Sec. 2. Improving cybersecurity of small organizations
Source: /bill/116/hr/8379/ih/section-2 (H.R. 8379, 116th Congress, introduced-in-House text), Section 2. Research copy; for the controlling text, always check the official state or federal source. Not legal advice.
(a) Definitions. In this section:
  (1) The term "Administration" means the Small Business Administration.
  (2) The term "Administrator" means the Administrator of the Administration.
  (3) The term "Commission" means the Federal Trade Commission.
  (4) The term "cybersecurity guidance" means the cybersecurity guidance documented and promoted in the resource maintained under section 3(a).
  (5) The term "Director" means the Director of the Cybersecurity and Infrastructure Security Agency.
  (6) The term "NIST" means the National Institute of Standards and Technology.
  (7) The term "Secretary" means the Secretary of Commerce.
  (8) The term "small business" has the meaning given the term "small business concern" under section 3 of the Small Business Act (15 U.S.C. 632).
  (9) The term "small governmental jurisdiction" has the meaning given the term in section 601 of title 5, United States Code.
  (10) The term "small nonprofit" has the meaning given the term "small organization" in section 601 of title 5, United States Code.
  (11) The term "small organization" means an organization that is unlikely to employ a specialist in cybersecurity, including:
    (A) a small business;
    (B) a small nonprofit; and
    (C) a small governmental jurisdiction.

(b)
  (1) The Director shall maintain cybersecurity guidance that documents and promotes evidence-based cybersecurity policies and controls for use by small organizations, which shall:
    (A) include simple, basic controls that have the most impact in protecting small organizations against common cybersecurity threats and risks;
    (B) include guidance to address common cybersecurity threats and risks posed by electronic devices that are personal to the employees and contractors of small organizations, as well as electronic devices that are issued to those employees and contractors by small organizations; and
    (C) recommend:
      (i) measures to improve the cybersecurity of small organizations; and
      (ii) configurations and settings for some of the most commonly used software that can improve the cybersecurity of small organizations.
  (2) The Director shall ensure the cybersecurity guidance maintained under paragraph (1) is consistent with:
    (A) cybersecurity resources developed by NIST, as required by the NIST Small Business Cybersecurity Act (Public Law 115–236); and
    (B) the most recent version of the Cybersecurity Framework, or successor resource, maintained by NIST.
  (3) The Director may include cybersecurity guidance, as required under paragraph (1), appropriate for specific types of small organizations in addition to guidance applicable for all small organizations.
  (4)
    (A) The Director shall review the cybersecurity guidance maintained under paragraph (1) not less frequently than annually and update as appropriate.
    (B) In updating the cybersecurity guidance under subparagraph (A), the Director shall, to the degree practicable and as appropriate, consult with:
      (i) the Administrator, the Secretary, and the Commission;
      (ii) small organizations, insurers, State governments, companies that work with small organizations, and academic and Federal and non-Federal experts in cybersecurity; and
      (iii) any other entity as determined by the Director.
  (5) As appropriate, the Director shall consult with experts regarding the design of a user interface for the cybersecurity guidance.
  (6) The cybersecurity guidance maintained under subsection (b)(1) shall be:
    (A) made available, prominently and free of charge, on the public website of the Cybersecurity and Infrastructure Security Agency; and
    (B) linked to from relevant portions of the websites of the Administration and the Minority Business Development Agency.
  (7) The Director, the Administrator, and the Secretary shall, to the degree practicable, promote the cybersecurity guidance through relevant resources that are intended for or known to be regularly used by small organizations, including agency documents, websites, and events.

(c)
  (1) Not later than one year after the date of the enactment of this Act, the Secretary shall submit to Congress a report describing methods to incentivize small organizations to improve their cybersecurity, including through the adoption of policies, controls, products, and services that have been demonstrated to reduce cybersecurity risk.
  (2) The report required under paragraph (1) shall:
    (A) identify barriers or challenges for small organizations in purchasing or acquiring products and services that promote the cybersecurity;
    (B) assess market availability, market pricing, and affordability of products and services that promote the cybersecurity for small organizations, with particular attention to identifying high-risk and underserved sectors or regions;
    (C) estimate the cost of tax breaks, grants, subsidies, or other incentives to increase the adoption of policies and controls or acquisition of products and services that promote the cybersecurity, for small organizations;
    (D) as practicable, consult the certifications and requirement for cloud services described in the final report of the Cyberspace Solarium Commission established under section 1652 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 132 Stat. 2140);
    (E) describe evidence-based cybersecurity controls and policies that improve cybersecurity for small organizations;
    (F) with respect to the incentives described in subparagraph (C), recommend measures that can effectively improve cybersecurity at scale for small organizations; and
    (G) include any other matters the Secretary deems relevant.
  (3) In preparing the report required under paragraph (1), the Secretary may include matters applicable for specific types of small organizations in addition to matters applicable to all small organizations.
  (4) In preparing the report required under paragraph (1), the Secretary shall consult with:
    (A) the Administrator, the Director, and the Commission; and
    (B) small organizations, insurers of risks related to cybersecurity, State governments, cybersecurity and information technology companies that work with small organizations, and academic and Federal and non-Federal experts in cybersecurity.

(d)
  (1) Not later than one year after the date of enactment of this Act and not less frequently than every 24 months thereafter for not more than 10 years, the Administrator shall submit to Congress and make publicly available data on the state of cybersecurity of small businesses, including:
    (A) adoption of the cybersecurity guidance among small businesses;
    (B) the most significant and widespread cybersecurity threats facing small businesses;
    (C) the amount small businesses spend on cybersecurity products and services; and
    (D) the personnel small businesses dedicate to cybersecurity (including the amount of total personnel time, whether by employees or contractors, dedicated to cybersecurity efforts).
  (2) The report required under paragraph (1) shall be produced in unclassified form but may contain a classified annex.
  (3) In preparing the report required under paragraph (1), the Administrator shall consult with:
    (A) the Secretary, the Director, and the Commission; and
    (B) small businesses, insurers of risks related to cybersecurity, cybersecurity and information technology companies that work with small businesses, and academic and Federal and non-Federal experts in cybersecurity.