[United States Statutes at Large, Volume 132, 115th Congress, 2nd Session]
[From the U.S. Government Publishing Office, www.gpo.gov]


Public Law 115-236
115th Congress

An Act


To require the Director of the National Institute of Standards and
Technology to disseminate guidance to help reduce small business
cybersecurity risks, and for other purposes.

Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.

This Act may be cited as the ``NIST Small Business Cybersecurity
Act''.
SEC. 2. IMPROVING CYBERSECURITY OF SMALL BUSINESSES.

(a) Definitions.--In this section:
(1) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(2) Resources.--The term ``resources'' means guidelines,
tools, best practices, standards, methodologies, and other ways
of providing information.
(3) Small business concern.--The term ``small business
concern'' has the meaning given such term in section 3 of the
Small Business Act (15 U.S.C. 632).

(b) Small Business Cybersecurity.--Section 2(e)(1)(A) of the
National Institute of Standards and Technology Act (15 U.S.C.
272(e)(1)(A)) is amended--
(1) in clause (vii), by striking ``and'' at the end;
(2) by redesignating clause (viii) as clause (ix); and
(3) by inserting after clause (vii) the following:
``(viii) consider small business concerns (as
defined in section 3 of the Small Business Act (15
U.S.C. 632)); and''.

(c) Dissemination of Resources for Small Businesses.--
(1) In general.--Not
later than one year after the date of the enactment of this Act,
the Director, in carrying out section 2(e)(1)(A)(viii) of the
National Institute of Standards and Technology Act, as added by
subsection (b) of this Act, in consultation with the heads of
other appropriate Federal agencies, shall disseminate clear and
concise resources to help small business concerns identify,
assess, manage, and reduce their cybersecurity risks.
(2) Requirements.--The Director shall ensure that the
resources disseminated pursuant to paragraph (1)--
(A) are generally applicable and usable by a wide
range of small business concerns;
(B) vary with the nature and size of the
implementing small business concern, and the nature and
sensitivity of the data collected or stored on the information
systems or devices of the implementing small business
concern;
(C) include elements, that promote awareness of
simple, basic controls, a workplace cybersecurity
culture, and third-party stakeholder relationships, to
assist small business concerns in mitigating common
cybersecurity risks;
(D) include case studies of practical application;
(E) are technology-neutral and can be implemented
using technologies that are commercial and off-the-
shelf; and
(F) are based on international standards to the
extent possible, and are consistent with the Stevenson-
Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701
et seq.).
(3) National cybersecurity awareness and education
program.--The Director shall ensure that the resources
disseminated under paragraph (1) are consistent with the efforts
of the Director under section 401 of the Cybersecurity
Enhancement Act of 2014 (15 U.S.C. 7451).
(4) Small business development center cyber strategy.--In
carrying out paragraph (1), the Director, to the extent
practicable, shall consider any methods included in the Small
Business Development Center Cyber Strategy developed under
section 1841(a)(3)(B) of the National Defense Authorization Act
for Fiscal Year 2017 (Public Law 114-328).
(5) Voluntary resources.--The use of the resources
disseminated under paragraph (1) shall be considered voluntary.
(6) Updates.--The Director shall review
and, if necessary, update the resources disseminated under
paragraph (1) in accordance with the requirements under
paragraph (2).
(7) Public availability.--The
Director and the head of each Federal agency that so elects
shall make prominently available on the respective agency's
public Internet website information about the resources and
updates to the resources disseminated under paragraph (1). The
Director and the heads shall each ensure that the information
they respectively make prominently available is consistent,
clear, and concise.

(d) Other Federal Cybersecurity Requirements.--Nothing in this
section may be construed to supersede, alter, or otherwise affect any
cybersecurity requirements applicable to Federal agencies.
(e) Funding.--This Act shall be carried out using funds otherwise
authorized to be appropriated or made available to the National
Institute of Standards and Technology.

Approved August 14, 2018.

LEGISLATIVE HISTORY--S. 770 (H.R. 2105):
---------------------------------------------------------------------------

SENATE REPORTS: No. 115-153 (Comm. on Commerce, Science, and Transportation).
CONGRESSIONAL RECORD:
Vol. 163 (2017): Sept. 28, considered and passed Senate.
Vol. 164 (2018): July 25, considered and passed House, amended.
Aug. 1, Senate concurred in House amendments.