January 21, 2018

NIST Small Business Cybersecurity Act Passes in the House

On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The NIST Act was passed shortly after the very similar Senate bill S. 770, the MAIN STREET Cybersecurity Act of 2017, which passed on September 28.


The NIST Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. As drafted, the guidelines must

  • be generally applicable and usable by a wide range of small business concerns;

  • vary depending on the size and nature of the implementing business concern and the sensitivity of data collected and stored;

  • include elements to promote awareness of basic controls, a workplace cybersecurity culture, and third-party relationships in order to help mitigate common cybersecurity risks;

  • include case studies;

  • be technology neutral; and

  • to the extent possible, be based on international standards and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. §§ 3701 et seq.).

The initial version of the NIST Act, introduced on April 20, presented findings to highlight the need for cybersecurity guidance given the importance of small businesses to the US economy. The April 20 version states that small businesses account “for 54 percent of all United States sales and 55 percent of jobs in the United States.” It further states that a high percentage of cyberattacks target small and medium businesses and that, according to the National Cyber Security Alliance, 60% of small businesses that suffer such attacks go out of business within the following six months.

Reconciliation with Senate Bill

The NIST Act and the Senate bill are substantively very similar and provide comparable findings and requirements. Both outline nearly identical standards for NIST’s future guidelines—with the exception that the NIST Act requires case studies. Also, the Senate bill provides that if another federal agency publishes any resources to guide small businesses with respect to cybersecurity risks, the head of such agency must ensure that such guidance is consistent with those resources published by NIST.

Given the similarity of both bills, as well as bipartisan support of each, reconciliation is not expected to be a difficult task.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About this Author

Rahul Kapoor is a partner in Morgan Lewis's Business and Finance Practice, the firmwide hiring partner, and a member of the firm's Legal Personnel and Finance Committees. Mr. Kapoor has deep transactional experience in strategic alliances, joint ventures, corporate partnering transactions, standards body licensing structures, intellectual property strategic counseling, technology licensing, open source software strategy, electronic commerce and privacy, supply and distribution agreements, consignment agreements, spin-outs and core technology licenses, IT outsourcing...

Valerie A. Gross, Morgan Lewis, Technology Transactions Attorney, System Integration Lawyer

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.