The NIST Small Business Cybersecurity Act was signed by the President recently. In summary, the Act essentially charges NIST with the responsibility of creating guidance and a consistent set of resources specifically for small to medium sized businesses.
NIST 800-171 was put in place to keep sensitive Government data, such as CUI and CDI, protected throughout its lifecycle. This set of controls and policies is now the cornerstone of DFARS, and will eventually undergird the FAR cybersecurity mandates to come. With constant incoming attacks on government contractors, it is only responsible to establish standards and a consistent means to protect sensitive data. The only problem: it can be complex and costly to implement.
Many small businesses (SBs) are crumbling under the pressure to become NIST 800-171 compliant and do not have adequate resources to implement these standards to the letter. Additionally, compliance often requires businesses to move to the cloud for the first time.
The sense of confusion, inadequate guidance from the government, and outcry from the Aerospace and Defense community has led to several dismal assessments of the lack of progress towards technical compliance.
This is where the NIST Small Business Cybersecurity Act comes in. The director of the National Institute of Standards and Technology has one year from the law's passing (Aug 2019) to make informative and instructional resources available. Another focus of the Act's educational efforts is to better equip smaller organizations and simplify the security framework for their unique limitations.
Small businesses make easy targets for hackers because they lack the resources to protect themselves. Also, many of these organizations have historically relied on dated technology or on cheaper, riskier cloud platforms like Google's G-Suite (which is not compliant for DFARS or NIST).
With this new law in place, SBs will now have clearer paths to compliance with adequate examples and documentation. This federally funded educational effort will provide the tools SBs previously lacked to strengthen their cybersecurity infrastructure and fend off attacks.
The report states: "(7) Public Availability.- The Director and the head of each Federal agency that so elects shall make prominently available on the respective agency's public Internet website information about the resources disseminated ... The Director and the heads shall ensure that the information they respectively make prominently available is consistent, clear, and concise".
The resources' key qualities should be simplicity, wide applicability, and technology neutrality. Dirk Morris, the chief product officer at Untangle, explains that "Small businesses are not immune to threats... The NIST SBCA will provide [them] the resources and a simplified cybersecurity framework so they can effectively protect their businesses from threats."
Original article source: President signs NIST Small Business Cybersecurity Act into law