[115th Congress Public Law 236]
[From the U.S. Government Publishing Office]

[[Page 2443]]


[[Page 132 STAT. 2444]]

Public Law 115-236
115th Congress

                                 An Act

   To require the Director of the National Institute of Standards and 
    Technology to disseminate guidance to help reduce small business 
     cybersecurity risks, and for other purposes. <<NOTE: Aug. 14, 
                           2018 -  [S. 770]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: NIST Small 
Business Cybersecurity Act. 15 USC 271 note.>> 

    This Act may be cited as the ``NIST Small Business Cybersecurity 
                    SMALL BUSINESSES.

    (a) Definitions.--In this section:
            (1) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (2) Resources.--The term ``resources'' means guidelines, 
        tools, best practices, standards, methodologies, and other ways 
        of providing information.
            (3) Small business concern.--The term ``small business 
        concern'' has the meaning given such term in section 3 of the 
        Small Business Act (15 U.S.C. 632).

    (b) Small Business Cybersecurity.--Section 2(e)(1)(A) of the 
National Institute of Standards and Technology Act (15 U.S.C. 
272(e)(1)(A)) is amended--
            (1) in clause (vii), by striking ``and'' at the end;
            (2) by redesignating clause (viii) as clause (ix); and
            (3) by inserting after clause (vii) the following:
                          ``(viii) consider small business concerns (as 
                      defined in section 3 of the Small Business Act (15 
                      U.S.C. 632)); and''.

    (c) Dissemination of Resources for Small Businesses.--
            (1) <<NOTE: Deadline. Consultation.>>  In general.--Not 
        later than one year after the date of the enactment of this Act, 
        the Director, in carrying out section 2(e)(1)(A)(viii) of the 
        National Institute of Standards and Technology Act, as added by 
        subsection (b) of this Act, in consultation with the heads of 
        other appropriate Federal agencies, shall disseminate clear and 
        concise resources to help small business concerns identify, 
        assess, manage, and reduce their cybersecurity risks.
            (2) Requirements.--The Director shall ensure that the 
        resources disseminated pursuant to paragraph (1)--
                    (A) are generally applicable and usable by a wide 
                range of small business concerns;
                    (B) vary with the nature and size of the 
                implementing small business concern, and the nature and 

[[Page 132 STAT. 2445]]

                of the data collected or stored on the information 
                systems or devices of the implementing small business 
                    (C) include elements, that promote awareness of 
                simple, basic controls, a workplace cybersecurity 
                culture, and third-party stakeholder relationships, to 
                assist small business concerns in mitigating common 
                cybersecurity risks;
                    (D) include case studies of practical application;
                    (E) are technology-neutral and can be implemented 
                using technologies that are commercial and off-the-
                shelf; and
                    (F) are based on international standards to the 
                extent possible, and are consistent with the Stevenson-
                Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701 
                et seq.).
            (3) National cybersecurity awareness and education 
        program.--The Director shall ensure that the resources 
        disseminated under paragraph (1) are consistent with the efforts 
        of the Director under section 401 of the Cybersecurity 
        Enhancement Act of 2014 (15 U.S.C. 7451).
            (4) Small business development center cyber strategy.--In 
        carrying out paragraph (1), the Director, to the extent 
        practicable, shall consider any methods included in the Small 
        Business Development Center Cyber Strategy developed under 
        section 1841(a)(3)(B) of the National Defense Authorization Act 
        for Fiscal Year 2017 (Public Law 114-328).
            (5) Voluntary resources.--The use of the resources 
        disseminated under paragraph (1) shall be considered voluntary.
            (6) <<NOTE: Review.>>  Updates.--The Director shall review 
        and, if necessary, update the resources disseminated under 
        paragraph (1) in accordance with the requirements under 
        paragraph (2).
            (7) <<NOTE: Web posting.>>  Public availability.--The 
        Director and the head of each Federal agency that so elects 
        shall make prominently available on the respective agency's 
        public Internet website information about the resources and 
        updates to the resources disseminated under paragraph (1). The 
        Director and the heads shall each ensure that the information 
        they respectively make prominently available is consistent, 
        clear, and concise.

    (d) Other Federal Cybersecurity Requirements.--Nothing in this 
section may be construed to supersede, alter, or otherwise affect any 
cybersecurity requirements applicable to Federal agencies.

[[Page 132 STAT. 2446]]

    (e) Funding.--This Act shall be carried out using funds otherwise 
authorized to be appropriated or made available to the National 
Institute of Standards and Technology.

    Approved August 14, 2018.


SENATE REPORTS: No. 115-153 (Comm. on Commerce, Science, and 
                                                        Vol. 163 (2017):
                                    Sept. 28, considered and passed 
                                                        Vol. 164 (2018):
                                    July 25, considered and passed 
                                        House, amended.
                                    Aug. 1, Senate concurred in House