October 23, 2018


NIST Small Business Cybersecurity Act Passes in the House

On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The NIST Act passed shortly after the very similar Senate bill S. 770, the MAIN STREET Cybersecurity Act of 2017, which passed the Senate on September 28.


The NIST Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. As drafted, the guidelines must

  • be generally applicable and usable by a wide range of small business concerns;

  • vary depending on the size and nature of the implementing business concern and the sensitivity of data collected and stored;

  • include elements to promote awareness of basic controls, a workplace cybersecurity culture, and third-party relationships in order to help mitigate common cybersecurity risks;

  • include case studies;

  • be technology neutral; and

  • to the extent possible, be based on international standards and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. §§ 3701 et seq.).

The initial version of the NIST Act, introduced on April 20, presented findings to highlight the need for cybersecurity guidance given the importance of small businesses to the US economy. The April 20 version states that small businesses account “for 54 percent of all United States sales and 55 percent of jobs in the United States.” It further states that a high percentage of cyberattacks target small and medium businesses and that, according to the National Cyber Security Alliance, 60 percent of small businesses that suffer such an attack go out of business within the following six months.

Reconciliation with Senate Bill

The NIST Act and the Senate bill are substantively very similar and provide comparable findings and requirements. Both set out nearly identical standards for NIST’s future guidelines, with the one difference that the NIST Act also requires case studies. In addition, the Senate bill provides that if another federal agency publishes any resources to guide small businesses with respect to cybersecurity risks, the head of that agency must ensure that such guidance is consistent with the resources published by NIST.

Given the similarity of both bills, as well as bipartisan support of each, reconciliation is not expected to be a difficult task.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Rahul Kapoor, Intellectual property lawyer, Morgan Lewis

With a focus on commercial, intellectual property (IP), and technology transactions, Rahul Kapoor counsels clients on strategic alliances, joint ventures, and corporate partnering transactions in the technology and life science industries. He also handles standards body licensing structures, patent licensing, open source software strategy, e-commerce and privacy, supply and distribution agreements, consignment agreements, spinoffs and core technology licenses, and IT outsourcing transactions. Rahul is a member of the firm’s Advisory Board, leader of the India initiative...

Valerie A. Gross, Business Technology Attorney, Morgan Lewis

Valerie A. Gross focuses her practice on business technology transactions, including technology and business process outsourcing; systems integration; commercial agreements, including professional services and consulting agreements; and licensing and other technology-related agreements.