[Congressional Record (Bound Edition), Volume 163 (2017), Part 11]
[House]
[Pages 15791-15794]
[From the U.S. Government Publishing Office, www.gpo.gov]




                 NIST SMALL BUSINESS CYBERSECURITY ACT

  Mr. WEBSTER of Florida. Mr. Speaker, I move to suspend the rules and 
pass the bill (H.R. 2105) to require the Director of the National 
Institute of Standards and Technology to disseminate guidance to help 
reduce small business cybersecurity risks, and for other purposes, as 
amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 2105

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``NIST Small Business 
     Cybersecurity Act''.

     SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Director.--The term ``Director'' means the Director of 
     the National Institute of Standards and Technology.
       (2) Resources.--The term ``resources'' means guidelines, 
     tools, best practices, standards, methodologies, and other 
     ways of providing information.
       (3) Small business concern.--The term ``small business 
     concern'' has the meaning given such term in section 3 of the 
     Small Business Act (15 U.S.C. 632).
       (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of 
     the National Institute of Standards and Technology Act (15 
     U.S.C. 272(e)(1)(A)) is amended--
       (1) in clause (vii), by striking ``and'' at the end;
       (2) by redesignating clause (viii) as clause (ix); and
       (3) by inserting after clause (vii) the following:
       ``(viii) consider small business concerns (as defined in 
     section 3 of the Small Business Act (15 U.S.C. 632)); and''.
       (c) Dissemination of Resources for Small Businesses.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Director, in carrying out 
     section 2(e)(1)(A)(viii) of the National Institute of 
     Standards and Technology Act, as added by subsection (b) of 
     this Act, in consultation with the heads of other appropriate 
     Federal agencies, shall disseminate clear and concise 
     resources to help small business concerns identify, assess, 
     manage, and reduce their cybersecurity risks.
       (2) Requirements.--The Director shall ensure that the 
     resources disseminated pursuant to paragraph (1)--
       (A) are generally applicable and usable by a wide range of 
     small business concerns;
       (B) vary with the nature and size of the implementing small 
     business concern, and the nature and sensitivity of the data 
     collected or stored on the information systems or devices of 
     the implementing small business concern;
       (C) include elements, that promote awareness of simple, 
     basic controls, a workplace, cybersecurity culture, and 
     third-party stake-holder relationships, to assist small 
     business concerns in mitigating common cybersecurity risks;
       (D) include case studies of practical application;
       (E) are technology-neutral and can be implemented using 
     technologies that are commercial and off-the-shelf; and
       (F) are based on international standards to the extent 
     possible, and are consistent with the Stevenson-Wydler 
     Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.).
       (3) National cybersecurity awareness and education 
     program.--The Director shall ensure that the resources 
     disseminated under paragraph (1) are consistent with the 
     efforts of the Director under section 401 of the 
     Cybersecurity Enhancement Act of 2014 (15 U.S.C. 7451).
       (4) Small business development center cyber strategy.--In 
     carrying out paragraph (1), the Director, to the extent 
     practicable, shall consider any methods included in the Small 
     Business Development Center Cyber Strategy developed under 
     section 1841(a)(3)(B) of the National Defense Authorization 
     Act for Fiscal Year 2017 (Public Law 114-328).
       (5) Voluntary resources.--The use of the resources 
     disseminated under paragraph (1) shall be considered 
     voluntary.
       (6) Updates.--The Director shall review and, if necessary, 
     update the resources disseminated under paragraph (1) in 
     accordance with the requirements under paragraph (2).
       (7) Public availability.--The Director and the head of each 
     Federal agency that so elects shall make prominently 
     available on the respective agency's public Internet website 
     information about the resources and updates to the resources 
     disseminated under paragraph (1). The Director and the heads 
     shall each ensure that the information they respectively make 
     prominently available is consistent, clear, and concise.
       (d) Other Federal Cybersecurity Requirements.--Nothing in 
     this section may be construed to supersede, alter, or 
     otherwise affect any cybersecurity requirements applicable to 
     Federal agencies.
       (e) Funding.--This Act shall be carried out using funds 
     otherwise authorized to be appropriated or made available to 
     the National Institute of Standards and Technology.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Florida (Mr. Webster) and the gentleman from Illinois (Mr. Lipinski) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Florida.


                             General Leave

  Mr. WEBSTER of Florida. Mr. Speaker, I ask unanimous consent that all 
Members have 5 legislative days to revise and extend their remarks and 
include any extraneous material on H.R. 2105.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Florida?
  There was no objection.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield myself such time as I 
may consume.
  Mr. Speaker, I thank the leadership for giving us this time to debate 
this important bill. It is especially timely as October is National 
Cyber Security Awareness Month, so taking up this bill at this time is 
a perfect time. We must come together to protect all businesses--large, 
small, and medium--from the constant threat of cyber attacks.
  America's small businesses are the backbone of our economy, 
accounting for 54 percent of all American sales and 55 percent of 
American jobs. Unfortunately, small businesses are especially 
vulnerable, with some reports noting that 43 percent of cyber attacks 
specifically target them. These small businesses are more susceptible 
to attacks due to the limited access to the tools they need to prepare 
for such an event. Implementation of the NIST Framework into these 
small businesses will protect small business owners, their employees, 
and their customer base all while contributing positively to the 
economy.
  H.R. 2105, the National Institute of Standards and Technology Small 
Business Cybersecurity Act, will help small businesses better address 
their cybersecurity risks to help them survive and thrive in the face 
of such adversity.
  As an owner of a multigenerational family air-conditioning and 
heating business, I understand firsthand the importance of equipping 
and empowering small businesses to tackle these challenges so that they 
can grow and prosper.
  About 10 months ago, my sons called me and said that there was a 
message on the screen of one of our computers that said: ``Your data 
has been frozen. You have been attacked.'' It had a little clock on 
there ticking down. ``If you don't pay a ransom by a certain time, then 
we will destroy your data. It is inaccessible.''
  Well, there was something we had done, fortunately--not that we do 
every day, but we had done several days before--which protected us from 
that. We were able to fix our problem and wipe it clean and get started 
all over. But most small businesses may or may not--including 
ourselves--have done that just a few days before.
  Thus, I introduced H.R. 2105 with the support and cosponsorship of 
many of my colleagues on the committee, including Chairman Smith, 
Chairwoman Comstock, and Ranking Member Lipinski.
  H.R. 2105 would provide small businesses in my district, State, and 
across the country with the tools they need to meet the threats and 
challenges of the modern world.
  This bill describes the vital role played by small businesses in the 
U.S. economy, the devastating impact of cyber attacks on a majority of 
small businesses and large businesses and what they need to develop to 
specifically help themselves.
  It directs the NIST Director--within a year of the act's enactment--
to disseminate clear and concise resources, which are defined as 
guidelines, tools, best practices, standards, methodologies, and other 
ways of providing this information.
  Dissemination would be in consultation with heads of other Federal 
agencies. These resources--based on the NIST Framework for Improving 
Critical Infrastructure Cybersecurity--will help small businesses 
identify, assess, manage, and reduce their cybersecurity risks.

                              {time}  1400

  H.R. 2105 also clarifies that use of the resources by small 
businesses is voluntary, directs the NIST Director and heads of Federal 
agencies that so elect to make the resources available on their 
government websites, and specifies that no new funds are authorized to 
carry out this act.
  This bill is very similar to S. 770, the MAIN STREET Cybersecurity 
Act, which is supported by the National Small Business Association, 
National Restaurant Association, U.S. Chamber of Commerce, and the 
International TechneGroup. The Chamber and International TechneGroup 
have also come out in support of H.R. 2105.
  On September 28, 2017, the Senate passed S. 770 by unanimous consent, 
and I ask my colleagues to similarly support H.R. 2105.
  Mr. Speaker, I reserve the balance of my time.
  Mr. LIPINSKI. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 2105, the NIST Small Business 
Cybersecurity Act of 2017, a bipartisan effort to help small businesses 
implement the NIST Cybersecurity Framework for Critical Infrastructure.
  I thank Mr. Webster for his work on the bill and all of my colleagues 
on the Science, Space, and Technology Committee for their support of 
the bill.
  I would also like to thank Senator Schatz and my colleagues in the 
Senate for working to pass the companion version over there, which I 
hope that we can follow suit on here today.
  The NIST cybersecurity framework provides valuable guidance on 
cybersecurity best practices for organizations of all sizes, but small 
businesses often don't have the time or resources to figure out how to 
adapt it to their needs and implement it. This bill directs NIST to 
create clear guidelines, tools, and best practices specifically for 
small businesses so that they can protect their networked resources.
  Most small businesses do not have significant IT departments. Some do 
not even have any dedicated information security personnel. Thus, they 
may be more at risk of cyber attack than large enterprises.
  According to data released last month, 53 percent of American 
businesses of all sizes suffered a cyber attack in the past year. Of 
those, 72 percent spent more than $5,000 to investigate and recover. A 
2016 report found that 42 percent of businesses suffered a cyber attack 
of some kind.
  Incidents like these do not only hurt individual small-business 
owners, employees, and customers, they hurt American competitiveness.
  In my district in the southwest suburbs of Chicago, there is a 
fourth-generation family manufacturing business that has suffered 
multiple sophisticated phishing attacks. The few times they have fallen 
victim to these attacks, the costs have been significant. The owners 
have told me that they would welcome guidance on affordable, off-the-
shelf resources to strengthen their cyber defenses and let them get 
back to focusing on their business.
  This is a story repeated across the country. That is why we must act, 
and we must pass this bill for our small businesses. The guidelines 
created under this bill, like the NIST framework, will be voluntary, so 
we won't be adding to the regulatory burden on small businesses. 
Instead, we will be offering them an opportunity to secure their 
networks so that they can compete on a level playing field.
  Mr. Speaker, I urge my colleagues to support this bill, and I reserve 
the balance of my time.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield 2 minutes to the 
gentleman from Florida (Mr. Dunn).
  Mr. DUNN. Mr. Speaker, today I rise in support of H.R. 2105, the 
National Institute of Standards and Technology Small Business 
Cybersecurity Act. This bipartisan legislation instructs the Director 
of NIST, in consultation with other Federal agencies, to disseminate 
guidance to help small businesses identify, assess, manage, and reduce 
their cybersecurity risks. As a small-business owner, I am honored to 
be a cosponsor of this bill.
  We know the importance of keeping all records safe and secure from 
outside threats. With the recent hacking of Equifax and many others, 
there is clearly a growing risk of online hacking and cyber warfare in 
the world today. It is imperative that we ensure that the backbone of 
our economy, our small- and medium-size businesses, have the resources 
they need to stay safe.
  I strongly believe that the businesses in Florida's Second District 
would benefit from this vital information, which will help them keep 
their data safe and secure. By increasing cybersecurity efforts, we are 
protecting both small businesses and their millions of customers across 
the country.
  This bill doesn't cost the taxpayers anything, but it could 
potentially save small-business owners and consumers both their privacy 
and livelihoods.
  Mr. LIPINSKI. Mr. Speaker, I yield such time as she may consume to 
the gentlewoman from Texas (Ms. Eddie Bernice Johnson), the ranking 
member of the Science, Space, and Technology Committee.
  Ms. EDDIE BERNICE JOHNSON of Texas. Mr. Speaker, I rise in support of 
H.R. 2105, the NIST Small Business Cybersecurity Act of 2017, which 
directs the National Institute of Standards and Technology to provide 
more guidance, resources, and tools to small businesses to improve 
their cybersecurity and protect the personal information of their 
customers.
  According to the Small Business Administration, the 28 million small 
businesses in America account for 54 percent of all U.S. sales and 55 
percent of all U.S. jobs. Small businesses play a central role in our 
economy.
  Unfortunately, the information systems and networks of small 
businesses are especially vulnerable to an increasing volume and 
sophistication of cyber attacks. Small businesses rarely have employees 
or leadership with education or training in cybersecurity. Further, 
small businesses typically have limited resources to invest in 
cybersecurity.
  The National Institute of Standards and Technology, or NIST, is a 
leader in developing standards and guidelines for cybersecurity in both 
the public and private sectors. In 2009, NIST developed a guidance 
document called, ``Small Business Information Security: The 
Fundamentals.'' The document described the fundamentals of an effective 
small-business information security program in nontechnical language.
  In 2014, in response to an executive order from President Obama, NIST 
published the Cybersecurity Framework for Critical Infrastructure. The 
cybersecurity framework, as written, is most useful for larger 
businesses with at least some cybersecurity expertise. Therefore, in 
November 2016, NIST published an update of their small-business 
guidance document using the framework as a template.
  These are just two examples of how NIST has long privatized 
supporting small-business efforts to strengthen cybersecurity. The 
requirements of H.R. 2105 are consistent with these ongoing efforts and 
help ensure that they will continue.
  Ideally, H.R. 2105 would have also provided resources for NIST to 
expand these activities because the need is very clear. We cannot effectively 
support small business in this country unless we provide the relevant 
government agencies the resources to help protect those businesses from 
cyber threats.
  Mr. Speaker, I support H.R. 2105, and I thank the sponsors, including 
Mr. Webster, Mr. Lipinski, and Ms. Rosen, for their strong support for 
small businesses and NIST's important role in cybersecurity. However, I 
am concerned that the House bill contains an explicit unfunded mandate 
clause and that the Senate passed a version that is silent in funding. 
I hope Congress will provide NIST the adequate resources to fulfill the 
mandates in this legislation.
  Mr. Speaker, I urge passage of the bill.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield 4 minutes to the 
gentleman from Texas (Mr. Smith), chairman of the committee.
  Mr. SMITH of Texas. Mr. Speaker, I thank the gentleman from Florida 
(Mr. Webster) for yielding me time and for introducing H.R. 2105, the 
NIST Small Business Cybersecurity Act.
  This important and timely bipartisan bill, cosponsored by 17 Members 
of Congress and approved by the Science Committee by voice vote, 
directs the National Institute of Standards and Technology to provide 
small businesses with cybersecurity guidelines, tools, best practices, 
standards, and methodologies necessary to better protect themselves 
from cyber attacks.
  Small businesses help produce a thriving economy that benefits our 
entire country. They bring innovative ideas, cutting-edge products and 
services, and jobs to the marketplace. In my home State, for example, 
there are more than 2.4 million small businesses that employ almost 4.5 
million Texans.
  Major cyber attacks dominate news coverage, such as the Equifax or 
Yahoo hacks that impacted millions and billions of people. But small 
businesses, which often do not have sufficient information to 
adequately monitor and protect their computer systems, are frequently 
the target of cyber attacks, as well.
  A 2016 Symantec report notes that cyber attacks against businesses 
with fewer than 250 employees have grown from 18 percent in 2011 to 43 
percent in 2015. This bill can help those businesses.
  October is National Cybersecurity Awareness Month, so it is 
appropriate that we consider a bill designed to help protect small 
businesses from cybersecurity attacks. Today's legislation provides 
small businesses with NIST expertise to reduce their cybersecurity 
risk.
  NIST experts developed a cybersecurity framework through 
collaboration between the government and the private sector. This 
framework is accepted and used by many private organizations to address 
and manage their information technology vulnerabilities in a cost-
effective way.
  The guidance described in this bill to help small businesses is based 
on the NIST cybersecurity framework. H.R. 2105 prioritizes 
dissemination of this guidance by NIST within its almost $1 billion 
budget.
  Mr. Speaker, I urge my colleagues to show their support for small 
business by approving Mr. Webster's fiscally responsible, innovation 
protection bill today.
  Mr. LIPINSKI. Mr. Speaker, I have no further speakers, and I reserve 
the balance of my time.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield 2 minutes to the 
gentlewoman from Virginia (Mrs. Comstock), the chairwoman of the 
subcommittee.
  Mrs. COMSTOCK. Mr. Speaker, I rise in support of H.R. 2105.
  When I travel around my district, which is rich with technology 
workers, the thing that I hear repeated concern about is the increasing 
need for individuals with the skill set, education, training, and 
knowledge of cybersecurity matters.
  With the recent events with Equifax, WannaCry, and OPM breaches, it 
is clear that our cybersecurity infrastructure needs to be 
strengthened.
  In December 2016, the Commission on Enhancing National Cybersecurity 
specifically recommended that the administration should ``develop 
concrete efforts to support and strengthen the cybersecurity of small- 
and medium-sized businesses.''
  With small businesses accounting for most of the U.S. economy's jobs 
and sales, it is imperative that we provide guidance to help them 
identify, assess, manage, and reduce their cybersecurity risks. By 
making these resources readily available to small businesses across the 
country, this commonsense legislation will help them protect their 
sensitive data and business from cyber threats so they can grow our 
economy and provide more jobs instead.
  I am proud to be an original cosponsor of this measure, the NIST 
Small Business Cybersecurity Act, and I urge my colleagues to vote 
``yes'' on its passage.
  Mr. Speaker, I thank my colleague from Florida (Mr. Webster) for his 
leadership on this legislation.
  Mr. LIPINSKI. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield 1 minute to the 
gentleman from South Carolina (Mr. Norman).

                              {time}  1415

  Mr. NORMAN. Mr. Speaker, I rise today in support of H.R. 2105, the 
National Institute of Standards and Technology Small Business 
Cybersecurity Act. This bill directs the National Institute of 
Standards and Technology to issue guidance for small businesses to use 
voluntarily to assist them in identifying and assessing, managing, and 
reducing the cybersecurity risk.
  As has been said, small businesses in the U.S. account for 54 percent 
of sales and 55 percent of U.S. jobs. However, a 2016 Symantec Internet 
Security Threat Report indicated that businesses with less than 250 
employees are facing increased cybersecurity threats, up from 18 
percent in 2011 to 43 percent in 2015.
  Mr. Speaker, I recently passed our real estate small business to my 
son Warren, so I understand the importance of equipping small 
businesses with the tools that will enable them to meet the emerging 
challenges.
  I urge passage of H.R. 2105, which will help prepare small businesses 
in the future, and I urge my colleagues to pass it.
  Mr. LIPINSKI. Mr. Speaker, I continue to reserve the balance of my 
time.
  Mr. WEBSTER of Florida. Mr. Speaker, I yield 1 minute to the 
gentleman from Nebraska (Mr. Bacon).
  Mr. BACON. Mr. Speaker, I rise in support of the National Institute 
of Standards and Technology Small Business Cybersecurity Act, a bill 
that I am proud to cosponsor. This legislation will help promote 
stronger cybersecurity practices amongst our Nation's small businesses, 
and it is fiscally responsible.
  The well-being of our small businesses is important to the overall 
health of our economy. According to the Small Business Administration, 
small businesses account for 55 percent of total jobs in the United 
States. In my home State of Nebraska, small businesses employed 390,000 
people in 2016.
  Some small businesses are not able to prioritize cybersecurity 
efforts over other aspects of their business or they lack the resources 
to secure their networks and systems. We must promote greater 
preparedness to protect small businesses from cyber attacks.
  H.R. 2105 directs NIST to disseminate guidance to help small 
businesses identify, assess, manage, and reduce their cyber risks based 
off NIST's extensive expertise. This is a big step towards promoting 
better cybersecurity practices amongst our Nation's small businesses.
  I urge my colleagues to support H.R. 2105.
  Mr. LIPINSKI. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, we all have come down here and talked about the 
importance of small business. We know how important small businesses 
are to our country, the real engine of our economic growth.
  We also know that, in most small businesses today, they don't have 
the capabilities to have an IT department or the expertise that they need 
to protect themselves from the continual cyber attacks, the theft of 
data that we hear about. But those attacks and that theft of data does 
not only happen for large companies; it is also a threat to small 
businesses. Therefore, we need to do all that we can to make sure that 
they are capable of protecting themselves so that our small businesses 
can continue to thrive and be the economic engine that they are.
  I urge my colleagues to support this bill. We get something good done 
for our small businesses. I urge them to support this, and I yield back 
the balance of my time.
  Mr. WEBSTER of Florida. Mr. Speaker, I thank those from both sides--
Ranking Member Lipinski, Chairman Smith, and others--who have supported 
this bill. It is a great idea. It is an opportunity to not only have 
available for us, it has bipartisan support and also bicameral support. 
This is a good opportunity to help all small businesses.
  I know personally from my business and I know others who have small 
businesses who know that there is, in a sense, very little help right 
now for small businesses in this area of cybersecurity. The larger 
businesses certainly have their own IT people; we don't. So I am 
excited about the fact that this could happen, and I move passage.
  Mr. Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore (Mr. Barton). The question is on the motion 
offered by the gentleman from Florida (Mr. Webster) that the House 
suspend the rules and pass the bill, H.R. 2105, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.
