.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The amendment (No. 977), as modified, was agreed to, as follows:

                     (Purpose: To improve the bill)

       On page 7, beginning on line 14, strike ``Sixty'' and all 
     that follows through line 17.
  The committee-reported amendment in the nature of a substitute, as 
amended, was agreed to.
  The bill (S. 770), as amended, was ordered to be engrossed for a 
third reading, was read the third time, and passed, as follows:

                                 S. 770

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Making Available Information 
     Now to Strengthen Trust and Resilience and Enhance Enterprise 
     Technology Cybersecurity Act of 2017'' or the ``MAIN STREET 
     Cybersecurity Act of 2017''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) Small businesses play a vital role in the economy of 
     the United States, accounting for 54 percent of all United 
     States sales and 55 percent of jobs in the United States.
       (2) Attacks targeting small and medium businesses account 
     for a high percentage of cyberattacks in the United States.
       (3) The Cybersecurity Enhancement Act of 2014 (15 U.S.C. 
     7421 et seq.) calls on the National Institute of Standards 
     and Technology to facilitate and support a voluntary public-
     private partnership to reduce cybersecurity risks to critical 
     infrastructure. Such a partnership continues to play a key 
     role in improving the cyber resilience of the United States 
     and making cyberspace safer.
       (4) There is a need to develop simplified resources that 
     are consistent with the partnership described in paragraph 
     (3) that improves its use by small businesses.

     SEC. 3. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the National Institute of Standards and Technology.
       (2) Resources.--The term ``resources'' means guidelines, 
     tools, best practices, standards, methodologies, and other 
     ways of providing information.
       (3) Small business concern.--The term ``small business 
     concern'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).

[[Page 15273]]

       (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
     the National Institute of Standards and Technology Act (15 
     U.S.C. 272(e)(1)(A)) is amended--
       (1) in clause (vii), by striking ``and'' at the end;
       (2) by redesignating clause (viii) as clause (ix); and
       (3) by inserting after clause (vii) the following:
       ``(viii) consider small business concerns (as defined in 
     section 3 of the Small Business Act (15 U.S.C. 632)); and''.
       (c) Dissemination of Resources for Small Businesses.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Director, in carrying out 
     section 2(e)(1)(A)(viii) of the National Institute of 
     Standards and Technology Act, as added by subsection (b) of 
     this Act, in consultation with the heads of such other 
     Federal agencies as the Director considers appropriate, shall 
     disseminate clear and concise resources for small business 
     concerns to help reduce their cybersecurity risks.
       (2) Requirements.--The Director shall ensure that the 
     resources disseminated pursuant to paragraph (1)--
       (A) are generally applicable and usable by a wide range of 
     small business concerns;
       (B) vary with the nature and size of the implementing small 
     business concern, and the nature and sensitivity of the data 
     collected or stored on the information systems or devices of 
     the implementing small business concern;
       (C) include elements that promote awareness of simple, 
     basic controls, a workplace cybersecurity culture, and third 
     party stakeholder relationships, to assist small business 
     concerns in mitigating common cybersecurity risks;
       (D) are technology-neutral and can be implemented using 
     technologies that are commercial and off-the-shelf; and
       (E) are based on international standards to the extent 
     possible, and are consistent with the Stevenson-Wydler 
     Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
       (3) National cybersecurity awareness and education 
     program.--The Director shall ensure that the resources 
     disseminated under paragraph (1) are consistent with the 
     efforts of the Director under section 401 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
       (4) Small business development center cyber strategy.--In 
     carrying out paragraph (1), the Director, to the extent 
     practicable, shall consider any methods included in the Small 
     Business Development Center Cyber Strategy developed under 
     section 1841(a)(3)(B) of the National Defense Authorization 
     Act for Fiscal Year 2017 (Public Law 114-328).
       (5) Voluntary resources.--The use of the resources 
     disseminated under paragraph (1) shall be considered 
     voluntary.
       (6) Updates.--The Director shall review and, if necessary, 
     update the resources disseminated under paragraph (1) in 
     accordance with the requirements under paragraph (2).
       (7) Public availability.--The Director and such heads of 
     other Federal agencies as the Director considers appropriate 
     shall each make prominently available to the public on the 
     Director's or head's Internet website, as the case may be, 
     information about the resources and all updates to them 
     disseminated under paragraph (1). The Director and the heads 
     shall each ensure that the information they respectively make 
     prominently available is consistent, clear, and concise.
       (d) Consistency of Resources Published by Federal 
     Agencies.--If a Federal agency publishes resources to help 
     small business concerns reduce their cybersecurity risks, the 
     head of such Federal agency, to the degree practicable, shall 
     make such resources consistent with the resources 
     disseminated under subsection (c)(1).
       (e) Other Federal Cybersecurity Requirements.--Nothing in 
     this section may be construed to supersede, alter, or 
     otherwise affect any cybersecurity requirements applicable to 
     Federal agencies.

                          ____________________